TIP · 4 min read
Secrets Management Quick Wins
Most breaches I chase start with a leaked credential — committed to git, shipped in a container, or pasted in Slack. These quick wins remove 90% of the exposure.
Scan history, not just HEAD
Run gitleaks/trufflehog against full git history and every container image. Rotate anything that ever existed in a public commit.
Short-lived over long-lived
OIDC federation for CI, IAM Roles Anywhere for workloads, STS for cloud. Long-lived keys belong in a museum.
- GitHub OIDC → AWS/GCP/Azure
- Per-job tokens, never repo-wide PATs
- Auto-expire dev creds in 1 hour
Centralize the vault
One vault, audited access, automatic rotation. Apps fetch at runtime — never bake secrets into images.
Tools mentioned
gitleakstrufflehogVaultAWS Secrets ManagerDoppler
⟩ takeaway
Treat secrets like radioactive material: short half-life, tracked custody, no copies lying around.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.