security-secrets-management
Security Secrets Management
Overview
Use this skill to prevent secret exposure and ensure secrets remain manageable throughout their lifecycle.
Scope Boundaries
- New secrets are introduced or existing secrets are rotated/migrated.
- Secret storage and runtime distribution mechanisms are being designed.
- Secret exposure response and revocation capability need verification.
Templates And Assets
- Secrets inventory template:
assets/secrets-inventory-template.csv
Inputs To Gather
- Secret inventory by owner, purpose, and environment.
- Storage and access architecture (vault/KMS/secret manager, runtime injection path).
- Rotation cadence, revocation requirements, and dependency constraints.
- Audit and compliance obligations for access and change tracking.
Deliverables
- Secret lifecycle policy covering creation, storage, usage, rotation, and retirement.
- Access control model with least-privilege and break-glass constraints.
- Rotation runbook with rehearsal and rollback guidance.
- Detection and response playbook for secret leakage events.
Workflow
- Build/refresh secret inventory with
assets/secrets-inventory-template.csv. - Enforce non-hardcoded secret policy across source, CI, build artifacts, and logs.
- Choose distribution model (pull, sidecar, env injection, runtime fetch) based on blast radius and operability.
- Define rotation strategy by secret type, including coordinated client update order.
- Implement auditing for secret reads, writes, and policy changes.
- Rehearse emergency rotation and revoke compromised credentials end-to-end.
- Verify decommissioned secrets cannot still authenticate.
Quality Standard
- Every secret has a clear owner and rotation/revocation process.
- Runtime access is identity-bound and minimally scoped.
- Secret exposure can be detected and remediated quickly.
- Audit trails support incident and compliance investigations.
Failure Conditions
- Stop when any production secret is stored in plaintext repositories.
- Stop when rotation cannot be executed without prolonged outage.
- Escalate when secret access is unaudited or broadly shared.
More from kentoshimizu/sw-agent-skills
graph-algorithms
Graph algorithm workflow for modeling entities/relations and selecting traversal, path, ordering, or flow strategies. Use when correctness or performance depends on graph representation and algorithm choice; do not use for schema-only modeling or deployment topology planning.
14bash-style-guide
Style, review, and refactoring standards for Bash shell scripting. Trigger when `.sh` files, files with `#!/usr/bin/env bash` or `#!/bin/bash`, or CI workflow blocks with `shell: bash` are created, modified, or reviewed and Bash-specific quality controls (quoting safety, error handling, portability, readability) must be enforced. Do not use for generic POSIX `sh`, PowerShell, or language-specific application style rules. In multi-language pull requests, run together with other applicable `*-style-guide` skills.
11architecture-clean-architecture
Clean Architecture workflow for enforcing dependency direction, stable domain boundaries, and use-case-centered application design. Use when teams must separate business rules from frameworks and delivery mechanisms; do not use for isolated module cleanup without boundary implications.
11powershell-style-guide
Style, review, and refactoring standards for PowerShell scripting. Trigger when `.ps1`, `.psm1`, `.psd1` files, or CI workflow blocks with `shell: pwsh` or `shell: powershell` are created, modified, or reviewed and PowerShell-specific quality controls (error handling, parameter validation, readability, operational safety) must be enforced. Do not use for Bash, generic POSIX `sh`, or language-specific application style rules. In multi-language pull requests, run together with other applicable `*-style-guide` skills.
10github-codeowners-management
Govern CODEOWNERS rules so review routing reflects real ownership and risk boundaries on GitHub. Use when repository ownership mapping or mandatory reviewer rules must be defined, updated, or audited; do not use for non-GitHub runtime architecture or data-layer design.
9security-authentication
Security workflow for authentication architecture, credential lifecycle, and session/token assurance. Use when login, identity proofing, MFA, or session security decisions are required; do not use for authorization policy design or non-security quality tuning.
9