| name | secrets-management |
| description | Use this skill when handling API keys, passwords, tokens, private keys, or any sensitive credential. Never hardcode secrets in source code — apply this whenever the word "key", "token", "password", or "secret" appears in the task. |
| category | security |
Secrets Management
Rules:
- Never hardcode secrets in source files, configs committed to git, or logs.
- Use environment variables for local development (
python-dotenv).
- Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password CLI) in production.
- Add
.env and *.pem to .gitignore before the first commit.
- Rotate secrets immediately if they are exposed (leaked in a commit, log, or error message).
Scanning: Use ggshield, truffleHog, or git-secrets in CI to block secret commits.
Anti-patterns:
os.environ.get('KEY', 'hardcoded_default') in production code.
- Logging full request/response bodies that may contain tokens.