| name | secrets-management |
| description | Secure credential handling using environment variables, GitHub secrets, and never committing secrets to source code |
| license | Apache-2.0 |
Secrets Management Skill
Purpose
Ensure secure handling of API keys, tokens, and credentials in MCP server development. Zero tolerance for hardcoded secrets.
When to Use
- ✅ Adding external API integrations
- ✅ Configuring CI/CD pipelines with secrets
- ✅ Setting up MCP server authentication
- ✅ Managing GitHub tokens for MCP servers
- ✅ Reviewing code for credential exposure
Golden Rules
Rule 1: Never Commit Secrets
const API_KEY = "sk_live_abc123def456";
const API_KEY = process.env['EP_API_KEY'] ?? '';
Rule 2: Use Environment Variables
const config = {
timeout: Number.parseInt(process.env['EP_REQUEST_TIMEOUT_MS'] ?? '10000'),
baseUrl: process.env['EP_BASE_URL'] ?? 'https://data.europarl.europa.eu/api/v2',
};
Rule 3: GitHub Secrets for CI/CD
env:
EP_API_KEY: ${{ secrets.EP_API_KEY }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Rule 4: MCP Server Token Security
MCP server tokens are injected at runtime by the GitHub Copilot environment via .github/copilot-mcp.json. Secrets are never stored in configuration files — GitHub resolves ${{ secrets.* }} references during workflow execution:
Environment variables for local development:
export GITHUB_TOKEN="ghp_your_token_here"
Detection and Prevention
.gitignore Must Include
.env
.env.local
.env.production
*.key
*.pem
secrets/
credentials/
Pre-commit Scanning
Incident Response
If a secret is committed:
- ✅ Rotate the compromised secret immediately
- ✅ Revoke old secret from all systems
- ✅ Review access logs for unauthorized access
- ✅ Clean git history if possible
- ✅ Document incident
ISMS Policy References
Core policies:
Supporting policies: