Secrets Management #
Control ID: SDLC-CTRL-0014
TLDR: Build and runtime secrets are stored securely and documented appropriately
Rationale: Leaked secrets such as API keys, cryptographic keys and identity tokens are a common attack scenario.
Mitigates Risk
- SDLC-RISK-0002: Insider Threat
- SDLC-RISK-0004: Credential and Secret Exposure
- SDLC-RISK-0007: Unauthorised System Access
Background #
Secrets must be stored in a secure way and documented in a central place. Cryptographic Failures is the second-highest risk in the OWASP Top Ten, so rigor and process are essential.
How we implement this control #
Infrastructure secrets #
- We use AWS Secrets Manager to store infrastructure secrets.
- Infrastructure secrets are handled in a separate terraform-server repository together with other server information.
- The update, creation and deletion of secrets is described in secrets/README.md.
- We use a set of helper programs to update the secrets for the different servers. In addition to updating the secrets, the helper program also records:
  - which server the secret was updated for,
  - when and by whom the secret was updated,
  - when the secret expires.
- We have a daily GitHub job that checks if any secret will expire within the next month.
- If a secret is going to expire soon, a message is sent to our dedicated Slack channel.
- Every 3 months we check if any new infrastructure secrets have been added. In the server repository there is a bin/check_new_secrets.sh script that performs the check and tells you if any secrets have been added.
- The evidence that we ran the check for new secrets is recorded in the secrets-updated flow.
- We have a daily GitHub job that checks if it is more than three months since the last time we checked for new secrets.
CI workflow secrets #
- We use GitHub Actions secrets to store CI workflow secrets.
- CI workflow secrets are either repository secrets or organization secrets.
- Organization and repository secrets are tracked in the secrets repository.
- The secrets repository contains a README.md file with general information and one file per secret. Each file gives detailed information about how to get a new secret and how to update it. It also records:
  - when and by whom the secret was updated,
  - when the secret expires.
- The secrets repository has a daily GitHub job that checks if:
  - any secret will expire within the next month,
  - any new secrets have been added.
- If a secret is going to expire soon, a message is sent to our dedicated Slack channel.
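The daily checks described for both the infrastructure secrets and the CI workflow secrets (expiry within the next month, new secrets since the last inventory, and the three-month staleness of the new-secrets check) can be reduced to a few pure functions over the tracked metadata. The following is an added illustration, not the project's own helper program or GitHub job; the inventory record shape, the 30-day and 90-day thresholds, and the sample data are assumptions made for the example.

```python
"""Expiry and staleness checks modelled on the daily job described above (added example)."""
from datetime import date, timedelta

# Constructed sample inventory in the shape the control describes: which server the
# secret was updated for, when and by whom it was updated, and when it expires.
INVENTORY = [
    {"name": "db-password", "server": "app-01", "updated_at": "2024-01-10",
     "updated_by": "alice", "expires_at": "2024-03-01"},
    {"name": "tls-key", "server": "edge-01", "updated_at": "2023-12-01",
     "updated_by": "bob", "expires_at": "2024-12-01"},
    {"name": "api-token", "server": "app-02", "updated_at": "2024-01-20",
     "updated_by": "carol", "expires_at": "2024-02-05"},
]


def expiring_soon(inventory, today, within_days=30):
    """Names of secrets expiring within the one-month window (assumed to be 30 days).

    Secrets that have already expired are included as well: they need action most."""
    cutoff = today + timedelta(days=within_days)
    return sorted(rec["name"] for rec in inventory
                  if date.fromisoformat(rec["expires_at"]) <= cutoff)


def new_secrets(inventory, known_names):
    """Names present in the inventory but absent from the previously recorded list."""
    return sorted({rec["name"] for rec in inventory} - set(known_names))


def new_secrets_check_overdue(last_check, today, max_age_days=90):
    """True when more than about three months (assumed 90 days) have passed since the last check."""
    return (today - last_check) > timedelta(days=max_age_days)


def build_alert(inventory, today, last_check, known_names):
    """Compose the message the job would post to the Slack channel; empty means nothing to report."""
    lines = [f"secret '{n}' expires within 30 days" for n in expiring_soon(inventory, today)]
    lines += [f"new secret '{n}' is not yet documented" for n in new_secrets(inventory, known_names)]
    if new_secrets_check_overdue(last_check, today):
        lines.append(f"new-secrets check overdue (last run {last_check.isoformat()})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_alert(INVENTORY, date(2024, 2, 1), date(2023, 10, 15), ["db-password", "tls-key"]))
```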