Secrets Management
Secrets management is the practice of storing, rotating, and controlling access to credentials such as tokens, passwords, keys, and certificates.
Secrets management is about keeping credentials out of places they do not belong: Git history, logs, screenshots, issue comments, Docker images, and random files on laptops.
Secrets include API tokens, SSH private keys, database passwords, TLS private keys, cloud credentials, and signing keys. They should live in a secret store or platform feature built for that job, not in a .env file that accidentally gets committed.
Rotation matters too. A secret that cannot be rotated is a liability waiting for a bad day. Build systems so a leaked token can be revoked and replaced without rebuilding the whole world.
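The rotation property described above, as an added example that is not part of the original glossary entry: each signing key carries an id, so a replacement key can go live while the old one still verifies, and a leaked key is then revoked by id with no rebuild. `KeyRing`, `demo` and the `k1`-style key ids are hypothetical names, and the in-memory dict stands in for a real secret store.

```python
import hashlib
import hmac
import secrets


class KeyRing:
    """Hypothetical in-memory stand-in for a secret store holding signing keys by id."""

    def __init__(self):
        self._keys = {}      # key id -> key bytes
        self._active = None  # key id used for new signatures
        self._counter = 0

    def rotate(self):
        """Add a fresh key and make it active; older keys stay valid until revoked."""
        self._counter += 1
        kid = f"k{self._counter}"
        self._keys[kid] = secrets.token_bytes(32)
        self._active = kid
        return kid

    def revoke(self, kid):
        """Drop a leaked key. Anything signed with it stops verifying immediately."""
        if kid == self._active:
            raise ValueError("rotate to a new key before revoking the active one")
        self._keys.pop(kid, None)

    def sign(self, message: bytes) -> str:
        mac = hmac.new(self._keys[self._active], message, hashlib.sha256).hexdigest()
        return f"{self._active}.{mac}"

    def verify(self, message: bytes, token: str) -> bool:
        kid, _, mac = token.partition(".")
        key = self._keys.get(kid)
        if key is None:  # unknown or revoked key id
            return False
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        return hmac.compare_digest(expected.encode(), mac.encode())


def demo():
    ring = KeyRing()
    old = ring.rotate()
    old_token = ring.sign(b"deploy:prod")  # constructed sample message
    ring.rotate()                           # replacement key goes live
    during_overlap = ring.verify(b"deploy:prod", old_token)
    ring.revoke(old)                        # leaked key is cut off
    after_revoke = ring.verify(b"deploy:prod", old_token)
    new_ok = ring.verify(b"deploy:prod", ring.sign(b"deploy:prod"))
    return during_overlap, after_revoke, new_ok
```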