Summary
The repository can detect hardcoded secrets (secrets-gitleaks) but has no skill for managing secrets correctly. HashiCorp Vault is the most widely adopted open-source secrets management platform and is the natural complement to Gitleaks: once secrets are found and rotated, they need a home. This skill would close that loop.
Requested Skill: devsecops/secrets-vault
What to Cover
Core workflows:
- Secrets injection into CI/CD — pull secrets from Vault into GitHub Actions / GitLab CI at runtime instead of storing them as repo secrets
- Dynamic secrets — generate short-lived database credentials, AWS IAM credentials, and PKI certificates on demand
- Secret rotation — rotate static credentials (DB passwords, API keys) with audit trail
- Audit logging — query Vault audit log for secret access patterns (compliance evidence for SOC2 CC6)
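The audit-logging workflow above in working form, as an added example that is not part of the requested skill or of Vault itself: the log records are constructed to mirror the shape of Vault's JSON audit device output (type, time, auth, request fields, with HMAC'd values omitted), and the policy names, paths and "expected policies" allowlist are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample records shaped like Vault's JSON audit device output
# (type / time / auth / request); HMAC'd token and secret values omitted.
SAMPLE_AUDIT_LOG = """\
{"type":"response","time":"2024-05-01T10:00:00Z","auth":{"display_name":"jwt-github-actions","policies":["default","ci-prod-read"]},"request":{"operation":"read","path":"secret/data/myapp/prod","remote_address":"10.0.1.5"}}
{"type":"response","time":"2024-05-01T10:00:02Z","auth":{"display_name":"jwt-github-actions","policies":["default","ci-prod-read"]},"request":{"operation":"read","path":"secret/data/myapp/prod","remote_address":"10.0.1.5"}}
{"type":"response","time":"2024-05-01T11:30:00Z","auth":{"display_name":"userpass-alice","policies":["default","dev-read"]},"request":{"operation":"read","path":"secret/data/myapp/prod","remote_address":"203.0.113.7"}}
{"type":"request","time":"2024-05-01T11:31:00Z","auth":{"display_name":"approle-app","policies":["default","app-aws"]},"request":{"operation":"read","path":"aws/creds/my-role","remote_address":"10.0.2.9"}}
{"type":"response","time":"2024-05-01T11:31:00Z","auth":{"display_name":"approle-app","policies":["default","app-aws"]},"request":{"operation":"read","path":"aws/creds/my-role","remote_address":"10.0.2.9"}}
"""

# Assumption for this example: only these policies should read prod KV data.
EXPECTED_PROD_POLICIES = {"ci-prod-read"}
PROD_PREFIX = "secret/data/myapp/prod"


def completed_reads(text):
    """Yield 'response' entries for reads (the paired 'request' half would double-count)."""
    for line in text.splitlines():
        entry = json.loads(line)
        if entry.get("type") == "response" and entry["request"].get("operation") == "read":
            yield entry


def access_summary(text):
    """Count reads per (path, identity): who-read-what evidence for SOC2 CC6."""
    counts = Counter()
    for e in completed_reads(text):
        counts[(e["request"]["path"], e["auth"]["display_name"])] += 1
    return counts


def unexpected_prod_reads(text):
    """Reads of prod secrets by identities holding none of the expected policies."""
    findings = []
    for e in completed_reads(text):
        if not e["request"]["path"].startswith(PROD_PREFIX):
            continue
        if not EXPECTED_PROD_POLICIES & set(e["auth"].get("policies", [])):
            findings.append((e["time"], e["auth"]["display_name"], e["request"]["remote_address"]))
    return findings


if __name__ == "__main__":
    for (path, who), n in sorted(access_summary(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:3d}  {who:20s} {path}")
    for t, who, addr in unexpected_prod_reads(SAMPLE_AUDIT_LOG):
        print(f"REVIEW: {who} read {PROD_PREFIX} from {addr} at {t}")
```

Against a real deployment the same functions would read the audit device's file output line by line; the allowlist should come from the roles actually granted prod access, not be hardcoded.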
Key Vault paths and engines:
```shell
# KV secrets engine (static secrets)
vault kv put secret/myapp/prod db_password="..." api_key="..."
vault kv get -format=json secret/myapp/prod

# Dynamic AWS credentials (expire after TTL)
vault read aws/creds/my-role

# PKI — issue short-lived TLS cert
vault write pki/issue/my-role common_name="app.example.com" ttl="24h"
```
CI/CD integration pattern:
```yaml
# GitHub Actions — vault-action
- uses: hashicorp/vault-action@v3
  with:
    url: ${{ secrets.VAULT_ADDR }}
    method: jwt
    role: github-actions
    secrets: |
      secret/data/myapp/prod db_password | DB_PASSWORD;
      secret/data/myapp/prod api_key | API_KEY
```
Security Considerations
- Never store Vault tokens in environment variables long-term — use AppRole or JWT auth
- Enable audit logging before any production use (SOC2, PCI-DSS requirement)
- Use namespaces for multi-team isolation
- Set max_lease_ttl on dynamic secret roles to enforce expiration
Frameworks to Map
- SOC2 CC6.1 (Logical and Physical Access Controls)
- PCI-DSS Req 3.4 (render PANs unreadable), Req 8.3 (MFA for credentials)
- NIST SP 800-57 (key management)
- CWE-522 (Insufficiently Protected Credentials)
- OWASP Top 10 A02:2021 (Cryptographic Failures)
Relationship to Existing Skills
- Upstream: secrets-gitleaks detects leaked secrets → remediation is to move them to Vault
- Downstream: compliance/policy-opa can enforce OPA policies that require Vault-sourced secrets in K8s manifests