Secret Management
Secret management is the practice of securely storing, accessing, distributing, and rotating sensitive credentials like API keys, database passwords, encryption keys, and service tokens throughout an application's lifecycle.
Understanding Secret Management
Secrets are the credentials that grant your application access to databases, third-party APIs, encryption operations, and other services. Poor secret management — hardcoded values, shared credentials, stale keys — is one of the most common root causes of data breaches. A single leaked database password or admin API key can compromise an entire system.
The hierarchy of secret management maturity starts with environment variables (better than hardcoding), progresses to encrypted secret files, and culminates in dedicated secret management systems like HashiCorp Vault, AWS Secrets Manager, or Google Secret Manager. These dedicated systems provide encryption at rest, access controls, audit logging, and automated rotation.
Secret rotation — regularly changing credentials on a schedule or in response to events — limits the blast radius of a compromise. If a secret is leaked but has already been rotated, the exposed credential is useless. Automated rotation through your secret manager eliminates the manual toil and reduces the risk of rotating to a value that is itself weak.
Key principles include the principle of least privilege (each service gets only the secrets it needs), separation of environments (development secrets must differ from production), audit logging (track who accessed which secret and when), encryption at rest (secrets should never be stored in plaintext in databases or files), and zero-trust verification (validate secret access requests against expected patterns).
Why This Matters for Vibe-Coded Apps
Vibe-coded applications often have the worst secret management hygiene because the focus is on shipping features quickly. Common patterns include the same API key shared between development and production, secrets pasted directly into AI prompts (which may be logged by the AI service), hardcoded credentials that the AI placed in source files, and .env files committed to public GitHub repositories.
The minimum viable secret management for a vibe-coded app is: keep secrets in environment variables (not code), use different values for development and production, add .env to .gitignore before your first commit, and know how to rotate every secret you use. If you have done these four things, you are ahead of most vibe-coded applications.
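A startup check that enforces the first three of those four practices, written as an added example rather than code from the page or from VAS; the variable names (APP_ENV, DATABASE_URL, STRIPE_API_KEY) and the placeholder patterns are assumptions:

```python
import re

# Secrets every deployment must supply; the names are assumptions for this example.
REQUIRED = ("DATABASE_URL", "STRIPE_API_KEY")
# Substrings that mark a placeholder or a development credential that must never reach production.
DEV_LOOKING = re.compile(r"changeme|example|localhost|sk_test_", re.IGNORECASE)


class SecretError(RuntimeError):
    """Raised when the process would otherwise start with missing or unsafe secrets."""


def check_secrets(env: dict, required=REQUIRED) -> list:
    """Return the problems found in `env` (an os.environ-like mapping); empty means OK."""
    app_env = env.get("APP_ENV", "development")
    problems = []
    for name in required:
        value = env.get(name, "").strip()
        if not value:
            # No hardcoded fallback: a missing secret is a startup failure, not a default.
            problems.append(f"{name} is not set; refusing to fall back to a hardcoded default")
        elif app_env == "production" and DEV_LOOKING.search(value):
            # Same key reused across environments is the most common vibe-coded mistake.
            problems.append(f"{name} looks like a development or placeholder value in production")
    return problems


def load_secrets(env: dict, required=REQUIRED) -> dict:
    """Fail fast at startup instead of running with bad credentials."""
    problems = check_secrets(env, required)
    if problems:
        raise SecretError("; ".join(problems))
    return {name: env[name] for name in required}


def env_file_is_ignored(gitignore_text: str) -> bool:
    """True when a .gitignore already covers .env files; run this before the first commit."""
    for line in gitignore_text.splitlines():
        pattern = line.split("#", 1)[0].strip()  # drop trailing comments
        if pattern in (".env", "/.env", ".env*", "*.env", ".env.*"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample environments, not real credentials.
    dev = {"APP_ENV": "development", "DATABASE_URL": "postgres://localhost/app",
           "STRIPE_API_KEY": "sk_test_abc"}
    print(check_secrets(dev))                              # []
    print(check_secrets(dict(dev, APP_ENV="production")))  # two problems reported
    print(env_file_is_ignored("node_modules/\n.env\n"))    # True
```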
Real-World Examples
Codecov Supply Chain Attack (2021)
Attackers modified Codecov's Bash Uploader script to exfiltrate environment variables (including secrets) from CI/CD pipelines. The compromised script sent secrets from thousands of organizations to an attacker-controlled server for two months before detection.
CircleCI Secret Exfiltration (2023)
A security incident at CircleCI required all customers to immediately rotate every secret stored in their CircleCI environments. The breach affected environment variables and contexts, demonstrating the risk of centralized secret storage in CI/CD platforms.
Twitch Source Code Leak (2021)
A massive leak of Twitch's source code included internal API keys, server configurations, and security tools. The leak underscored the importance of not relying on source code privacy as a security control and instead using proper secret management systems.
Frequently Asked Questions
When should I use a secret manager versus environment variables?
Environment variables are sufficient for small applications with a few secrets and a small team. Move to a dedicated secret manager when you need automated rotation, audit logging, fine-grained access control, or when multiple services share secrets. If a secret compromise would have severe consequences (database access, payment processing), the additional security of a vault is justified regardless of team size.
How often should I rotate secrets?
Rotate immediately after any suspected compromise or team member departure. For routine rotation, the frequency depends on the secret's sensitivity and your compliance requirements. Database passwords and API keys should be rotated at least quarterly. High-sensitivity secrets like encryption keys may warrant monthly rotation. Automated rotation through a secret manager makes frequent rotation practical without operational burden.
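The rotation policy described here and in the section above, as an added example that is not code from the page or from any secret manager it names: a secret with a current and a previous version, a grace window so clients can switch without an outage, a quarterly due check, and an immediate revoke-and-replace path for a suspected compromise. The class and its method names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Version:
    value: str
    created_at: float  # seconds since epoch


@dataclass
class RotatingSecret:
    """A secret with a current version and at most one previous version still accepted
    during a grace window, so consumers can pick up the new value without downtime."""
    max_age: float                                  # seconds before routine rotation is due
    grace: float                                    # seconds the previous version stays valid
    versions: list = field(default_factory=list)    # newest first
    log: list = field(default_factory=list)         # audit trail: (time, reason)

    def current(self) -> str:
        return self.versions[0].value

    def rotate(self, now: float, reason: str = "scheduled") -> str:
        """Generate a fresh random value; on compromise, drop the old version at once."""
        new = Version(secrets.token_urlsafe(32), now)
        if reason == "compromise":
            self.versions = [new]                   # no grace window for a leaked value
        else:
            self.versions = [new] + self.versions[:1]
        self.log.append((now, reason))
        return new.value

    def is_valid(self, presented: str, now: float) -> bool:
        """Accept the current value, or the previous one while the grace window is open."""
        for i, v in enumerate(self.versions):
            if i > 0 and now - self.versions[0].created_at > self.grace:
                break                               # previous version has expired
            if hmac.compare_digest(presented, v.value):  # constant-time comparison
                return True
        return False

    def rotation_due(self, now: float) -> bool:
        return now - self.versions[0].created_at >= self.max_age


def new_secret(now: float, max_age: float, grace: float) -> RotatingSecret:
    s = RotatingSecret(max_age=max_age, grace=grace)
    s.rotate(now, reason="initial")
    return s
```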
Are environment variables encrypted?
Not inherently. Environment variables are stored in plaintext in the process environment on most systems. They can be read by anyone with access to the process (via /proc on Linux or process inspection tools). Hosting platforms like Render and Vercel encrypt environment variables at rest in their storage, but the values are decrypted when injected into your running application. For additional protection, use a secret manager that provides encrypted in-memory access.
How do I handle secrets in CI/CD pipelines?
Use your CI/CD platform's built-in secret storage (GitHub Actions secrets, CircleCI contexts, GitLab CI variables) rather than committing secrets to configuration files. Mark secrets as sensitive to prevent them from appearing in logs. Use OIDC tokens instead of long-lived credentials where supported. Scope secrets to specific branches or environments to limit exposure, and audit secret access regularly.
Is Your App Protected?
VAS automatically scans for vulnerabilities related to secret management and provides detailed remediation guidance. Our scanner targets issues common in AI-generated applications.
Scans from $5, results in minutes. Get actionable fixes tailored to your stack.