Secrets Management

Software development skill, available on Zeplik

Secrets Management is a ready-to-run software development skill on Zeplik. Not for user login/auth flows (use auth-implementation-patterns). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.

The Secrets Management skill loads automatically when your request matches it, or you can invoke it directly by typing /secrets-management in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.

What the Secrets Management skill can do

Try these prompts on Zeplik

Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.

How the Secrets Management skill works

/secrets-management

Implement secure secrets management in CI/CD pipelines and infrastructure without hardcoding sensitive information. The user pastes workflow files, Terraform, or describes their stack; deliver ready-to-use pipeline snippets, rotation plans, and remediation steps as chat artifacts. Never ask the user to paste actual secret values; work with placeholders. For application-level login and session handling, use auth-implementation-patterns.

When to Use

  • Store API keys and credentials for pipelines
  • Manage database passwords
  • Handle TLS certificates
  • Rotate secrets automatically
  • Implement least-privilege access
  • Respond to a leaked or committed secret

Secrets Management Tools

HashiCorp Vault: centralized secrets, dynamic secrets generation, rotation, audit logging, fine-grained access control. AWS Secrets Manager: AWS-native, automatic rotation, RDS integration, CloudFormation support. Azure Key Vault: Azure-native, HSM-backed keys, certificate management, RBAC integration. Google Secret Manager: GCP-native, versioning, IAM integration.

HashiCorp Vault Integration

Setup Vault

# Start Vault dev server
vault server -dev

# Set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# Enable secrets engine
vault secrets enable -path=secret kv-v2

# Store secret
vault kv put secret/database/config username=admin password=secret

GitHub Actions with Vault

name: Deploy with Vault Secrets

on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Import Secrets from Vault
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.example.com:8200
          token: ${{ secrets.VAULT_TOKEN }}
          secrets: |
            secret/data/database username | DB_USERNAME ;
            secret/data/database password | DB_PASSWORD ;
            secret/data/api key | API_KEY

      - name: Use secrets
        run: |
          echo "Connecting to database as $DB_USERNAME"
          # Use $DB_PASSWORD, $API_KEY

GitLab CI with Vault

deploy:
  image: vault:1.17
  before_script:
    - export VAULT_ADDR=https://vault.example.com:8200
    - export VAULT_TOKEN=$VAULT_TOKEN
    - apk add curl jq
  script:
    - |
      DB_PASSWORD=$(vault kv get -field=password secret/database/config)
      API_KEY=$(vault kv get -field=key secret/api/credentials)
      echo "Deploying with secrets..."
      # Use $DB_PASSWORD, $API_KEY

AWS Secrets Manager

Store Secret

aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string "super-secret-password"

Retrieve in GitHub Actions

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-west-2

- name: Get secret from AWS
  run: |
    SECRET=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString \
      --output text)
    echo "::add-mask::$SECRET"
    echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV

Terraform with AWS Secrets Manager

data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

resource "aws_db_instance" "main" {
  allocated_storage    = 100
  engine              = "postgres"
  instance_class      = "db.t3.large"
  username            = "admin"
  password            = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
}

GitHub and GitLab Native Secrets

# GitHub: repository or environment secrets injected as env vars
deploy:
  runs-on: ubuntu-latest
  environment: production
  steps:
    - name: Deploy
      env:
        PROD_API_KEY: ${{ secrets.PROD_API_KEY }}
      run: |
        # Secret injected as env var -- never print it to logs
        ./deploy.sh

GitLab CI/CD variables: mark as Protected (protected branches only) and Masked (hidden in job logs); use File type for certs and kubeconfigs.

Best Practices

  1. Never commit secrets to Git
  2. Use different secrets per environment
  3. Rotate secrets regularly
  4. Implement least-privilege access
  5. Enable audit logging
  6. Use secret scanning (GitGuardian, TruffleHog)
  7. Mask secrets in logs
  8. Encrypt secrets at rest
  9. Use short-lived tokens when possible
  10. Document secret requirements

Secret Rotation

Automated Rotation with AWS

import boto3
import json

def lambda_handler(event, context):
    client = boto3.client('secretsmanager')

    # Get current secret
    response = client.get_secret_value(SecretId='my-secret')
    current_secret = json.loads(response['SecretString'])

    # Generate new password
    new_password = generate_strong_password()

    # Update database password
    update_database_password(new_password)

    # Update secret
    client.put_secret_value(
        SecretId='my-secret',
        SecretString=json.dumps({
            'username': current_secret['username'],
            'password': new_password
        })
    )

    return {'statusCode': 200}

Manual Rotation Process

  1. Generate new secret
  2. Update secret in secret store
  3. Update applications to use new secret
  4. Verify functionality
  5. Revoke old secret

External Secrets Operator (Kubernetes)

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: production
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "production"

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        key: database/config
        property: username
    - secretKey: password
      remoteRef:
        key: database/config
        property: password

Secret Scanning

#!/bin/bash
# .git/hooks/pre-commit

# Check for secrets with TruffleHog
docker run --rm -v "$(pwd):/repo" \
  trufflesecurity/trufflehog:3.88 \
  filesystem --directory=/repo

if [ $? -ne 0 ]; then
  echo "Secret detected! Commit blocked."
  exit 1
fi
# CI/CD secret scanning stage
secret-scan:
  stage: security
  image: trufflesecurity/trufflehog:3.88
  script:
    - trufflehog filesystem .
  allow_failure: false

If a secret was already committed: rotate it immediately (assume compromised), then scrub history only if required by policy; rotation is the real fix.

Usage

/secrets-management $ARGUMENTS

How to use the Secrets Management skill

  1. Sign in to Zeplik

    Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the Secrets Management skill right away.

  2. Describe your software development task

    Ask in plain language, or type /secrets-management to invoke the skill directly. Zeplik recognizes the Secrets Management skill and applies its method.

  3. Review and refine the result

    Zeplik returns a clear, structured answer. Ask follow-ups in the same chat to refine it or take the next step.

Source and credit

Author
wshobson
License
MIT

Adapted from the open-source wshobson/agents project and tuned to run natively on Zeplik. View source on GitHub.

Frequently asked questions

What is the Secrets Management skill?
Secrets Management is a ready-to-run software development skill on Zeplik. Not for user login/auth flows (use auth-implementation-patterns). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
How do I use Secrets Management on Zeplik?
Sign in to Zeplik and ask in plain language, or type /secrets-management in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
Which AI model does the Secrets Management skill use?
Any model you choose. Zeplik works across every model in one chat, so the Secrets Management skill runs on your preferred model for the task.
Where does the Secrets Management skill come from?
The Secrets Management skill is adapted from the open-source wshobson/agents project (MIT) and tuned to run natively on Zeplik. The original source is linked on this page.
How much does the Secrets Management skill cost?
Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.

Related software development skills

More on Zeplik

Try Secrets Management on Zeplik

Every model, one chat. Bring the Secrets Management skill into your next conversation and let the assistant do the work.

Browse all skills
Secrets Management - Software development skill for Zeplik AI | Zeplik Chat