Secrets Management
Software development skill, available on Zeplik
Secrets Management is a ready-to-run software development skill on Zeplik. Not for user login/auth flows (use auth-implementation-patterns). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
The Secrets Management skill loads automatically when your request matches it, or you can invoke it directly by typing /secrets-management in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.
What the Secrets Management skill can do
- Generate Vault, AWS, Azure and GCP secrets integration snippets
- Build CI/CD pipeline steps for GitHub Actions and GitLab CI secrets injection
- Design automated and manual secret rotation plans
- Produce remediation steps for leaked or committed secrets
Try these prompts on Zeplik
Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.
How the Secrets Management skill works
/secrets-management
Implement secure secrets management in CI/CD pipelines and infrastructure without hardcoding sensitive information. The user pastes workflow files, Terraform, or describes their stack; deliver ready-to-use pipeline snippets, rotation plans, and remediation steps as chat artifacts. Never ask the user to paste actual secret values; work with placeholders. For application-level login and session handling, use auth-implementation-patterns.
When to Use
- Store API keys and credentials for pipelines
- Manage database passwords
- Handle TLS certificates
- Rotate secrets automatically
- Implement least-privilege access
- Respond to a leaked or committed secret
Secrets Management Tools
HashiCorp Vault: centralized secrets, dynamic secrets generation, rotation, audit logging, fine-grained access control. AWS Secrets Manager: AWS-native, automatic rotation, RDS integration, CloudFormation support. Azure Key Vault: Azure-native, HSM-backed keys, certificate management, RBAC integration. Google Secret Manager: GCP-native, versioning, IAM integration.
HashiCorp Vault Integration
Setup Vault
# Start Vault dev server
vault server -dev
# Set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'
# Enable secrets engine
vault secrets enable -path=secret kv-v2
# Store secret
vault kv put secret/database/config username=admin password=secret
GitHub Actions with Vault
name: Deploy with Vault Secrets
on: [push]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Import Secrets from Vault
uses: hashicorp/vault-action@v2
with:
url: https://vault.example.com:8200
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
secret/data/database username | DB_USERNAME ;
secret/data/database password | DB_PASSWORD ;
secret/data/api key | API_KEY
- name: Use secrets
run: |
echo "Connecting to database as $DB_USERNAME"
# Use $DB_PASSWORD, $API_KEY
GitLab CI with Vault
deploy:
image: vault:1.17
before_script:
- export VAULT_ADDR=https://vault.example.com:8200
- export VAULT_TOKEN=$VAULT_TOKEN
- apk add curl jq
script:
- |
DB_PASSWORD=$(vault kv get -field=password secret/database/config)
API_KEY=$(vault kv get -field=key secret/api/credentials)
echo "Deploying with secrets..."
# Use $DB_PASSWORD, $API_KEY
AWS Secrets Manager
Store Secret
aws secretsmanager create-secret \
--name production/database/password \
--secret-string "super-secret-password"
Retrieve in GitHub Actions
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
- name: Get secret from AWS
run: |
SECRET=$(aws secretsmanager get-secret-value \
--secret-id production/database/password \
--query SecretString \
--output text)
echo "::add-mask::$SECRET"
echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV
Terraform with AWS Secrets Manager
data "aws_secretsmanager_secret_version" "db_password" {
secret_id = "production/database/password"
}
resource "aws_db_instance" "main" {
allocated_storage = 100
engine = "postgres"
instance_class = "db.t3.large"
username = "admin"
password = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
}
GitHub and GitLab Native Secrets
# GitHub: repository or environment secrets injected as env vars
deploy:
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy
env:
PROD_API_KEY: ${{ secrets.PROD_API_KEY }}
run: |
# Secret injected as env var -- never print it to logs
./deploy.sh
GitLab CI/CD variables: mark as Protected (protected branches only) and Masked (hidden in job logs); use File type for certs and kubeconfigs.
Best Practices
- Never commit secrets to Git
- Use different secrets per environment
- Rotate secrets regularly
- Implement least-privilege access
- Enable audit logging
- Use secret scanning (GitGuardian, TruffleHog)
- Mask secrets in logs
- Encrypt secrets at rest
- Use short-lived tokens when possible
- Document secret requirements
Secret Rotation
Automated Rotation with AWS
import boto3
import json
def lambda_handler(event, context):
client = boto3.client('secretsmanager')
# Get current secret
response = client.get_secret_value(SecretId='my-secret')
current_secret = json.loads(response['SecretString'])
# Generate new password
new_password = generate_strong_password()
# Update database password
update_database_password(new_password)
# Update secret
client.put_secret_value(
SecretId='my-secret',
SecretString=json.dumps({
'username': current_secret['username'],
'password': new_password
})
)
return {'statusCode': 200}
Manual Rotation Process
- Generate new secret
- Update secret in secret store
- Update applications to use new secret
- Verify functionality
- Revoke old secret
External Secrets Operator (Kubernetes)
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: vault-backend
namespace: production
spec:
provider:
vault:
server: "https://vault.example.com:8200"
path: "secret"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "production"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: database-credentials
namespace: production
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: SecretStore
target:
name: database-credentials
creationPolicy: Owner
data:
- secretKey: username
remoteRef:
key: database/config
property: username
- secretKey: password
remoteRef:
key: database/config
property: password
Secret Scanning
#!/bin/bash
# .git/hooks/pre-commit
# Check for secrets with TruffleHog
docker run --rm -v "$(pwd):/repo" \
trufflesecurity/trufflehog:3.88 \
filesystem --directory=/repo
if [ $? -ne 0 ]; then
echo "Secret detected! Commit blocked."
exit 1
fi
# CI/CD secret scanning stage
secret-scan:
stage: security
image: trufflesecurity/trufflehog:3.88
script:
- trufflehog filesystem .
allow_failure: false
If a secret was already committed: rotate it immediately (assume compromised), then scrub history only if required by policy; rotation is the real fix.
Usage
/secrets-management $ARGUMENTS
How to use the Secrets Management skill
Sign in to Zeplik
Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the Secrets Management skill right away.
Describe your software development task
Ask in plain language, or type /secrets-management to invoke the skill directly. Zeplik recognizes the Secrets Management skill and applies its method.
Review and refine the result
Zeplik returns a clear, structured answer. Ask follow-ups in the same chat to refine it or take the next step.
Source and credit
- Author
- wshobson
- License
- MIT
Adapted from the open-source wshobson/agents project and tuned to run natively on Zeplik. View source on GitHub.
Frequently asked questions
- What is the Secrets Management skill?
- Secrets Management is a ready-to-run software development skill on Zeplik. Not for user login/auth flows (use auth-implementation-patterns). Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
- How do I use Secrets Management on Zeplik?
- Sign in to Zeplik and ask in plain language, or type /secrets-management in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
- Which AI model does the Secrets Management skill use?
- Any model you choose. Zeplik works across every model in one chat, so the Secrets Management skill runs on your preferred model for the task.
- Where does the Secrets Management skill come from?
- The Secrets Management skill is adapted from the open-source wshobson/agents project (MIT) and tuned to run natively on Zeplik. The original source is linked on this page.
- How much does the Secrets Management skill cost?
- Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.
Related software development skills
- .NET BackendBuild ASP.NET Core 8+ backends with EF Core: auth, background jobs, production API patterns
- Advanced Git WorkflowsUse for advanced Git surgery: interactive rebase, cherry-pick, bisect, reflog recovery, and history cleanup before merging. Not for parallel worktree workflows (use using-git-worktrees).
- Adversarial Code ReviewHunt for bugs in code the user shares by assuming defects exist and attacking the code through several distinct lenses, then report severity-ranked findings with evidence. Use for "review this", "what could go wrong", "bug hunt", or pre-merge scrutiny of a change. Read-only, it reports problems and does not rewrite the code. Not for style cleanup (use simplify-code) or for writing new code.
- AI Agent FrameworksUse when building multi-agent systems or agent orchestration -- LangChain/LangGraph, agent team design, task coordination, pipelines. Not for authoring a Zeplik skill (use skill-creator).
- Algolia SearchAdd Algolia search: indexing strategies, React InstantSearch, relevance tuning, search-as-you-type
- Android CI/CDAutomate Android CI/CD to Google Play: keystore, GitHub Secrets, multi-stage release workflow for RN, Flutter, native
More on Zeplik
Try Secrets Management on Zeplik
Every model, one chat. Bring the Secrets Management skill into your next conversation and let the assistant do the work.