Stats
Actions
Tags
From harness-claude
Enforces secret management best practices: never hardcode credentials, use environment variables or secret managers (AWS Secrets Manager, HashiCorp Vault), and validate startup configuration.
How this skill is triggered — by the user, by Claude, or both
Slash command
/harness-claude:owasp-secrets-managementThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> Keep credentials out of code, logs, and version control by using environment variables, secrets managers, and strict access controls
Keep credentials out of code, logs, and version control by using environment variables, secrets managers, and strict access controls
// BAD — will end up in version control
const db = new Client({ password: 'super_secret_password' });
const stripe = new Stripe('sk_example_abc123xyz');
// GOOD — always from environment
const db = new Client({ password: process.env.DB_PASSWORD });
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
Add a startup validation to catch missing secrets early:
// config/secrets.ts
const required = ['DB_PASSWORD', 'JWT_SECRET', 'STRIPE_SECRET_KEY', 'REDIS_URL'];
for (const key of required) {
if (!process.env[key]) {
throw new Error(`Missing required environment variable: ${key}`);
}
}
export const config = {
db: { password: process.env.DB_PASSWORD! },
jwt: { secret: process.env.JWT_SECRET! },
stripe: { secretKey: process.env.STRIPE_SECRET_KEY! },
} as const;
For production, fetch secrets from a managed service at startup:
import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
const client = new SecretsManagerClient({ region: 'us-east-1' });
async function getSecret(secretId: string): Promise<Record<string, string>> {
const response = await client.send(new GetSecretValueCommand({ SecretId: secretId }));
return JSON.parse(response.SecretString!);
}
// Bootstrap — called once at app startup
async function loadSecrets() {
const dbCreds = await getSecret('prod/myapp/database');
process.env.DB_PASSWORD = dbCreds.password;
process.env.DB_USERNAME = dbCreds.username;
const appSecrets = await getSecret('prod/myapp/app');
process.env.JWT_SECRET = appSecrets.jwt_secret;
}
import Vault from 'node-vault';
const vault = Vault({
endpoint: process.env.VAULT_ADDR,
token: process.env.VAULT_TOKEN, // Use AppRole in prod, not static token
});
async function getDbCredentials() {
// Dynamic secrets — Vault generates a new DB user per request
const result = await vault.read('database/creds/my-role');
return { username: result.data.username, password: result.data.password };
}
// Only load .env in non-production environments
if (process.env.NODE_ENV !== 'production') {
const { config } = await import('dotenv');
config(); // loads .env file
}
# .gitignore — ALWAYS ignore .env files containing real secrets
.env
.env.local
.env.production
*.env
# Commit only the template with no values
.env.example ← commit this
# .env.example — document required vars without values
DB_PASSWORD=
JWT_SECRET=
STRIPE_SECRET_KEY=
REDIS_URL=
// BAD — password appears in logs
logger.info('Connecting to database', { host, port, password });
// GOOD — redact sensitive fields
logger.info('Connecting to database', { host, port, password: '[REDACTED]' });
// Use a redaction library with pino
import pino from 'pino';
const logger = pino({
redact: {
paths: ['password', 'secret', 'token', 'apiKey', '*.password', '*.secret'],
censor: '[REDACTED]',
},
});
Secret rotation: Build services to reload secrets without restart. Use a secrets manager's automatic rotation feature. Store the secret ARN/path in env vars, not the secret value.
Scanning for leaked secrets: Add pre-commit hooks with git-secrets or trufflehog. Run gitleaks detect in CI to catch secrets in commit history.
Principle of least privilege for secrets access:
Environment hierarchy:
.env file (never commit real secrets)https://owasp.org/www-project-top-ten/
npx claudepluginhub intense-visions/harness-engineering --plugin harness-claudeGuides secure secrets management using Vault, AWS Secrets Manager, Azure Key Vault, environment variables, rotation, scanning tools, and CI/CD security. For implementing storage, rotation, leak prevention, credentials review.
Audits how secrets, credentials, and certificates are stored, rotated, and accessed. Detects hardcoded secrets and guides migration to centralized secret managers like Vault or AWS Secrets Manager.
Manage API keys, credentials, and secrets securely using vaults, environment variables, and rotation policies. Prevent secrets from being committed to code or exposed in logs.