Store Secrets In Vault
Database passwords, API keys, signing keys, OAuth client secrets, and TLS private keys must be retrieved at runtime from a managed secrets store (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,…
$ prime install @security/rule-store-secrets-in-vault
Projection
Always in _index.xml · the agent never has to ask for this.
StoreSecretsInVault [rule] v0.1.0
Database passwords, API keys, signing keys, OAuth client secrets, and TLS private keys must be retrieved at runtime from a managed secrets store (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, sealed-secrets, doppler). Source repositories, Docker images, and CI pipeline definitions must not contain plaintext secrets.
Loaded when retrieval picks the atom as adjacent / supporting.
StoreSecretsInVault [rule] v0.1.0
Database passwords, API keys, signing keys, OAuth client secrets, and TLS private keys must be retrieved at runtime from a managed secrets store (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, sealed-secrets, doppler). Source repositories, Docker images, and CI pipeline definitions must not contain plaintext secrets.
Checks
- Pre-commit hook + CI scan (gitleaks, trufflehog, GitHub secret scanning) blocks commits containing high-entropy strings or known secret formats.
- Application reads secrets at startup from the secrets manager, authenticating with a short-lived workload identity (IAM role, Kubernetes service-account token, Vault AppRole or JWT auth), not from environment variables or files baked into the image.
- Secrets are rotated on a schedule (90 days for human-managed; automatic for machine credentials where supported).
- Access to the secrets store is logged and reviewed; audit trail covers who accessed which secret when.
- Local development uses a .env.example with placeholder values and a developer-specific local override that is listed in .gitignore — never commit real secrets, even temporarily.
Label
Secrets live in a managed secrets store, never in code or config repos
Loaded when retrieval picks the atom as a focal / direct hit.
StoreSecretsInVault [rule] v0.1.0
Database passwords, API keys, signing keys, OAuth client secrets, and TLS private keys must be retrieved at runtime from a managed secrets store (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, sealed-secrets, doppler). Source repositories, Docker images, and CI pipeline definitions must not contain plaintext secrets.
Checks
- Pre-commit hook + CI scan (gitleaks, trufflehog, GitHub secret scanning) blocks commits containing high-entropy strings or known secret formats.
- Application reads secrets at startup from the secrets manager, authenticating with a short-lived workload identity (IAM role, Kubernetes service-account token, Vault AppRole or JWT auth), not from environment variables or files baked into the image.
- Secrets are rotated on a schedule (90 days for human-managed; automatic for machine credentials where supported).
- Access to the secrets store is logged and reviewed; audit trail covers who accessed which secret when.
- Local development uses a .env.example with placeholder values and a developer-specific local override that is listed in .gitignore — never commit real secrets, even temporarily.
Label
Secrets live in a managed secrets store, never in code or config repos
Label
Secrets live in a managed secrets store, never in code or config repos
Source
prime-system/examples/security-appsec/primes/compiled/@security/rule-store-secrets-in-vault/atom.yaml