infra-secrets-management-review

Community

Harden secrets handling across your stack.

Author: ivanshamaev
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This Skill helps you eliminate insecure secret storage and access patterns across Vault, Kubernetes, Airflow, dbt, and CI/CD by turning ad-hoc practices into auditable, rotating, least-privilege workflows.

Core Features & Use Cases

  • Vault KV v2 & policy auditing: Review static (KV v2) secret layout, versioning, and access policies for specific workloads like Airflow connections and service accounts.
  • Dynamic credentials & lease renewal: Design short-lived database credentials and revocation flows using Vault dynamic database secrets.
  • External Secrets Operator (ESO) integration: Sync Vault-backed secrets into Kubernetes Secrets safely via scheduled refresh instead of embedding plaintext secrets in manifests.
  • Secret scanning and leak prevention: Set up pre-commit and CI secret scanning (gitleaks/TruffleHog/Semgrep) to catch leaks in code and history.
  • Rotation and anti-pattern detection: Create a practical checklist that targets common failure modes like static passwords, plaintext logs, and missing audit logs.

Quick Start

Ask the agent: "Review our current secrets management and propose a migration plan to Vault (KV v2 + dynamic credentials) with ESO for Kubernetes and secret scanning in CI."

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: infra-secrets-management-review
Download link: https://github.com/ivanshamaev/de-agent-skills/archive/main.zip#infra-secrets-management-review

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.