sota-secrets-management

SOTA Secrets Management

Purpose

Eliminate static secrets where possible; where not possible, make every secret short-lived, narrowly scoped, runtime-injected, auditable, and rotatable without downtime. This skill covers the full lifecycle (generation → distribution → storage → use → rotation → revocation → expiry), storage backends, application handling patterns, leak detection, incident remediation, and per-credential-type rules. It serves two workflows: BUILD (write correct secrets handling into new or existing code) and AUDIT (sweep a repo for secret issues and report findings).

The hierarchy of preference, always:

  1. No secret at all — workload identity / OIDC federation / cloud IAM roles.
  2. Short-lived, auto-issued secret — Vault dynamic creds, STS tokens, SPIRE SVIDs.
  3. Long-lived secret in a managed backend — secret manager + rotation + audit log.
  4. Encrypted secret in the repo — SOPS+age / sealed-secrets, GitOps only.
  5. Plaintext secret anywhere — never acceptable.
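As an added example (not code from the skill or the sota-skills repo), here is a minimal AUDIT-style sweep in Python for tier 5 findings, plaintext secrets sitting in repo files, which skips values that are runtime references and so belong to tiers 1-3; the detection patterns, the `secrets-audit: allow` marker, and the sample files are all constructed assumptions:

```python
import re
from dataclasses import dataclass

# Credential shapes flagged outright, then a generic key=value catch-all (dict order = priority).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}
# Values that are runtime references (hierarchy tiers 1-3), not literal secrets.
RUNTIME_REF = re.compile(r"^(\$\{|\$[A-Z_]|os\.environ|vault:|secretKeyRef)")
ALLOW_MARKER = "secrets-audit: allow"  # assumed inline allowlist convention

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # first 4 characters only, so the report itself never leaks the value

def scan_text(path: str, text: str) -> list[Finding]:
    # One Finding per line that holds what looks like a plaintext secret.
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            if not (kind == "generic_assignment" and RUNTIME_REF.match(value)):
                findings.append(Finding(path, lineno, kind, value[:4] + "***"))
            break  # at most one finding per line; specific patterns win
    return findings

def audit(files: dict[str, str]) -> list[Finding]:
    # Sweep a {path: contents} mapping; a real run would walk the repo tree instead.
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repo contents; none of these are real credentials.
SAMPLE_FILES = {
    "config/settings.py": "DB_PASSWORD = os.environ['DB_PASSWORD']\nAPI_KEY = 'sk-live-0123456789abcdef'\n",
    ".env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\nAWS_SECRET_ACCESS_KEY=example/secret/value/0123456789\n",
    "deploy/app.yaml": "env:\n  - name: TOKEN\n    valueFrom:\n      secretKeyRef: {name: api, key: token}\n",
    "scripts/ci.sh": "export GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz  # secrets-audit: allow\n",
    "keys/deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n",
}
```

Running `audit(SAMPLE_FILES)` reports the hard-coded API key, the AWS key pair and the private key, while the env-var reference, the Kubernetes `secretKeyRef` and the allowlisted CI line produce nothing.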
sota-secrets-management — martinholovsky/sota-skills