Opening
Someone had rotated the API keys manually — without telling anyone. The rotation got lost in Slack three days ago. Now we had 47 repositories with stale credentials, half our integration tests dead, and no way to fix them in bulk. "Everything is failing, no code changes, what is going on?"
That was the moment I realized our "secrets management" was actually just secrets chaos.
The Real Problem Nobody Talks About
Most engineering teams don't have a secrets management problem. They have a visibility problem.
Here's what actually happens:
- Credentials rotate and half your teams don't know
- New repos get created and old secrets get copy-pasted into them (because it's faster than figuring out the "right way")
- Validation is manual — you hope each repo has the secrets it needs
- Compliance audits come and you scramble for a log of who accessed what
- Someone leaves and you have a 2-week hunt for every system their credentials are in
- Rotation policies exist but nobody knows if they're actually running
- S3 leaks, GitHub leaks, someone pastes a key in a PR and you only find out when a security tool flags it (if you have one)
I talked to engineering leads at different companies. Every single one had the same pattern:
- Vault is too heavy for them, but no Vault means guessing
- Everything falls to the on-call engineer to remember
- Compliance teams ask for logs. On-call engineer shrugs
This isn't a technical problem. It's a visibility and automation problem.
What are the common things people try?
- GitHub Secrets only — works until someone creates a repo and asks "where do I put the AWS key?"
- Vault — great, but DevOps was the only person who understood it, and it wasn't worth standing up for a 15-person team
- Encrypted ENV files in git — nope, someone always posts the decryption key in Slack
- "Just remember to rotate" — we didn't
- Fancy secrets manager dashboard — cost $X/month and nobody logged in
You need something GitHub-native, free or cheap, auditable, enforceable, and simple enough that a junior dev doesn't get stuck.
Why This Is Hard (The Technical Bit)
Secrets management sounds simple. Until you realize:
- GitHub Actions runs on every repo independently — there's no single "rotate now" button
- Permissions are weird — you need to authenticate and write and push, all from a workflow
- Secrets get stale — no easy way to know which repos use which secrets
- Audit logs need to happen — but GitHub's built-in logs aren't formatted for compliance
- Validation needs to run on PRs — catching exposed credentials before they're merged
- Rotation needs to be reliable — a failed rotation log is almost as bad as no rotation
This is why most teams just… don't do it.
I Built the gitflow-secrets-action-pack
It's a set of 5 GitHub Actions workflows that, glued together, do the job:
Validate & Detect Secrets
- Runs on every PR and push, scans for common patterns (AWS_KEY, GitHub tokens, private keys, API keys, passwords)
- Blocks merge if secrets found
- Generates SARIF reports for GitHub's security dashboard
- This stops the bleeding immediately
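As an added example (not the action pack's own code), here is the core of that validate step in Python: scan file contents for a few common credential shapes, redact the match, and emit a minimal SARIF 2.1.0 document of the kind GitHub's code-scanning upload accepts. The rule names, regexes and the sample file content are this example's own assumptions.

```python
import json
import re

# Constructed patterns for a few common credential shapes; these rule ids and
# regexes are assumptions for this example, not the action pack's rule set.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_text(path, text):
    """Return one finding per (line, rule) match, keeping only a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                # Never write the full matched value into logs or reports.
                findings.append({"path": path, "line": lineno, "rule": rule_id,
                                 "preview": m.group(0)[:4] + "..."})
    return findings

def to_sarif(findings):
    """Wrap findings in a minimal SARIF 2.1.0 log for the security dashboard."""
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "example-secret-scan",
                                "rules": [{"id": r} for r in PATTERNS]}},
            "results": [{
                "ruleId": f["rule"],
                "level": "error",
                "message": {"text": f"Possible {f['rule']} (starts with {f['preview']})"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["path"]},
                    "region": {"startLine": f["line"]}}}],
            } for f in findings],
        }],
    }

# Constructed sample file: AWS's documented example key id and a key header, not real secrets.
SAMPLE = ("region = eu-west-1\n"
          "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
          "-----BEGIN OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    found = scan_text("config/app.env", SAMPLE)
    print(json.dumps(to_sarif(found), indent=2))
    raise SystemExit(1 if found else 0)  # a non-zero exit is what blocks the merge
```

In a workflow, the printed JSON would be written to a file and handed to the SARIF upload step, while the exit status fails the PR check.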
Vault Integration (or any external source)
- Pulls secrets from HashiCorp Vault or AWS Secrets Manager
- Logs what was pulled, when, how many secrets
- Uploads manifest to artifact storage for audit trail
- Central source of truth
Rotate Secrets (on schedule or manual)
- Rotates specific secret types (API keys, DB passwords, tokens)
- Logs the rotation to your repo's .github/security/logs/
- Optional Slack notification (you know what was rotated, when)
- Commits the log to main so it's version-controlled
- Scheduled, auditable, automatic
Sync Secrets Across Repos
- Dry-run mode: see what would sync without doing it
- Apply mode: push the same secret to 5, 10, 50 repos at once
- Logs each repo touched
- No more manual copy-paste
Audit & Compliance
- Daily runs generate compliance report (secret age, access patterns, compliance scores)
- Checks against SOC2/ISO27001/PCI-DSS frameworks
- Uploads to S3 or GitHub artifacts
- Creates GitHub issues if thresholds are breached
- Compliance team gets their report. On-call is happy.
How to Use It
Copy the workflows into your repo:
That's it for the minimal setup. Run validate-secrets on your next PR.
For more: set your Vault credentials, enable Slack notifications, schedule rotations. All optional. The pack runs in "smoke test" mode if you don't configure them — so you can try it risk-free.
Is it perfect? No. Does it replace Vault? No. Does it solve 85% of the problem for £0 and 20 minutes of setup? Yes.
Try It
The pack is free on Gumroad. If it saves you from a 2am credential hunt, it stays free, but tips are welcome.
Get it: (https://neilwave182.gumroad.com/l/uystyb)