
secrets_manager.py

Scans your repository for 12 categories of secret pattern, interactively confirms each finding, routes them to the correct management strategy, and generates ESO manifests and audit checklists ready to commit.

What it does

Walks .env.example, docker-compose.yml, k8s/**/*.yaml and helm/**/values.yaml and matches their contents against 12 regex patterns, one per category listed under Detected Pattern Types. Each match is confirmed interactively (confirmation is skipped with --non-interactive) and then routed to a management strategy by the decision tree below.

CLI Usage

```bash
python3 tools/secrets_manager.py \
  --repo-path ./my-app \
  --service payment-api \
  --cloud aws \
  --output-dir ./my-app/secrets \
  --helm-dir ./my-app/helm

# Non-interactive (CI):
python3 tools/secrets_manager.py ... --non-interactive
```
Decision Tree

Each confirmed finding is routed to one of four strategies:

  • Cloud credential (AWS_*, AZURE_*, GCP_*) → IRSA / Workload Identity. Never use static access keys.
  • Dynamic / rotatable secret → External Secrets Operator + cloud secrets manager (AWS Secrets Manager / Azure Key Vault / GCP Secret Manager).
  • Static, changes rarely → Sealed Secrets. Encrypted in Git, so the ciphertext is safe to commit; the controller's sealing key is not, and stays in the cluster.
  • Dev only → K8s native Secret. Acceptable in dev; do NOT use in prod.
Output Files

  • external-secret.yaml: ESO ExternalSecret manifest that pulls from the cloud secrets manager
  • secret-template.yaml: native K8s Secret template for dev-only use
  • github-secrets.md: checklist of GitHub Actions secrets/variables to configure
  • secrets-checklist.md: human-readable audit checklist with the management strategy per secret
Detected Pattern Types
  • Database connection URLs (postgres://, mysql://, mongodb://)
  • Cache URLs (redis://, rediss://)
  • AWS cloud credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • Azure credentials (AZURE_CLIENT_SECRET, AZURE_CLIENT_ID)
  • GCP credentials (GOOGLE_APPLICATION_CREDENTIALS, GCP_SA_KEY)
  • Generic API keys (API_KEY, APIKEY, _TOKEN patterns)
  • Application secrets (SECRET_KEY, APP_SECRET, JWT_SECRET)
  • Third-party OAuth tokens (GITHUB_TOKEN, SLACK_TOKEN, STRIPE_SECRET)
  • Database passwords (DB_PASSWORD, DATABASE_PASSWORD)
  • Private keys (BEGIN RSA PRIVATE KEY, BEGIN PRIVATE KEY)
  • Connection strings (.env: CONN_STRING, CONNECTION_STRING)
  • Webhook secrets (WEBHOOK_SECRET, SIGNING_SECRET)
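The following is an added example, not the code of tools/secrets_manager.py: it re-implements the scan → confirm → route flow for the 12 categories above and the decision tree, and renders an ESO ExternalSecret for the findings routed to ESO. The regexes, category names, which non-cloud categories count as "static, changes rarely" (only private keys here), the `confirm` callback standing in for the interactive prompt, the `.env.example` sample and the `<service>/<NAME>` remote-key layout are all assumptions of this example.

```python
"""Added example (not tools/secrets_manager.py): scan, route, render."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample standing in for .env.example. Values are placeholders;
# the AWS pair is the well-known AWS documentation example key, not a live key.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:changeme@db.internal:5432/app
REDIS_URL=rediss://cache.internal:6380/0
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SENDGRID_API_KEY=SG.placeholder
STRIPE_SECRET=sk_test_placeholder
JWT_SECRET=replace-me
WEBHOOK_SECRET=replace-me
TLS_KEY=-----BEGIN PRIVATE KEY-----
LOG_LEVEL=info
# OLD_GITHUB_TOKEN=ghp_placeholder
"""

# One assumed regex per category on the page. Order matters: named cloud,
# key and token patterns are tried before the generic API_KEY / _TOKEN catch-all.
PATTERNS = [
    ("aws_credential",    re.compile(r"^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)=")),
    ("azure_credential",  re.compile(r"^(AZURE_CLIENT_SECRET|AZURE_CLIENT_ID)=")),
    ("gcp_credential",    re.compile(r"^(GOOGLE_APPLICATION_CREDENTIALS|GCP_SA_KEY)=")),
    ("private_key",       re.compile(r"-----BEGIN (RSA )?PRIVATE KEY-----")),
    ("database_url",      re.compile(r"=(postgres|mysql|mongodb)://")),
    ("cache_url",         re.compile(r"=rediss?://")),
    ("database_password", re.compile(r"^(DB_PASSWORD|DATABASE_PASSWORD)=")),
    ("connection_string", re.compile(r"^(CONN_STRING|CONNECTION_STRING)=")),
    ("oauth_token",       re.compile(r"^(GITHUB_TOKEN|SLACK_TOKEN|STRIPE_SECRET)=")),
    ("webhook_secret",    re.compile(r"^(WEBHOOK_SECRET|SIGNING_SECRET)=")),
    ("app_secret",        re.compile(r"^(SECRET_KEY|APP_SECRET|JWT_SECRET)=")),
    ("api_key",           re.compile(r"^(\w*API_?KEY\w*|\w+_TOKEN)=")),
]
CLOUD = {"aws_credential", "azure_credential", "gcp_credential"}


@dataclass
class Finding:
    file: str
    line_no: int
    name: str        # variable name only: the value is never stored or printed
    category: str
    strategy: str


def classify(line: str) -> Optional[str]:
    for category, rx in PATTERNS:
        if rx.search(line):
            return category
    return None


def route(category: str, env: str) -> str:
    """The page's decision tree. Cloud credentials are checked first so a
    static access key is never routed anywhere else, not even in dev."""
    if category in CLOUD:
        return "IRSA / Workload Identity"
    if env == "dev":
        return "K8s native Secret"          # acceptable in dev, never in prod
    if category == "private_key":           # assumed "static, changes rarely"
        return "Sealed Secrets"
    return "External Secrets Operator"      # dynamic / rotatable


def scan(text: str, filename: str, env: str = "prod",
         confirm: Optional[Callable[[Finding], bool]] = None) -> list:
    """confirm stands in for the interactive prompt; None behaves like --non-interactive."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("# ")     # a commented-out secret is still a secret
        category = classify(line)
        if category is None:
            continue
        f = Finding(filename, n, line.split("=", 1)[0], category, route(category, env))
        if confirm is None or confirm(f):
            findings.append(f)
    return findings


def external_secret_manifest(findings, service: str,
                             store: str = "aws-secrets-manager") -> str:
    """ExternalSecret (external-secrets.io/v1beta1) listing the ESO-routed findings.
    The remote key layout '<service>/<NAME>' is an assumed convention."""
    head = (f"apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\n"
            f"metadata:\n  name: {service}\nspec:\n  refreshInterval: 1h\n"
            f"  secretStoreRef:\n    name: {store}\n    kind: ClusterSecretStore\n"
            f"  target:\n    name: {service}-secrets\n  data:\n")
    body = "".join(
        f"    - secretKey: {f.name}\n      remoteRef:\n        key: {service}/{f.name}\n"
        for f in findings if f.strategy == "External Secrets Operator")
    return head + body


if __name__ == "__main__":
    found = scan(SAMPLE_ENV, ".env.example")
    for f in found:
        print(f"{f.file}:{f.line_no} {f.name:<22} {f.category:<18} -> {f.strategy}")
    print(external_secret_manifest(found, "payment-api"))
```

Two points worth noting when reading the output. Detection is keyed on variable names and URL schemes, so a secret stored under an unrelated name is not flagged; treat any such scan as a baseline, not as proof of absence. And the generated ExternalSecret only names the remote keys; the secrets themselves still have to be created in the cloud secrets manager, and the ClusterSecretStore it references must exist.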