From the course: Building Secure Software Supply Chains with Open-Source Tools
Best practices for secrets management
- By now, you have seen how hardcoded secrets can sneak into code, and how to detect them with tools like Gitleaks, but detection is just a safety net. The real goal is prevention. Let's walk through the best practices for managing secrets properly in your projects and pipelines. First, never hardcode secrets. This includes passwords, API tokens, database credentials, and anything else sensitive. Whether it is in code, in a .env file committed by mistake, or in a debug config, if it's in plain text, it's at risk. Instead, use environment variables. They allow you to separate secrets from code, keep production and development isolated, and inject values at runtime. For even stronger control, use a secrets manager such as AWS Secrets Manager, HashiCorp Vault, Doppler, or 1Password CLI. These tools offer encryption, access policies, audit logs, and rotation features, all designed to handle secrets at scale. Next…
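To make the "never hardcode, inject at runtime" advice concrete, here is an added example (not the course's own code) of a small loader that reads required secrets from the environment, fails closed when one is missing or blank, and wraps each value so it cannot leak through `str()`, `repr()` or a log line. The variable names `DB_PASSWORD` and `API_TOKEN` and the hypothetical service are assumptions for illustration.

```python
"""Read secrets from the environment at runtime instead of hardcoding them.

Added example for this lesson; the service, variable names and sample values
are constructed for illustration.
"""
import os
from typing import Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


class Secret:
    """Wraps a secret so it is not leaked by accident via str()/repr()/logging."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Return the raw value; call only at the point of use (e.g. building a client)."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(****)"

    __str__ = __repr__


def require_secret(name: str, env: Optional[Mapping[str, str]] = None) -> Secret:
    """Read a required secret from the environment; fail closed if unset or blank.

    No default value is accepted on purpose: a fallback literal in code is just
    a hardcoded secret under another name.
    """
    source = os.environ if env is None else env
    value = source.get(name, "")
    if not value.strip():
        raise MissingSecretError(f"required secret {name} is not set")
    return Secret(value)


# Before: the hardcoded pattern a scanner such as Gitleaks flags (do not do this).
# DB_PASSWORD = "REPLACE_ME_placeholder"   # constructed placeholder, not a real credential

# After: values are injected at runtime, so the repository never contains them.
def load_config(env: Optional[Mapping[str, str]] = None) -> dict:
    return {
        "db_password": require_secret("DB_PASSWORD", env),
        "api_token": require_secret("API_TOKEN", env),
    }
```

In CI or production the `env` argument is left as `None` so values come from the real process environment, which is where a pipeline or a secrets manager's CLI injects them.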
Contents
- Why hardcoded secrets are a major risk (2m 34s)
- Introduction to Gitleaks for secrets detection (3m 11s)
- Configuring Gitleaks for effective scans (2m 51s)
- Hands-on lab: Find hardcoded secrets in the juice shop codebase (1m 11s)
- Best practices for secrets management (2m 27s)