secrets-management
Safeguard articles tagged "secrets-management" — guides, analysis, and best practices for software supply chain and application security.
90 articles
Java Secrets Management: Getting Credentials Out of Your Code
Hardcoded credentials are among the most common findings in Java codebases. Here's how to externalize, rotate, and protect secrets properly in 2026.
Secrets Management for Python Applications
Hard-coded API keys and .env files committed to git are still the fastest route into a Python app. Here is how to keep secrets out of your code and your history.
Secrets Vault Comparison Guide (2026)
A secrets manager is the difference between one rotation and a hundred. This guide compares HashiCorp Vault, AWS/Azure/GCP native stores, Doppler, and Infisical — and how to migrate off hardcoded secrets.
What agentic coding environments reveal about developer risk
Snyk analyzed nearly 10,000 real developer environments and found 43% run 2+ AI coding tools at once — with MCP servers and skills quietly widening the attack surface.
Docker Secrets Management: Stop Baking Credentials Into Images
A secret written into a Docker layer is recoverable forever, even after you delete it. Learn the build-time and runtime patterns that keep credentials out of your images entirely.
.NET Secrets Management: From User Secrets to Key Vault
How to keep connection strings, API keys, and certificates out of your .NET source and images, using the Secret Manager, environment configuration, managed identities, and a real vault.
Securing CI/CD Secrets: OIDC, Scanning, and Short-Lived Credentials
CI/CD secrets are the crown jewels attackers go after — the CircleCI breach forced every customer to rotate everything. This guide covers secret sprawl, scanning, OIDC federation, and killing long-lived credentials for good.
The Codecov Bash uploader breach
How a Docker image flaw let attackers tamper with Codecov's Bash Uploader for 65 days, exfiltrating CI secrets from HashiCorp, Twilio, and more.
Secrets Management in Node.js: From .env to Zero-Standing-Credentials
Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.
Secrets Scanning: Stop Leaking Credentials Before They Ship
A leaked API key in Git history is compromised the moment it is pushed — deleting the commit does not help. Here is how to build secrets scanning across your whole lifecycle, from pre-commit to Git history.
Kubernetes Secrets Management Done Right
A Kubernetes Secret is base64, not encryption — and by default it sits in etcd in plaintext. Here is how to actually protect credentials with encryption at rest, external secret stores, and tight RBAC.
The Best Secrets Management Tools in 2026
A balanced buyer's guide to secrets management in 2026 — comparing Vault, cloud-native services, Doppler, Infisical, and CyberArk on the criteria that actually matter, plus an honest note on where secret detection tools fit.