secrets-management
Safeguard articles tagged "secrets-management" — guides, analysis, and best practices for software supply chain and application security.
90 articles
Kubernetes Secrets
Kubernetes Secrets are base64, not encrypted, by default. Here is how they actually leak, why scanners like Aqua fall short, and how to fix it.
How to secure Kubernetes secrets and sensitive data
Kubernetes secrets are base64, not encrypted, by default. Here's how they actually leak, where Prisma Cloud's CNAPP approach falls short, and how to fix rotation, RBAC, and encryption gaps.
What Are Hardcoded Credentials
Hardcoded credentials are secrets baked into code instead of a vault. Toyota, Uber, and Samsung breaches show why that risk never expires on its own.
What is Sensitive Data Exposure
Sensitive data exposure covers everything from unencrypted databases to hardcoded secrets. Learn what causes it, real breach examples, and how to detect it early.
How to Rotate Leaked CI Secrets Without Downtime
A leaked CI credential does not have to mean an outage. The dual-credential pattern: issue new alongside old, cut over, verify with usage logs, then revoke — plus what to do after.
OAuth vs API Keys
OAuth and API keys aren't interchangeable: one is a static, long-lived credential, the other a scoped, expiring token. Here's how to choose, backed by real breaches.
Secrets sprawl
What is secrets sprawl? A plain-English breakdown of how API keys and credentials scatter across codebases, and what to do about it.
How to set up HashiCorp Vault for secrets management
A step-by-step guide to set up HashiCorp Vault for secrets management, covering installation, dynamic secrets, Kubernetes integration, and verification steps.
How to encrypt Kubernetes secrets at rest
A step-by-step guide to encrypting Kubernetes secrets at rest: choosing a KMS provider, configuring etcd encryption, re-encrypting existing secrets, and verifying it worked.
The Codecov Supply Chain Attack Explained
A breakdown of the 2021 Codecov breach: how the Bash Uploader was compromised, what CI secrets were exposed, and the remediation steps teams need now.
What is Credential Rotation
Credential rotation limits how long a leaked API key, password, or token stays valid. Here's how it works, how often to do it, and why automation matters.
What is a CI/CD Secrets Leak
A CI/CD secrets leak exposes real credentials through build logs, forks, or compromised Actions. Here's how it happens and how to stop it.