CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Secrets Management

security Intermediate

Also Known As

secrets credentials management Vault AWS Secrets Manager

TL;DR

Storing, distributing, and rotating credentials securely — using dedicated tools rather than .env files in version control or hardcoded values in source code.

Explanation

Secrets (API keys, database passwords, certificates) must never appear in source code, logs, or version control. Tiers: environment variables injected at runtime (basic, sufficient for many apps), secrets managers (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager — audit trails, rotation, fine-grained access), and hardware security modules (HSMs — for cryptographic key material). PHP apps typically read secrets from environment variables injected by the orchestration layer, never from committed .env files.

Common Misconception

.env files are secure because they are in .gitignore — .gitignore prevents future commits but does not remove secrets already committed; the history is permanent unless rewritten.

Why It Matters

Leaked secrets in git history are the most common cause of cloud account compromises — GitHub scans public repos for credentials and notifies providers, but private leaks require your own monitoring.

Common Mistakes

  • Committing .env to version control even once — git history is permanent; rotate any secret ever committed.
  • Logging request parameters or headers that may contain tokens — secrets leak into log aggregators.
  • Same secrets across environments — a dev credential breach should not unlock production.
  • Not rotating secrets after team member departure — former employees retain access to any secret they knew.

Code Examples

✗ Vulnerable 
# .env committed to git:
DB_PASSWORD=supersecret123
STRIPE_KEY=sk_live_abc123
APP_KEY=base64:xyz...

# Even with .gitignore added later:
git log --all --full-history -- .env
# Shows every historical version — credentials exposed forever
✓ Fixed 
# Runtime injection — secret never in code:
# docker-compose.yml:
services:
  app:
    environment:
      DB_PASSWORD: ${DB_PASSWORD}  # Injected from host env or secrets manager

# PHP reads from environment:
$dsn = 'mysql:host=' . getenv('DB_HOST');
$pdo = new PDO($dsn, getenv('DB_USER'), getenv('DB_PASSWORD'));

# AWS Secrets Manager (for rotation support):
$secret = json_decode($secretsManager->getSecretValue(['SecretId' => 'prod/db'])['SecretString'], true);
Added 15 Mar 2026
Edited 22 Mar 2026
Views 25

Curated in Warsaw under one editorial standard. 1,445 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings F 3 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 1 ping F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W 1 ping T 1 ping F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 1 ping F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 1 ping F 0 pings S
Agents 0
No pings yet today
Perplexity 9 Amazonbot 7 Google 3 Ahrefs 2 Unknown AI 2
Also referenced
.env Files & Environment Variables 93 Hardcoded Credentials 33 API Key Exposure 27 Secret Rotation 23
How they use it
crawler 20 crawler_json 2 pre-tracking 1
Related categories
php 6.7k security 4.2k devops 1.1k
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: High
⚡ Quick Fix
Use AWS Secrets Manager, HashiCorp Vault, or Doppler for production secrets — read them at startup into environment variables; never put real secrets in .env files committed to git
📦 Applies To
any web cli
🔗 Prerequisites
🔍 Detection Hints
Real credentials in .env committed to git; secrets in docker-compose.yml; hardcoded API keys in config files; no secrets rotation mechanism
Auto-detectable: ✓ Yes trufflehog gitleaks aws-secrets-manager vault
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Medium ✗ Manual fix Fix: High Context: File
CWE-798 CWE-312
✓ schema.org compliant