Secrets Management For CI/CD
Wires Vault, AWS/Azure/GCP secret stores, and rotation into CI/CD pipelines.
Installation
- Make sure Claude is on your device and in your terminal.
  Skills load from ~/.claude/skills/ when Claude Code starts up — so you need it on your machine first. If you don't have it yet, install it once with the command below, then run claude in any terminal to verify.
  One-time setup:
      npm i -g @anthropic-ai/claude-code
  Already have it? Skip ahead.
- Paste into Claude Code or into your terminal.
  This copies the whole skill folder into ~/.claude/skills/secrets-management-wshobson/ — the SKILL.md plus any scripts, reference docs, or templates the skill ships with. Safe default: works for every skill.
  Faster alternative (instruction-only skills): Skips the clone and grabs only the SKILL.md file. Don't use this if the skill ships Python scripts, reference markdowns, or asset templates — they won't be downloaded and the skill will fail when it tries to load them.
- Restart Claude Code.
  Quit and reopen Claude Code (or any other agent that loads from ~/.claude/skills/). New skills are picked up on startup.
- Just ask Claude.
  Skills auto-activate when your request matches the skill's description — no slash command needed. Trigger phrases live in the skill's own frontmatter; you can read them in the “What this skill does” section below.
When Claude uses it
Teaches Claude to inject and rotate credentials in CI/CD pipelines without hardcoding them, with working snippets for HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Secret Manager. Covers GitHub Actions and GitLab CI integration, Terraform secret lookups, the Kubernetes External Secrets Operator, and automated rotation via Lambda. Reach for it when storing API keys or database passwords, masking secrets in job logs, or adding pre-commit and CI secret scanning with TruffleHog.
What this skill does
What it does: Gives Claude reference patterns for securing credentials across CI/CD pipelines and secret stores, with copy-ready config for each major platform.
- Vault integration: dev-server setup, KV v2 engine, plus hashicorp/vault-action for GitHub Actions and vault kv get for GitLab CI
- AWS Secrets Manager flows: create/retrieve secrets, mask them with ::add-mask::, and resolve them in Terraform aws_db_instance
- GitHub and GitLab secret handling: org/repo/environment secrets, protected and masked variables, log-masking guidance
- Automated and manual secret rotation, including an AWS Lambda rotation handler and the Kubernetes External Secrets Operator (SecretStore/ExternalSecret)
- Secret scanning as a pre-commit hook and CI stage with TruffleHog, plus a 10-point best-practices checklist (least privilege, short-lived tokens, audit logging)