Secrets management: climb the maturity ladder

Take a small service with a hardcoded database (and/or third-party) credential committed to git and bring it to a managed, scanned, least-privilege, short-lived-secret setup — treating the existing commit as a real leak and proving each rung of the ladder with evidence.

• Start from a service (your own or a starter) with a real-looking credential committed to its git history. Demonstrate the leak: show the value with git log -p and confirm a scanner flags it.
• Remediate as a breach: rotate the credential at its source (a throwaway DB user or test API key), record what the audit/log shows, then rewrite history with git filter-repo to scrub the blob — and write one sentence on why rotation, not the rewrite, is what ended the exposure.
• Move the secret out of code into a .env kept out of git, then into a secret manager (Vault dev mode, AWS Secrets Manager, or SOPS). The app must read it at runtime from the manager, not from a file in the repo.
• Configure access control and capture the audit trail: define a policy so only the app's identity may read the secret, then show a log entry recording exactly who read it and when.
• Add a pre-commit secret scanner (gitleaks or trufflehog) and a CI scan over full history; prove it blocks a deliberately re-introduced test secret before it can be pushed.
• Apply least privilege: give the app a credential scoped to only what it needs (e.g. read-only where writes are not required) and show that an out-of-scope operation is denied.
• Reach the top rung: issue a dynamic, short-lived credential (Vault database engine or equivalent) with a TTL, have the app fetch and renew it, and demonstrate the credential stops working after the TTL expires.

• A before/after of the leak: the secret visible in git history at the start, and absent from history with the credential rotated (the old value provably rejected) at the end.
• The app authenticates using a secret pulled from the manager at runtime, with an audit-log entry shown naming the reader — no secret in the repo, the image, or a tracked file.
• The scanner blocks a re-introduced test secret at commit time (paste the hook output) and the CI scan passes on the cleaned history.
• A dynamic credential demonstrably expires: a captured session that works inside the TTL and is rejected after it, plus one paragraph mapping each step to its rung on the maturity ladder and why it ranked where it did.