Secrets Management Audit Checklist
An audit of the secret lifecycle, store, distribute, rotate, revoke, that starts with discovery and history scanning, enforces vault storage with per-workload least privilege, and pushes toward short-lived dynamic credentials over static long-lived ones.
When to Use This Checklist
Use this checklist when consolidating secrets onto a vault, after a credential leak, or as a periodic security audit. Secrets are among the highest-value targets in any system: a single leaked key can unlock data, infrastructure, or customer accounts. This audit verifies that secrets are stored, distributed, rotated, and revoked safely throughout their lifecycle.
How to Use This Checklist
Start with discovery, because you cannot protect secrets you do not know about. Inventory every type and location, then scan repositories and their history; secrets committed long ago remain valid until rotated. Move on to storage and access: secrets belong in a dedicated vault with least-privilege, per-workload access and full audit logging, never in code or images.
The most important maturity step is moving from static, long-lived secrets to short-lived, dynamically issued credentials or workload identity. Long-lived secrets are a standing liability; ephemeral credentials shrink the window of exposure dramatically.
What Good Looks Like
There is a complete inventory of secrets, and none are found in source control. Everything lives in a vault, encrypted at rest, with access scoped per workload and logged. Long-lived secrets rotate on a schedule, but the system is trending toward short-lived dynamic credentials that expire on their own. Secrets are injected at runtime rather than baked into artifacts, so an artifact leak does not leak credentials. A revocation path can kill a compromised secret in minutes, break-glass vault access is time-bound and logged, and the vault itself is recoverable without compromising its protection.
Common Pitfalls
The most common and damaging pitfall is secrets in Git history, which remain exploitable until rotated even after being deleted from the latest commit. Baking secrets into container images is another frequent mistake, coupling a secret's lifetime to the image's. Teams also rely on long-lived static credentials that are rarely rotated, so a single leak has indefinite blast radius. Finally, audit logs on secret access are often collected but never alerted on, so misuse goes unnoticed.
Related Resources
Build on secrets-management best practices, the principle of least privilege, and zero-trust architecture, where short-lived, identity-bound credentials replace standing secrets. Use the IaC security playbook to keep secrets out of infrastructure definitions.