# Secret Rotation Log

> **Rule**: Every secret found in git history must be rotated and logged here.
> **Owner**: CTO / Security Lead
> **Review**: Monthly

---

## Rotation Template

```
| Date       | Secret Type | Location Found | Old ID/Prefix | New Location | Rotated By | Verified |
|------------|-------------|----------------|---------------|--------------|------------|----------|
| YYYY-MM-DD | API Key     | git history    | sk_xxxx...    | AWS SM       | @user      | ✓        |
```

---

## Active Rotations

| Date | Secret Type | Location Found | Rotated By | Verified |
|------|-------------|----------------|------------|----------|
| TBD  | (Run `gitleaks detect --source . --log-opts="--all"` to populate) | | | |

---

## Scan Commands

```bash
# Install tools (gitleaks is a Go binary and is not published on PyPI;
# detect-secrets is a Python package)
brew install gitleaks          # or: go install github.com/gitleaks/gitleaks/v8@latest
pip install detect-secrets

# Full history scan (all branches and refs); the report is a JSON array of findings
gitleaks detect --source . --log-opts="--all" --report-path /tmp/secret_scan.json

# Current staged files only (pre-commit check)
gitleaks protect --staged

# Alternative: trufflehog
pipx install trufflehog3
trufflehog3 . --format json --output /tmp/trufflehog_report.json
```

---

## Mandatory Actions After Scan

For every finding:

1. Rotate the credential in the source system (AWS, Stripe, OpenAI, etc.)
2. Update environment variables in production
3. Revoke the leaked credential
4. Add an entry to this log
5. Add the path/pattern to `.gitleaksignore` ONLY if it is a confirmed false positive

---

## Secrets Management Hierarchy

| Environment | Manager |
|-------------|---------|
| Local dev   | `.env` file (gitignored) + Doppler |
| Staging     | Doppler or AWS Secrets Manager |
| Production  | AWS Secrets Manager (me-south-1) |

## Escape Hatches (forbidden)

- ❌ Secrets in `.env.example`
- ❌ Secrets in docker-compose.yml (use a Secrets reference)
- ❌ Secrets in code comments
- ❌ Secrets in test fixtures (use generated values)
- ❌ Secrets in Slack, email, or tickets
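The full-history scan above writes a JSON report, and step 4 of the mandatory actions asks for one log entry per secret. The script below is an added example (not part of this runbook and not gitleaks' own tooling) that turns such a report into rows in the Rotation Template layout, de-duplicating a secret that appears in several commits so it is rotated and logged once, and redacting the value down to the prefix the "Old ID/Prefix" column expects. It assumes the gitleaks v8 JSON field names (`RuleID`, `Description`, `File`, `Commit`, `Secret`, `Date`, `Fingerprint`); the sample report embedded in it is constructed and every key in it is fake.

```python
"""Build Secret Rotation Log rows from a gitleaks JSON report.

Added example for this runbook; not part of gitleaks. Assumes the report was
written by `gitleaks detect ... --report-path /tmp/secret_scan.json` and uses
gitleaks v8 field names (assumption). SAMPLE_REPORT is constructed test data.
"""
import json
import sys
from datetime import date

# Constructed sample of a gitleaks JSON report. All secrets here are fake.
# The Stripe key appears twice (two commits) to show de-duplication.
SAMPLE_REPORT = json.dumps([
    {
        "RuleID": "stripe-access-token", "Description": "Stripe Access Token",
        "File": "config/settings.py",
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "Secret": "sk_live_FAKE0000000000000000000000", "Date": "2024-03-01T10:00:00Z",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567:config/settings.py:stripe-access-token:12",
    },
    {
        "RuleID": "stripe-access-token", "Description": "Stripe Access Token",
        "File": "config/settings.py",
        "Commit": "76543210fedcba9876543210fedcba9876543210",
        "Secret": "sk_live_FAKE0000000000000000000000", "Date": "2024-02-20T09:00:00Z",
        "Fingerprint": "76543210fedcba9876543210fedcba9876543210:config/settings.py:stripe-access-token:12",
    },
    {
        "RuleID": "aws-access-token", "Description": "AWS Access Key",
        "File": "scripts/deploy.sh",
        "Commit": "89abcdef0123456789abcdef0123456789abcdef",
        "Secret": "AKIAFAKEFAKEFAKEFAKE", "Date": "2024-02-10T08:30:00Z",
        "Fingerprint": "89abcdef0123456789abcdef0123456789abcdef:scripts/deploy.sh:aws-access-token:3",
    },
    {
        "RuleID": "generic-api-key", "Description": "Generic API Key",
        "File": "tests/fixtures/sample.json",
        "Commit": "fedcba9876543210fedcba9876543210fedcba98",
        "Secret": "example-not-a-real-key", "Date": "2024-01-05T12:00:00Z",
        "Fingerprint": "fedcba9876543210fedcba9876543210fedcba98:tests/fixtures/sample.json:generic-api-key:7",
    },
])

HEADER = (
    "| Date | Secret Type | Location Found | Old ID/Prefix | New Location | Rotated By | Verified |\n"
    "|------|-------------|----------------|---------------|--------------|------------|----------|"
)


def redact(secret, keep=7):
    """Keep only a short prefix: enough to identify the key, never enough to reuse it."""
    return secret[:keep] + "..."


def load_findings(report_text):
    """Parse the JSON array gitleaks writes; a clean scan may leave the file empty."""
    report_text = report_text.strip()
    return json.loads(report_text) if report_text else []


def dedupe(findings):
    """One secret often shows up in many commits. Rotation is per secret, so keep
    the first finding for each distinct secret value (insertion order preserved)."""
    first_seen = {}
    for finding in findings:
        first_seen.setdefault(finding["Secret"], finding)
    return list(first_seen.values())


def rotation_rows(findings, today=None):
    """One Markdown row per unique secret, in the Rotation Template column order.
    New Location / Rotated By stay TODO and Verified stays unchecked until the
    rotation in the source system is actually done."""
    today = today or date.today().isoformat()
    rows = []
    for f in dedupe(findings):
        location = f"git history ({f['File']} @ {f['Commit'][:7]})"
        rows.append(
            f"| {today} | {f['Description']} | {location} | {redact(f['Secret'])} "
            f"| TODO | TODO | ☐ |"
        )
    return rows


def ignore_line(finding):
    """The .gitleaksignore entry for a finding is its fingerprint (commit:file:rule:line).
    Per step 5 of the runbook, emit this ONLY for a confirmed false positive."""
    return finding["Fingerprint"]


if __name__ == "__main__":
    # Usage: python rotation_rows.py /tmp/secret_scan.json   (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(HEADER)
    for row in rotation_rows(load_findings(text)):
        print(row)
```

Paste the printed rows under "Active Rotations" and fill in the TODO columns as each credential is rotated; the test-fixture hit in the sample is the kind of finding that, once confirmed fake, goes into `.gitleaksignore` via its fingerprint rather than into the rotation log.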