⚙️ Security Engineers · Module 2

Secrets Management for Personal Projects

Stop leaking API keys in side projects — master .env hygiene, git-secrets, pre-commit hooks, and cloud secret managers for your personal infrastructure.


The .env File Disaster

Every year, researchers scan GitHub and find millions of leaked secrets. In 2023, GitGuardian detected over 12.8 million new secret occurrences in public repositories. A significant portion comes from individual developers' side projects, not enterprise code.

You'd never commit an AWS key in your day job. But at 1 AM, three hours into a hobby project, you hardcode a Stripe test key "just for now" and push. That key is in git history forever.

How Secrets Leak

The most common leak vectors for personal projects:

1. Direct Commit

# config.py — The cardinal sin
STRIPE_KEY = "sk_live_51H7bFkE2eZvKYlo2C..."
DATABASE_URL = "postgres://admin:P@ssw0rd123@db.example.com:5432/prod"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

2. .env Files Without .gitignore

# .env — committed because .gitignore wasn't set up first
API_KEY=sk_live_51H7bFkE2eZvKYlo2C...
DATABASE_URL=postgres://admin:password@localhost:5432/myapp
JWT_SECRET=super-secret-jwt-key-2024

3. Configuration Files

# docker-compose.yml — often committed with real values
services:
  db:
    environment:
      POSTGRES_PASSWORD: production_password_123
  app:
    environment:
      SENDGRID_API_KEY: SG.xxxxx

4. Jupyter Notebooks

# Cell 3 of analysis.ipynb
import openai
openai.api_key = "sk-proj-abc123..."

Notebooks are particularly insidious because the output cells, which are saved in the .ipynb file alongside the code, often contain the API's response. That output proves the key was valid when the cell ran, and it gets committed together with the key.

5. Git History

Even if you delete the secret in a subsequent commit, it stays in the repository's history, in every clone, and in any fork taken before the deletion. git log can find it:

# -S (the "pickaxe") lists commits where the number of occurrences of the string changed,
# so it finds the commit that added the key and the one that removed it. --all covers
# every branch and tag, not just the current one; -p prints the matching diff.
git log -p --all -S 'sk_live' -- '*.py' '*.js' '*.env'
git log -p --all -S 'AKIA' -- .  # AWS access key ID prefix

The Cost of Leaked Secrets

What happens when your key leaks:

  1. Automated scrapers find it within minutes. Bots continuously watch the GitHub Events API for push events and grep the new commits for patterns like AKIA, sk_live_, ghp_, etc.
  2. Financial damage: Leaked AWS keys have resulted in $50,000+ bills for cryptocurrency mining within hours.
  3. Account compromise: A leaked classic GitHub personal access token with the repo scope gives the attacker access to every repository you can reach, private ones included.
  4. Lateral movement: A leaked key to one service often leads to others. Your SendGrid key might not seem critical, until the attacker uses it to send phishing emails from your domain.

The Rules

  1. Never put secrets in source code. No exceptions. Not even test keys: the line that holds a test key today tends to hold the production key later.
  2. Set up .gitignore FIRST — before writing any code.
  3. Use environment variables loaded from .env files that are gitignored.
  4. Install pre-commit hooks that block secret commits.
  5. Rotate immediately if you suspect any leak.

The rest of this module teaches you how to implement each of these rules with specific tools and workflows.
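The history search above and rules 2 through 5 fit into one small script. The one below is an added example written for this module, not a tool the page or GitGuardian ships; the script name secret-guard.sh, the function names, and the regex list are mine. The patterns are deliberately illustrative: the prefixes the module mentions (AKIA, sk_live_, ghp_, SG., sk-proj-), a PEM private-key header, and a URL with an embedded password. Tune them to the services you actually use.

```shell
#!/bin/sh
# secret-guard.sh: added example for this module (not the page's own tool).
# Illustrative ERE patterns; extend for your own providers.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|sk_(live|test)_[0-9A-Za-z]{10,}|ghp_[0-9A-Za-z]{36}|SG\.[0-9A-Za-z_-]{20,}|sk-proj-[0-9A-Za-z_-]{20,}|-----BEGIN [A-Z ]*PRIVATE KEY-----|[a-z]+://[^:/@[:space:]]+:[^@[:space:]]+@'

# find_secrets FILE: print "line:text" for each suspicious line (exit 1 if none)
find_secrets() {
  grep -nE -e "$SECRET_PATTERNS" -- "$1"
}

# count_secrets FILE: print how many lines in FILE look like secrets
count_secrets() {
  grep -cE -e "$SECRET_PATTERNS" -- "$1" || true
}

# is_env_file PATH: true for .env and .env.<anything>, except the templates
# that are meant to be committed
is_env_file() {
  case "$(basename "$1")" in
    .env.example|.env.sample|.env.template) return 1 ;;
    .env|.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# init_gitignore: rule 2. Ignore the usual secret carriers before the first
# commit. Safe to re-run: an entry is appended only if it is not already there.
init_gitignore() {
  for entry in '.env' '.env.*' '!.env.example' '*.pem' '*.key' '.ipynb_checkpoints/'; do
    grep -qxF -- "$entry" .gitignore 2>/dev/null || printf '%s\n' "$entry" >> .gitignore
  done
}

# check_staged: rule 4, the pre-commit hook body. Scans the *staged* blob of
# each added/changed file (git show :path), not the working-tree copy, so a
# secret that was staged and then edited away in the editor is still caught.
check_staged() {
  status=0
  # Paths containing whitespace would need `git diff -z`; kept simple here.
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if is_env_file "$f"; then
      echo "pre-commit: refusing to commit env file '$f' (rule 3: .env stays local)" >&2
      status=1
      continue
    fi
    hits=$(git show ":$f" | grep -nE -e "$SECRET_PATTERNS" || true)
    if [ -n "$hits" ]; then
      echo "pre-commit: possible secret in '$f':" >&2
      printf '%s\n' "$hits" | sed 's/^/    /' >&2
      status=1
    fi
  done
  [ "$status" -eq 0 ] || echo "pre-commit: blocked. Move the value to .env; if it is real, rotate it (rule 5)." >&2
  return "$status"
}

# scan_history: rule 5 helper. -G applies the regex to every diff line on every
# ref, so it also finds a key that was committed and deleted later. The grep
# keeps only commit headers, file headers and the added lines that matched.
scan_history() {
  git log --all -p --no-color --format='commit %H %s' -G"$SECRET_PATTERNS" |
    grep -E "^(commit |diff --git |\+[^+].*($SECRET_PATTERNS))"
}

# install_hook: copy this script into the repository's hooks directory
install_hook() {
  hooks=$(git rev-parse --git-path hooks)
  cp -- "$0" "$hooks/pre-commit" && chmod +x "$hooks/pre-commit"
  echo "installed $hooks/pre-commit"
}

case "$(basename "$0")" in
  pre-commit) check_staged ;;          # git runs the installed copy with no args
  *)
    case "${1:-}" in
      install) init_gitignore && install_hook ;;
      history) scan_history ;;
    esac ;;
esac
```

Run `sh secret-guard.sh install` once from the repository root: it writes the .gitignore entries and installs itself as .git/hooks/pre-commit, after which any commit that stages a .env file or a line matching the patterns is refused. `sh secret-guard.sh history` walks every ref and prints each added line that matches, with the commit it came from, which is the first thing to do after a suspected leak. Note that scan_history uses `-G` (any diff line matching the regex) rather than the `-S` pickaxe shown earlier, because a key that was rewritten in place changes no occurrence count and would slip past `-S`. To load the ignored .env into a shell session for local development, `set -a; . ./.env; set +a` exports every KEY=value line; the hook makes sure that file never reaches a commit. Pattern-based scanning has false negatives by construction, so treat the hook as a seat belt for rule 1, not a substitute for it.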


🛡️ CyberSafe — Online safety training for the whole family.