Secret Hygiene Bot
Secret rotation and vault integration
The Secret Hygiene Bot ensures proper secret management, monitors rotation schedules, and prevents credential leaks.
What It Does
- Scans for secrets: detects API keys, tokens, and credentials in code
- Tracks rotation: monitors when secrets were last rotated
- Validates vault usage: ensures proper secret manager integration
- Detects env leaks: finds secrets exposed in logs or configs
- Creates rotation PRs: automates secret rotation workflows
Secret Types Detected
| Type | Pattern | Risk |
|------|---------|------|
| AWS Keys | AKIA... | Critical |
| GitHub Tokens | ghp_... | Critical |
| API Keys | Various | High |
| Private Keys | -----BEGIN | Critical |
| Database URLs | postgresql://... | High |
| JWT Secrets | Entropy-based | High |
Configuration
```yaml
agents:
  - name: secret-hygiene
    template: secret-hygiene-bot
    triggers:
      pull_request:
        - opened
      schedule:
        - cron: "0 9 * * 1" # Weekly audit
    config:
      # Secret manager integration
      secret_manager: aws-secrets-manager
      # Rotation policy (days)
      max_secret_age: 90
      # Block PRs with exposed secrets
      block_on_detection: true
      # Custom patterns to detect
      custom_patterns:
        - name: "Internal API Key"
          pattern: "int_[a-zA-Z0-9]{32}"
```
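As an added example (not code from the template or its documentation), the following Python checker applies the detection patterns from the table above, the custom `int_` pattern from the config, an entropy test for JWT secrets, and the `max_secret_age` policy to a constructed sample file. The exact regexes, the entropy threshold and the sample content are assumptions; the page gives only the prefixes.

```python
import math
import re
from datetime import date, timedelta
# Regexes for the "Secret Types Detected" table plus the config's custom pattern.
# Exact character classes are assumptions; the page gives only the prefixes.
PATTERNS = {
    "AWS Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Private Key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # only URLs that embed a password (user:pass@host) count as a secret
    "Database URL": re.compile(r"postgres(?:ql)?://[^:\s]+:[^@\s]+@\S+"),
    "Internal API Key": re.compile(r"\bint_[a-zA-Z0-9]{32}\b"),
}
# JWT secrets are entropy-based: flag JWT_SECRET-style assignments whose value
# looks random. The threshold (bits per character) is an assumed tuning value.
JWT_ASSIGN = re.compile(r"(?i)\bjwt[_-]?secret\s*[:=]\s*['\"]?([^'\"\s]+)")
ENTROPY_THRESHOLD = 3.5

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, secret_type) for every finding in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((lineno, name))
        m = JWT_ASSIGN.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "JWT Secret"))
    return findings

def rotation_overdue(last_rotated: str, today: str, max_secret_age: int = 90) -> bool:
    """True when the two ISO dates are more than max_secret_age days apart."""
    age = date.fromisoformat(today) - date.fromisoformat(last_rotated)
    return age > timedelta(days=max_secret_age)

# Constructed sample file; the AWS key is the well-known AWS documentation example.
SAMPLE = """AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
DATABASE_URL=postgresql://app:hunter2@db.internal:5432/prod
-----BEGIN RSA PRIVATE KEY-----
JWT_SECRET=changeme
JWT_SECRET=Q7vP9xL2mT4wZ8nR1kB5yH3jF6dS0aG"""
```

With `block_on_detection: true`, any non-empty result from `scan_text` is what would block the PR; the low-entropy `changeme` value is deliberately not reported by the entropy rule.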
Rotation Workflow
When secrets approach their rotation deadline:
1. The agent creates an issue with rotation instructions.
2. After the new secret is provisioned, the agent verifies that it works.
3. The agent creates a PR updating the secret references.
4. The old secret is scheduled for revocation.