Confidential Document

This document is restricted to RRI leadership.

DERISK — Remove What Can Kill You
D3

Secrets Audit & Credential Rotation

IN PROGRESS · Wave 0 · 2 days

Executive Summary

Six repos have committed secrets in git history. The Members Portal .env contents are unknown until git history is inspected — they could contain production database credentials. The rri-stress-test repo contains Cognito client IDs that compound with D4’s auth vulnerability.

The approach is two-layered: rotate FIRST, purge SECOND. Rotation closes the attack vector immediately; purging git history removes the exposed values from the repository record. Never purge without rotating, because the old credentials keep working until they are rotated, and a rewritten history does not reach clones or forks that already hold the old commits, so rotation, not the purge, is the control that actually ends the exposure.

Two scanning tools provide defense in depth: TruffleHog (free, 800+ detectors, CI integration) runs in CI/CD and as pre-commit hooks. GitHub Secret Protection ($19/committer/month) adds push-time blocking at the platform level.

What Needs to Happen

  1. Rotate Cognito client IDs from rri-stress-test — BEFORE UPW March 12 (Phase 0). These credentials compound with D4’s auth hardening.
  2. Run TruffleHog --only-verified scan — Across all 6 affected repos. Produces inventory of live, verified credentials. Week 1.
  3. Inventory all discovered credentials — Classify by severity: production database, API keys, service accounts, test credentials. Week 1.
  4. Rotate all production credentials in priority order — Database credentials first, then API keys, then service accounts. Weeks 1-2.
  5. Purge git history with git-filter-repo — Git project’s recommended tool (not BFG). Force-push cleaned history. Week 2.
  6. Enable GitHub Secret Protection push blocking — $19/committer/month. Prevents any future secret commits at push time. Week 2.
  7. Install TruffleHog pre-commit hooks globally — Deployed to all 5 engineers’ machines. Defense before code even reaches GitHub. Week 2.
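Steps 3 and 4 above (classify the discovered credentials, then rotate in priority order) as an added Python example; this is not part of the plan or TruffleHog's own tooling. It reads NDJSON in the shape of trufflehog git --json --only-verified output, folds repeated commits of one credential into a single rotation item, and orders the inventory by the plan's severity classes. The JSON field names and detector names are assumptions to be checked against a real scan, and the repos, paths and findings in SAMPLE_NDJSON are constructed.

```python
import json

# Severity classes from the plan, in rotation priority order (lower index = rotate first).
PRIORITY = ["production database", "API key", "service account", "test credential"]
# TruffleHog detector name -> class. Detector names are assumed here; confirm against a real scan.
DETECTOR_CLASS = {
    "Postgres": "production database", "MySQL": "production database",
    "AWS": "API key", "Stripe": "API key", "Github": "API key",
    "GCP": "service account", "PrivateKey": "service account",
}
TEST_PATH_HINTS = ("test/", "tests/", "fixtures/")

def classify(finding):
    """Severity class for one finding; credentials living in test fixtures rotate last."""
    path = finding["SourceMetadata"]["Data"]["Git"].get("file", "")
    if any(hint in path for hint in TEST_PATH_HINTS):
        return "test credential"
    return DETECTOR_CLASS.get(finding.get("DetectorName"), "API key")

def build_inventory(ndjson_text):
    """Deduplicated rotation list, highest priority first. One credential usually appears in
    many commits but is one rotation item, so entries are keyed on (detector, redacted)."""
    items = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        f = json.loads(line)
        if not f.get("Verified"):  # mirror --only-verified: skip hits TruffleHog could not confirm live
            continue
        git = f["SourceMetadata"]["Data"]["Git"]
        key = (f["DetectorName"], f["Redacted"])
        entry = items.setdefault(key, {"detector": key[0], "redacted": key[1],
                                       "class": classify(f), "locations": []})
        entry["locations"].append(f"{git['repository']}:{git['file']}@{git['commit'][:7]}")
    return sorted(items.values(), key=lambda e: PRIORITY.index(e["class"]))

def _sample(detector, redacted, repo, path, commit, verified=True):
    """Constructed finding in the shape of `trufflehog git --json` output (field names assumed)."""
    return json.dumps({"DetectorName": detector, "Verified": verified, "Redacted": redacted,
                       "SourceMetadata": {"Data": {"Git": {"repository": repo, "file": path, "commit": commit}}}})

# Constructed sample scan output for the demo; not real findings.
SAMPLE_NDJSON = "\n".join([
    _sample("Stripe", "sk_test_****", "billing", "tests/fixtures/stripe.env", "222bbb3"),
    _sample("AWS", "AKIA****", "rri-stress-test", "config.js", "def4567"),
    _sample("AWS", "AKIA****", "rri-stress-test", "config.js", "789abcd"),  # same key, second commit
    _sample("GCP", "svc-deploy@****", "infra", "deploy/key.json", "111aaa2"),
    _sample("Postgres", "postgres://app:****@db/prod", "members-portal", ".env", "abc1234"),
    _sample("Github", "ghp_****", "tooling", "scripts/sync.sh", "333ccc4", verified=False),
])
```

Feed it the real scan output by piping trufflehog's --json lines into build_inventory; the resulting order is the rotation worklist, and the location list per item tells you which commits the later git-filter-repo pass must rewrite.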

Claude Code acceleration: Scanning scripts, rotation automation, and pre-commit hook configuration are all highly automatable. Claude Code can generate TruffleHog CI configs, write rotation scripts, and produce git-filter-repo commands. Estimated savings: 1 week from the original 2-week timeline.

Completion Criteria

  • Cognito client IDs from rri-stress-test rotated before UPW March 12
  • TruffleHog scan completed across all 6 affected repos with zero verified secrets in HEAD
  • All production credentials rotated and verified working with new values
  • Git history purged with git-filter-repo on all affected repos
  • GitHub Secret Protection enabled — push blocking active
  • TruffleHog pre-commit hooks installed on all 5 engineers’ machines
  • TruffleHog CI gate integrated into D7’s CI/CD pipeline, blocking all future secret commits

Initiative Attributes

D3 — Secrets Audit & Credential Rotation
Cost
$9,780/year ($7,500 people time + $2,280/year GitHub Secret Protection)
Timeline (Original)
2 days
Timeline (With Claude Code)
2 days
Already compressed — scanning + rotation is straightforward
Owner
Johnny Yarlott + Zach Hardesty + Lior (Cognito rotation)
Dependencies
None (starts immediately). Soft: D7 (TruffleHog integrated into CI)
Unblocks
D2 (portal migration must start with clean credentials), D7 (CI includes TruffleHog gate), D8 (contractor docs need sanitized env manifests)
Revenue at Risk
Security breach — unknown magnitude until audit completes
Success Metrics
Zero verified secrets in any repo’s current HEAD; TruffleHog CI gate blocking all future secret commits

Tools Required

Tool | Purpose | Cost
TruffleHog | Secret scanning — 800+ detectors, CI integration, pre-commit hooks | Free (OSS)
GitHub Secret Protection | Push-time blocking — prevents secret commits at the platform level | $19/committer/month
git-filter-repo | Git history purge — Git project’s recommended tool for rewriting history | Free (OSS)

Related Risks

ID | Risk | Severity | Probability | Mitigation
RF3 | Secrets include Cognito credentials — compounds with D4 auth vulnerability | CRITICAL | LOW-MEDIUM | Phase 0 rotation of Cognito client IDs before UPW. Parallel mitigations (Layer 2 token caching, Layer 4 guest checkout) don’t require these credentials.