Remediate leaked secrets

HCP Vault Radar can scan for secrets leaked in your code.

Create an incident

Leaked secrets can lead to unauthorized access to your services. To prevent malicious activity, HashiCorp recommends users to rotate and store the secret in Vault.

Follow your organization’s guidelines for emergency rotation of a secret.
Determine if your company already uses HashiCorp Vault.

Store secrets in Vault KVv2 secret engine

This example uses the KVv2 secrets engine and AppRole auth method. If your application is already configured to access secrets in Vault, use existing secrets engines and auth methods.

Note

Before getting started install the Vault CLI

Set the following environment variables in your local environment:
```
VAULT_TOKEN
VAULT_ADDR
VAULT_NAMESPACE
```
Note
Make sure you know your Vault namespace and plugin mount path.

Add the secret to the Vault KV version 2 secrets engine.

$ vault kv put -mount=mount-path my-secret my-secret-value=secret-value

Read the secret.

$ vault kv get -mount=mount-path my-secret

Create a policy to allow access to the KVv2 secret engine.

$ vault policy write my-policy -<<EOF
   path "my-secret" {
       capabilities = [ "read" ]
   }
EOF

Enable the AppRole authentication method.
```
$ vault auth enable approle
```
Note
Refer to this documentation to learn more about other authentication methods that Vault supports

Create a role and attach the policy.

$  vault write auth/approle/role/my-role \
     token_policies=my-policy

Remove the secret from code

Now that the secret is available from Vault, remove the hardcoded secret from the source code. This example uses an environment variable to store the secret from Vault.

Populate the environment variable MY_SECRET with the secret and start your local server.
```
$  export MY_SECRET=$(vault kv get -mount=month-path {SECRET} my-secret-value)
```
Start the application.
```
$ run-my-app
```
Remove the secret from source and add a reference to the secret stored at the environment variable MY_SECRET.
mySecret = getenv(“MY_SECRET”)

Note

If you are not using an environment variable to read the secret, here are some other ways to store or retrieve secrets from Vault:

Create secrets with the Vault secrets operator for Kubernetes.
Use Vault Enterprise secret sync for services like Vercel or Heroku.
Read and reload secrets in Spring.
If you do not use environment variables, refer to the Vault API documentation

Revoke the secret

Revoke the secret to complete the remediation process.

Validate the environment variable value is from Vault.
Deploy and test the application.
Work with the service owner to rotate the secret stored in the Vault.

Update the secret value in Vault

$ vault kv put -mount=mount-path my-secret my-secret-value=new-value