Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: secrets-management
Skill path: skills/devsecops/secrets-management/SKILL.md

What Was Wrong

The skill covers short-lived tokens, JIT credentials, Vault AppRole, Kubernetes service account injection, and OIDC examples, but it did not explicitly require evidence for the bootstrap path used to obtain the first machine credential. A system can issue dynamic credentials while still storing paired bootstrap secrets, accepting over-broad OIDC claims, or persisting exchanged tokens into artifacts/logs/caches.

Related review issue: #2064

What This PR Fixes

• Adds explicit secret-zero/bootstrap credential review gates for CI/CD agents, bots, Kubernetes workloads, and AI agents.
• Requires no paired bootstrap secrets stored together in repos, CI secret stores, images, artifacts, or Kubernetes Secrets.
• Requires OIDC/workload identity roles to bind issuer, audience, subject, repo/project, ref, environment, namespace, service account, and workflow/job identity where supported.
• Requires response wrapping, one-use secret_id, and short TTL when AppRole is unavoidable.
• Requires issued credentials to align with task duration and avoid persistence in logs/artifacts/caches/workspace files/crash dumps/transcripts.
• Adds audit-correlation requirements for actor, workload identity, run/job ID, scope, TTL, and revocation result.
• Adds output table and common pitfall for machine identity bootstrap review.

Evidence

Before (skill could miss this):

bootstrap_credentials:
  method: vault_approle
  storage:
    VAULT_ROLE_ID: github_actions_secret
    VAULT_SECRET_ID: github_actions_secret
  secret_id_ttl: unlimited
  secret_id_num_uses: unlimited
issued_token:
  ttl: 24h
persistence:
  writes_token_to_workspace_file: true
  uploads_workspace_artifact: true

After (now correctly handled):

bootstrap_identity:
  method: oidc_to_vault
  bound_audiences: [vault://prod-deploy]
  bound_subject: repo:example-org/payments:ref:refs/heads/main
  bound_claims:
    environment: production
    workflow: deploy.yml
issued_credentials:
  ttl: 15m
  renewable: false
persistence_controls:
  write_to_workspace: false
  upload_in_artifacts: false

Test Cases Added/Updated

• Added vulnerable test case: tests/vulnerable/secrets-bootstrap-credentials-stored-together.yaml
• Added benign test case: tests/benign/secrets-bootstrap-oidc-bound-ephemeral.yaml
• Existing tests still pass / no executable test harness exists in this repository; validated with git diff --check, git diff --cached --check, and key-field checks for the new YAML evidence files.

Bounty Tier

• Minor ($50) - Doc update, small logic tweak, typo fix
• Moderate ($100) - New edge case coverage, FP reduction with evidence
• Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: GitHub Sponsors