Tags: PCI-DSS 8.3.9 · NIST SP 800-57 · SOC2 CC6.1 · Secret Rotation · Deep Prototype

SecretRotation — 64-Secret Rotation Inventory

64 seeded secrets across 12 systems. Rotation cadence vs policy. Last-rotated age, blast-radius, owner, vault. Surfaces the 'orphan token' (no owner, no last-rotated metadata), the deprecated mongo password 880 days stale, the FCM legacy server key still in env vars, and the still-running IAM access key that should have been migrated to OIDC.


What it is

The data shape behind secret-rotation programs such as HashiCorp Vault, AWS Secrets Manager rotation Lambdas, Doppler and Akeyless: the list an auditor pulls first — what is the oldest secret in production, who owns it, when was it last rotated, and what is its blast radius.

What’s in it

  • 64 secrets across 7 categories: API keys, DB passwords, signing keys, SSH keys, OAuth client secrets, KMS CMKs, TLS certs.
  • Rotation status vs policy (90/180/365-day cadences). Color-coded: in policy / approaching / overdue / never rotated.
  • Blast radius — critical / high / medium / low — drives the urgency.
  • Worst-offender findings:
    • unknown-svc-token-2023 — orphan in Secrets Manager with no owner, no last-rotated metadata
    • aws-iam-ci-access-key — 480 days stale, should be OIDC not access keys
    • mongo-prod-app — 880 days, deprecated service still serving 0.2% of traffic
    • webhook-test-shared-secret — 1,100 days, TEST secret accidentally promoted to prod
    • leaked.aws.access-key-2024-q3 — rotated 18 days ago after public-commit leak
  • Real rotation runbooks per category — AWS KMS auto-rotation, Secrets Manager rotation Lambda, dual-key cutover for signing keys, ACME renewal for TLS, ed25519 regeneration for SSH.
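The rotation math and status colouring the list above describes, written out as an added example for this page (it is not the SecretRotation tool's own JavaScript). The as-of date, the 14-day "approaching" window, the cadence and blast-radius values on each row, and the extra `signing-key-jwt-example` row are constructed assumptions; the ages of the other rows are chosen to match the worst-offender findings above.

```javascript
// Added example, not code from the SecretRotation tool.
// Classifies a secret inventory against rotation policy: age vs cadence ->
// in policy / approaching / overdue / never rotated, flags orphans
// (no owner AND no last-rotated metadata), and ranks by urgency.

const DAY_MS = 24 * 60 * 60 * 1000;
const APPROACHING_WINDOW_DAYS = 14; // assumption: warn 14 days before the cadence lapses
const BLAST_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
const STATUS_RANK = { 'never rotated': 0, overdue: 1, approaching: 2, 'in policy': 3 };

// Whole days between an ISO last-rotated timestamp and asOf; null when metadata is missing/garbled.
function ageDays(lastRotated, asOf) {
  if (!lastRotated) return null;
  const t = Date.parse(lastRotated);
  if (Number.isNaN(t)) return null;
  return Math.floor((asOf.getTime() - t) / DAY_MS);
}

// Age vs policy cadence -> one of the four colour-coded states.
function rotationStatus(age, cadenceDays) {
  if (age === null) return 'never rotated';
  if (age > cadenceDays) return 'overdue';
  if (age > cadenceDays - APPROACHING_WINDOW_DAYS) return 'approaching';
  return 'in policy';
}

// One inventory row -> finding. Orphan = no owner and no last-rotated metadata.
function assessSecret(secret, asOf) {
  const age = ageDays(secret.lastRotated, asOf);
  return {
    name: secret.name,
    category: secret.category,
    status: rotationStatus(age, secret.cadenceDays),
    ageDays: age,
    blastRadius: secret.blastRadius,
    owner: secret.owner || null,
    orphan: !secret.owner && !secret.lastRotated,
  };
}

// Worst offenders first: orphans, then never rotated / overdue / approaching / in policy,
// ties broken by blast radius (critical first) and then by age (oldest first).
function rankFindings(secrets, asOf) {
  return secrets
    .map((s) => assessSecret(s, asOf))
    .sort(
      (a, b) =>
        (a.orphan === b.orphan ? 0 : a.orphan ? -1 : 1) ||
        STATUS_RANK[a.status] - STATUS_RANK[b.status] ||
        BLAST_RANK[a.blastRadius] - BLAST_RANK[b.blastRadius] ||
        (b.ageDays ?? 0) - (a.ageDays ?? 0)
    );
}

// Count of secrets per status, the headline number an auditor asks for.
function summarize(findings) {
  const counts = { 'never rotated': 0, overdue: 0, approaching: 0, 'in policy': 0 };
  for (const f of findings) counts[f.status] += 1;
  return counts;
}

// Constructed sample inventory. The as-of date is an assumption; last-rotated
// timestamps are derived from it so the ages equal the page's findings exactly.
const AS_OF = new Date('2025-01-01T00:00:00Z');
const daysAgo = (n) => new Date(AS_OF.getTime() - n * DAY_MS).toISOString();

const SAMPLE_INVENTORY = [
  { name: 'unknown-svc-token-2023', category: 'API key', cadenceDays: 90, blastRadius: 'high', owner: null, lastRotated: null },
  { name: 'aws-iam-ci-access-key', category: 'API key', cadenceDays: 90, blastRadius: 'critical', owner: 'platform', lastRotated: daysAgo(480) },
  { name: 'mongo-prod-app', category: 'DB password', cadenceDays: 90, blastRadius: 'high', owner: 'data', lastRotated: daysAgo(880) },
  { name: 'webhook-test-shared-secret', category: 'API key', cadenceDays: 180, blastRadius: 'medium', owner: 'integrations', lastRotated: daysAgo(1100) },
  { name: 'leaked.aws.access-key-2024-q3', category: 'API key', cadenceDays: 90, blastRadius: 'critical', owner: 'platform', lastRotated: daysAgo(18) },
  // constructed row to exercise the 'approaching' state (80 days into a 90-day cadence)
  { name: 'signing-key-jwt-example', category: 'signing key', cadenceDays: 90, blastRadius: 'high', owner: 'auth', lastRotated: daysAgo(80) },
];

const findings = rankFindings(SAMPLE_INVENTORY, AS_OF);
console.table(findings.map(({ name, status, ageDays, blastRadius, orphan }) => ({ name, status, ageDays, blastRadius, orphan })));
console.log(summarize(findings));
```

The "approaching" window is deliberately a separate constant from the cadence: auditors compare age against the policy number itself, while the early-warning band is an operational choice the program owner sets. The orphan test requires both owner and last-rotated metadata to be absent, matching the page's definition, so a secret with a known owner but no rotation history shows up as "never rotated" rather than as an orphan.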

Why this shape

PCI-DSS v4.0 Req 8.3.9 (90-day password rotation), NIST SP 800-57 Pt 1 §5.3 (cryptoperiod), SOC2 CC6.1, AWS KMS rotation guidance all share the same shape — secret age vs policy. The audit always pulls this list. SecretRotation prototypes it directly: every row carries the runbook, the regulation citation, and the owner.

How it ships

Single HTML file, ~26KB. Zero dependencies. 64 secrets × 7 categories × rotation math + per-category runbook templates in 280 lines of vanilla JavaScript.
