rknall/claude-skills
Overview
This skill manages Docker secrets for GitLab stack projects, ensuring secrets are never stored in .env or docker-compose.yml and are securely integrated with Docker secrets. It enforces a ./secrets directory with strict permissions, validates compose and git safety, and helps migrate environment variables into proper Docker secrets. Use it to create, rotate, audit, or validate secret configuration and to fix secret-related security issues.
How this skill works
The skill scans project files (.env, docker-compose.yml, ./secrets, .gitignore, and git history) to detect exposures, permission problems, and unused or missing secrets. It can create secure secret files in ./secrets with correct ownership and permissions, update docker-compose.yml to reference secrets, generate docker-entrypoint.sh when containers lack native secret support, and produce validation or audit reports with actionable remediation steps. It never reveals secret values and highlights critical issues for immediate remediation.
When to use it
- Create new Docker secrets or generate cryptographically secure values
- Migrate secrets found in .env or docker-compose.yml environment vars
- Validate secret directory, file permissions, and Docker integration
- Audit secret usage, find leaks, or check git for committed secrets
- Rotate or remove obsolete secrets and verify services still work
Best practices
- Always keep secrets in ./secrets with directory mode 700 and files mode 600
- Never store plaintext secrets in .env or docker-compose.yml environment sections
- Ensure ./secrets/* is listed in .gitignore and verify nothing is tracked in git
- Use Docker secrets mechanism; only add docker-entrypoint.sh when native _FILE support is missing
- Generate secrets with cryptographically secure tools (openssl, /dev/urandom, uuidgen)
- Verify ownership is not root and test service access after any migration or rotation
Example use cases
- Scan a project to detect secrets in .env and produce a migration plan
- Create db_password and api_key files in ./secrets, update compose, and set permissions
- Audit secrets to find unused entries and recommend cleanup or rotation
- Generate a 64-character JWT secret and store it securely with correct permissions
- Create docker-entrypoint.sh for a container that requires env vars but lacks _FILE support
FAQ
No. The skill redacts secret values and only reports presence, metadata, and remediation steps.
What file modes and ownership are required?
The ./secrets directory must be mode 700, individual secret files mode 600, and files should not be owned by root.
6 skills
This skill helps securely manage Docker secrets for GitLab stacks by enforcing proper storage, integration, and validation to prevent leaks.
This skill generates and validates Pangolin Newt blueprint configurations in YAML or Docker labels to streamline resource setup.
This skill validates Dockerfiles and Compose files for correctness, security, and best-practice compliance, guiding fixes and CI/CD integration.
This skill validates GitLab stack projects before deployment, ensuring proper structure, secrets handling, and Docker best practices for readiness.
This skill generates and validates GitLab stack service configurations from .env into ./config with strict structure and secrets safety.
This skill generates accessible, responsive HTML/JS web designs from descriptions, with automated verification and optional framework support.