Define and configure secrets storage

Secrets, e.g. API keys, access tokens and passwords, are never to be committed to git.

  • use service accounts
  • designate a system for secrets storage (e.g. GitLab Variables)
  • production secrets are not to be used in testing/staging environments
  • develop a process to set secrets at deployment time
  • document secrets management and the local development process
  • add a pre-commit hook to detect secrets, e.g. GitGuardian
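As an added example, not part of the original checklist and not GitGuardian's code, the script below is a minimal pre-commit hook in Python for the last point: it scans the lines a commit would add for credential shapes (AWS access key ids, private key blocks, GitHub tokens) and for high-entropy values assigned to secret-looking names, and exits non-zero so git refuses the commit. The pattern set, the entropy threshold and the sample values in the comments are my own assumptions; a dedicated scanner such as GitGuardian covers far more formats.

```python
#!/usr/bin/env python3
"""Pre-commit hook that blocks commits containing likely secrets.

Added example (not the project's own hook). Install by copying this file to
.git/hooks/pre-commit and marking it executable. It scans the staged diff for
added lines that match known credential shapes, or that assign a high-entropy
value to a secret-looking variable name, and rejects the commit if any are found.
"""
import math
import re
import subprocess
import sys

# Credential formats with a fixed, recognisable shape (assumed pattern set).
SHAPE_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# Assignment of a literal to a secret-looking name, e.g. api_key = "...", token: '...'
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-=]{16,})"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_secrets(lines, entropy_threshold=3.5):
    """Return (line_index, reason, line) for each line that looks like a secret.

    line_index is 1-based within the given list (for the hook, the staged diff),
    not a file line number. entropy_threshold of 3.5 bits is an assumed cut-off:
    "hunter2hunter2hunter2" scores ~2.8, a 24-character random token ~4.6.
    """
    findings = []
    for idx, line in enumerate(lines, 1):
        for name, pat in SHAPE_PATTERNS.items():
            if pat.search(line):
                findings.append((idx, name, line))
                break
        else:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((idx, "high-entropy value assigned to %s" % m.group(1), line))
    return findings


def staged_added_lines():
    """Lines the staged changes would add (the content this commit introduces)."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    # Keep '+' content lines, drop the '+++ b/file' headers.
    return [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]


def main():
    findings = find_secrets(staged_added_lines())
    for _, reason, line in findings:
        # Print a truncated copy so the hook itself does not echo the full value.
        print(f"possible secret ({reason}): {line.strip()[:40]}...", file=sys.stderr)
    if findings:
        print("commit blocked: move the value to the secrets store and reference it by name",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A hook like this only catches what its patterns describe, so it complements rather than replaces the other items on the list: secrets that never exist in the working tree (set at deployment time from the designated store) cannot be committed by mistake in the first place.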

Edited by Janna