by staofbur 3265 days ago
It's perfectly reasonable to put your credentials and configuration into a VCS if any secrets are in ansible vault or something similar.

I reckon they either stuffed it all in as plain text or someone got hold of their source code and found a stupid hole in it and just read the database file off the front end somewhere. It's not unusual for the unclued to stick a database dump on a front-facing web server with a "secret URL" and just pull that down with curl or something.


It's really never reasonable. Even if your VCS is already secure, inserting credentials means bringing it up to spec with actual credential storage policy, even if that means inconvenience to the developers - and if it's not inconvenient, your policy is probably too lax in the first place. There should be a total separation of concern between your code and user credentials.
Ansible vault, separate repository to the code and you're fine. You're up shit creek if you lose your code too unless you're 100% perfect so there is no distinction in policy.

Hell, if you're using vault you might as well chuck the config in with the code. The vault key distribution is what needs to be controlled.

There is a real difference in company impact between leaking your code and your credentials. If your code and credential policies are the same, your company has a serious problem of priorities, since it's either not protecting credentials enough, or it's slowing down developers too much.
The trick is to make sure that if the credentials do leak they are useless.
I have never seen a company that didn't store some credentials in their VCS.
To the point where you see weekly TIFU /r/cscareerquestions posts on a junior using training material and then accidentally trashing the production db.
That doesn't happen because you don't let them have the credential vault keys. In fact no humans get them; just the build and deployment pipeline.
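As an added example that is not from any commenter in this thread: a pre-commit style check of the kind the thread argues for, which allows committed files that are whole-file ansible-vault blobs or use inline `!vault` values, and rejects credential-looking keys with plaintext values. The file paths and contents are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Every ansible-vault payload starts with this header (format 1.1, or 1.2 with a vault id).
VAULT_HEADER = re.compile(r"^\s*\$ANSIBLE_VAULT;1\.[12];AES256(;[\w-]+)?\s*$")

# YAML keys whose plaintext values almost always mean a leaked credential.
SECRET_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*(password|passwd|secret|token|api_key|private_key)[\w.-]*)"
    r"\s*:\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)

def is_vault_file(text: str) -> bool:
    """True if the whole file is one ansible-vault blob (first line is the header)."""
    first = text.lstrip().split("\n", 1)[0]
    return bool(VAULT_HEADER.match(first))

def find_plaintext_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for credential keys whose value is not a vault payload."""
    findings = []
    lines = text.split("\n")
    for i, line in enumerate(lines, 1):
        m = SECRET_KEY.match(line)
        if not m:
            continue
        value = m.group("value").strip("\"'")
        if value.startswith("{{"):
            continue  # Jinja reference such as lookup('env', ...), not a literal secret
        if value.startswith("!vault"):
            # An inline vault value is "!vault |" followed by an indented header line.
            nxt = lines[i] if i < len(lines) else ""
            if VAULT_HEADER.match(nxt):
                continue
        findings.append((i, m.group("key")))
    return findings

def check_repo(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each offending path to its plaintext findings; vault-encrypted files are skipped."""
    report = {}
    for path, text in files.items():
        if is_vault_file(text):
            continue
        hits = find_plaintext_secrets(text)
        if hits:
            report[path] = hits
    return report

# Constructed sample repository contents (hex bodies are dummies, not real vault output).
SAMPLE_FILES = {
    "group_vars/prod/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n",
    "group_vars/prod/vars.yml": "db_user: app\ndb_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  3031323334\n",
    "group_vars/staging/vars.yml": "db_user: app\ndb_password: hunter2\napi_token: abc123\n",
}
```

Wired into a pre-commit hook or CI step, a non-empty report from `check_repo` is the signal to reject the commit; the vault key itself stays out of the repository and with the deployment pipeline, as the last comment describes.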