Ksolves Eliminated 4,000+ Hard-Coded Secrets for a US Fintech in 90 Days with HashiCorp Vault
For any fintech that has spent months closing enterprise deals, a failed SOC 2 readiness audit does not just delay a contract. It puts every deal already in the pipeline at risk and signals to prospects that the platform they were about to trust with financial data may not be ready.
That is exactly what happened to a US-based fintech that had just closed a Series B and was onboarding enterprise clients with contractual SOC 2 Type II requirements. Auditors found database passwords in config files, API keys in GitLab CI variables, and credentials scattered across 60+ microservices with no rotation policy, no audit trail, and no detection mechanism in place. The inventory came back with over 4,000 hard-coded credentials and a 90-day window to remediate before the follow-up audit.
Ksolves delivered a production-grade HashiCorp Vault cluster with Raft HA, migrated every credential behind least-privilege policies, and wired AppRole authentication into every GitLab CI pipeline, eliminating all hard-coded secrets, cutting secret-related incidents to zero, and clearing the SOC 2 audit on the next attempt.
- 4,000+ Hard-Coded Credentials Across 60+ Microservices: A full secrets inventory revealed over 4,000 hard-coded credentials scattered across application config files, GitLab CI variables, Kubernetes Secrets, Terraform state, Docker Compose files, and developer laptops, with no single owner, no expiry policy, and no mechanism to detect or rotate compromised credentials.
- SOC 2 Audit Failed on CC6.1 and CC6.6: The readiness assessment identified critical failures against CC6.1 (logical access controls) and CC6.6 (restriction of access to protected data). Hard-coded credentials in source repositories and CI systems were cited as the primary evidence of control failure, blocking the company from meeting enterprise customer contractual requirements.
- No Secret Rotation or Expiry Policy: In many services, database passwords and API keys had never been rotated since initial deployment. Several credentials were years old with no documented rotation schedule, making it impossible to demonstrate controlled access or to limit the blast radius of a credential compromise.
- Credential Leak Risk from GitLab CI Variables: API keys and database passwords stored as GitLab CI environment variables were accessible to anyone with Developer-level repository access, were printed in job logs, and were shared across pipelines with no service-level isolation, violating least privilege across the entire CI estate.
- No Audit Trail for Secret Access Events: No system recorded which service accessed which credential, when, or from which environment. In the event of a credential compromise, the organisation had no mechanism to determine the scope of exposure or provide evidence to auditors of controlled access.
- No Credential Detection in Git or CI: No pre-commit hooks, CI scanning gates, or repository scanning tools were in place. Multiple historical credential leaks in private repositories had gone undetected, with some credentials still active at the time of the audit.
Ksolves delivered a production-grade HashiCorp Vault cluster with Raft HA as the centralised secrets management plane for all 60+ microservices. The migration followed three phases: inventory and classification of all existing credentials, centralisation into Vault with least-privilege HCL policies scoped per service, and CI/CD integration via AppRole authentication in every GitLab CI pipeline. The entire cluster and policy configuration were provisioned as code using Terraform, making the secrets infrastructure fully reproducible and auditable.
- HashiCorp Vault Raft HA Cluster via Terraform: A three-node Vault cluster using the integrated Raft storage backend was provisioned entirely via Terraform, eliminating external storage dependencies, providing automatic leader election and failover, and ensuring the secrets infrastructure was versioned, reproducible, and audit-ready from day one. The cluster was deployed with TLS mutual authentication, audit logging enabled at bootstrap, and auto-unseal configured for operational resilience.
- Full Secrets Inventory and Migration in 30 Days: All 4,000+ credentials across GitLab CI variables, application config files, Kubernetes Secrets, and Terraform state were inventoried, classified by type, mapped to their consuming service, and migrated into Vault under a service-scoped KV v2 namespace. Hard-coded values were removed from the source code and replaced with Vault Agent or direct API lookups before any service was redeployed.
- Least-Privilege HCL Policies Per Service: A dedicated Vault policy was written in HCL for every microservice, granting read access only to the specific secret paths that the service legitimately required. No service could read another service's credentials, no policy granted wildcard access, and all policy changes were reviewed through the same GitLab merge-request workflow used for application code.
- AppRole Authentication in Every GitLab CI Pipeline: GitLab CI pipelines were refactored to authenticate to Vault using AppRole, with the RoleID stored as a non-sensitive CI variable and the SecretID fetched at job runtime from a Vault-protected endpoint. Each pipeline job receives a short-lived token bound to its service policy, injects the required secrets as ephemeral environment variables for the duration of the job, and revokes the token automatically on job completion. No long-lived credentials exist in any CI configuration.
- Dynamic Database Credentials via Vault Database Secret Engine: For all PostgreSQL and MySQL database connections, the Vault Database Secret Engine was enabled to issue dynamic, short-lived credentials with a 1-hour TTL generated on demand per service. No static database password exists anywhere in the system.
- Gitleaks Pre-Commit and CI Gate: Gitleaks was deployed as a mandatory pre-commit hook across all 60+ repositories and as a blocking gate in every GitLab CI pipeline, scanning every commit and PR for credential patterns before they can reach any branch. Historical repository scans were run to identify and rotate any credentials already in Git history.
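The Vault-side configuration that the components above rely on (audit device, a per-service least-privilege HCL policy, an AppRole role with single-use SecretIDs and short token TTLs, and a database secret engine role issuing 1-hour credentials) can be expressed as a single Terraform module. The block below is an added example written for this page, not Ksolves' or the client's code; it assumes a running Vault cluster reachable through the standard `VAULT_ADDR`/`VAULT_TOKEN` provider settings, and the service name `payments-api`, the PostgreSQL host `payments-db.internal`, and the two `pg_admin_*` variables are assumed placeholders.

```hcl
# Added example: Vault configuration as code for one service (payments-api).
# Assumes VAULT_ADDR and VAULT_TOKEN are set for the provider; all names are placeholders.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {}

# Bootstrap DB credential used only by Vault to mint dynamic users; rotate it
# with `vault write -f database/rotate-root/payments-pg` once this is applied.
variable "pg_admin_user" {
  type = string
}

variable "pg_admin_password" {
  type      = string
  sensitive = true
}

# Audit device: every request and response is recorded (with secret values
# HMAC'd) to give auditors a complete trail of who read which path and when.
resource "vault_audit" "file" {
  type = "file"
  options = {
    file_path = "/var/log/vault/audit.log"
  }
}

# KV v2 mount for static secrets, laid out as secret/<service>/<name>.
resource "vault_mount" "kv" {
  path    = "secret"
  type    = "kv"
  options = { version = "2" }
}

# Least-privilege policy: the service can read only its own KV subtree and
# its own dynamic database role. No cross-service paths, no wildcard roots.
resource "vault_policy" "payments_api" {
  name   = "payments-api"
  policy = <<-EOT
    path "secret/data/payments-api/*" {
      capabilities = ["read"]
    }
    path "secret/metadata/payments-api/*" {
      capabilities = ["list"]
    }
    path "database/creds/payments-api" {
      capabilities = ["read"]
    }
  EOT
}

# AppRole auth method used by GitLab CI jobs.
resource "vault_auth_backend" "approle" {
  type = "approle"
}

# One role per service pipeline. The RoleID can live in a plain CI variable;
# each SecretID is usable once within 10 minutes, and the resulting token
# carries only the service policy and expires after 30 minutes.
resource "vault_approle_auth_backend_role" "payments_api_ci" {
  backend            = vault_auth_backend.approle.path
  role_name          = "payments-api-ci"
  token_policies     = [vault_policy.payments_api.name]
  secret_id_ttl      = 600
  secret_id_num_uses = 1
  token_ttl          = 1800
  token_max_ttl      = 1800
}

# Database secret engine: Vault creates a unique PostgreSQL role per request
# and drops it when the 1-hour lease expires, so no static password exists.
resource "vault_mount" "database" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "payments_pg" {
  backend       = vault_mount.database.path
  name          = "payments-pg"
  allowed_roles = ["payments-api"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@payments-db.internal:5432/payments?sslmode=require"
    username       = var.pg_admin_user
    password       = var.pg_admin_password
  }
}

resource "vault_database_secret_backend_role" "payments_api" {
  backend     = vault_mount.database.path
  name        = "payments-api"
  db_name     = vault_database_secret_backend_connection.payments_pg.name
  default_ttl = 3600
  max_ttl     = 3600
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
```

In a GitLab CI job built on this configuration, the pipeline holds only the RoleID; a trusted step (a Vault Agent or a narrowly permitted CI-runner identity) generates a fresh SecretID against `auth/approle/role/payments-api-ci/secret-id`, the job logs in with `vault write auth/approle/login role_id=... secret_id=...`, reads `secret/data/payments-api/...` and `database/creds/payments-api` into environment variables, and finishes with `vault token revoke -self`. Because `secret_id_num_uses` is 1 and the token TTL is bounded, a SecretID or token that leaks into a job log is either already consumed or expires within minutes, and every read appears in the audit log under the `payments-api-ci` role.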
Technology Stack
| Category | Technology |
|---|---|
| Secrets Management | HashiCorp Vault (Raft HA) |
| Infrastructure as Code | Terraform |
| CI/CD Authentication | AppRole, GitLab CI |
| Dynamic Secrets | Vault Database Secret Engine |
| Credential Scanning | Gitleaks |
| Compliance Evidence | Vault Audit Logging |
- 4,000+ Hard-Coded Credentials Eliminated in 90 Days: Every credential across all 60+ microservices is now managed exclusively in Vault. Zero hard-coded secrets remain in any repository, CI configuration, or application config file across the entire estate.
- SOC 2 Type II Passed on the Next Attempt: Vault's least-privilege policy model and tamper-proof audit logging provided the evidence required to satisfy CC6.1 and CC6.6 controls. The company passed its SOC 2 Type II audit on the follow-up assessment within the 90-day remediation window.
- Zero Secret-Related Incidents Post-Rollout: Gitleaks pre-commit gates and AppRole CI integration eliminated credential exposure vectors across all 60+ repositories. Zero secret-related security incidents occurred in the three months following the Vault rollout.
- Static Database Passwords Eliminated: Vault Database Secret Engine issues unique, 1-hour TTL credentials per service on every connection. No static database password exists anywhere in the system, removing an entire category of credential risk.
- Complete Secret Access Audit Trail Established: Vault audit logging captures every secret read, token issuance, and policy evaluation, providing a complete, tamper-proof access trail that satisfies SOC 2 evidence requirements and supports incident response investigations.
- GitLab CI Pipelines Decoupled from Long-Lived Credentials: AppRole authentication issues short-lived, auto-revoked tokens scoped to the minimum required policy for every pipeline job. No long-lived credential exists in any CI configuration across the entire estate.
“We went into the follow-up SOC 2 audit with zero hard-coded secrets anywhere in our estate and a complete audit trail for every credential access. The auditors had never seen a remediation turn around that cleanly in 90 days.”
– CISO, US Fintech Company
Ksolves delivers HashiCorp Vault implementation and DevSecOps consulting services for fintech and financial services companies that need to remediate secrets management failures, meet SOC 2 requirements, and establish a scalable, auditable credential infrastructure.
Before this engagement, the company was carrying 4,000+ unrotated credentials across its entire engineering estate, with no audit trail, no rotation policy, and a failed SOC 2 audit, which was blocking enterprise contracts. After Ksolves delivered the HashiCorp Vault implementation, every credential is centralised, every access is logged, and the company passed its SOC 2 Type II audit within the 90-day remediation window.
The Vault implementation establishes a scalable secrets management foundation that grows with the engineering organisation. New services inherit Vault integration and least-privilege policies through the Terraform module library, ensuring the secrets estate never returns to uncontrolled credential sprawl.
The Right Secrets Management Foundation Makes SOC 2 Compliance A Default, Not A Remediation Project.