How do you and your team manage secrets day to day?
I used to work at a startup. In that company we were regularly switching between environments, connecting to different APIs and databases. We were constantly juggling .env files, storing them on our laptops and sharing them on Slack. At some point I lost a set of credentials for a (richly filled) test database I created. I guess I deleted it when cleaning up the workspace, unaware I hadn't stored it anywhere else. That was the moment I started looking for a better way to manage secrets. To be honest, the more I look, the less I understand what the actual default is in 2026.
The GitGuardian report that came out recently says 29 million secrets leaked on GitHub in 2025, so it looks like I'm not the only one who is still figuring this out. At least my .env files were in .gitignore.
So I'm just curious: how do you/your team actually handle this in practice? Are you running Vault, Doppler, something locally, a folder of .env files that nobody talks about, a 1Password vault that everyone shares, something else entirely? What works, what doesn't, and what do you wish was different?