Scaling secure development to a team


TLDR: Onboarding: a new dev joins Infisical, gets project access, runs infisical init, done. Offboarding: disable the account, then rotate every secret they accessed. Use RBAC: juniors get dev only. Enforce the AI sandbox policy in CONTRIBUTING.md. Use machine identities with OIDC for CI/CD.


The workflow from this series is built for solo developers. Here is what changes for teams.

Onboarding

  1. New dev creates Infisical account, joins organization.
  2. Grant access to projects and environments (dev/staging only, not production on day one).
  3. Clone repo, infisical login, infisical init, done.
  4. .env.example shows required variables. Infisical provides values.

No passwords in Slack. No .env files over email.

Offboarding

Disable their Infisical account. They lose API access. But secrets already fetched remain on their machine.

Rotate everything they accessed. Infisical audit log shows exactly which secrets they touched.

Terminal window
infisical secrets set DB_PASSWORD=new-value --env=staging
infisical run --env=staging -- docker compose restart api
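The audit log tells you which secrets to rotate, but reading it by hand does not scale past a handful of entries. The script below is an added example, not code from the post or from Infisical: it takes newline-delimited audit-log entries, keeps the ones where the departing user read a value, de-duplicates them per project and environment, and renders one infisical secrets set command per key with a placeholder value. The record shape (actor, event, project, environment, secretKey) and the event names are constructed assumptions; map them to the fields of your real audit-log export before use.

```python
"""Added example (not part of the original post): build a rotation plan for a
departing user from Infisical-style audit-log entries.

The record shape and event names below are assumptions for illustration, not
the real Infisical export format; adapt the field names to your export.
"""
import json
from collections import defaultdict

# Constructed sample export (newline-delimited JSON). Values are made up.
SAMPLE_AUDIT_LOG = """
{"actor": "alice@example.com", "event": "get-secret", "project": "api", "environment": "staging", "secretKey": "DB_PASSWORD"}
{"actor": "alice@example.com", "event": "get-secrets", "project": "api", "environment": "dev", "secretKey": "DB_PASSWORD"}
{"actor": "alice@example.com", "event": "get-secrets", "project": "api", "environment": "dev", "secretKey": "STRIPE_KEY"}
{"actor": "bob@example.com", "event": "get-secret", "project": "api", "environment": "production", "secretKey": "DB_PASSWORD"}
{"actor": "alice@example.com", "event": "update-secret", "project": "api", "environment": "staging", "secretKey": "DB_PASSWORD"}
{"actor": "alice@example.com", "event": "get-secret", "project": "api", "environment": "staging", "secretKey": "DB_PASSWORD"}
"""

# Events after which the plaintext value was on the user's machine (assumed names).
# A user who wrote a value also knows it, so update counts as disclosure.
DISCLOSING_EVENTS = {"get-secret", "get-secrets", "update-secret"}


def secrets_to_rotate(log_text, actor):
    """Return {(project, environment): sorted keys} for every secret the actor saw."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("actor") != actor or entry.get("event") not in DISCLOSING_EVENTS:
            continue
        # Repeated reads of the same key collapse into one rotation.
        touched[(entry["project"], entry["environment"])].add(entry["secretKey"])
    return {scope: sorted(keys) for scope, keys in touched.items()}


def rotation_commands(plan):
    """Render one `infisical secrets set` per key per environment.

    The value is left as a placeholder on purpose: new values come from the
    upstream system (database, payment provider), never from this script.
    """
    cmds = []
    for (project, env), keys in sorted(plan.items()):
        for key in keys:
            cmds.append(f"infisical secrets set {key}=<NEW-VALUE> --env={env}  # project: {project}")
    return cmds


if __name__ == "__main__":
    for cmd in rotation_commands(secrets_to_rotate(SAMPLE_AUDIT_LOG, "alice@example.com")):
        print(cmd)
```

After rotating, restart the services that consumed the old values, as in the docker compose line above; a rotated secret that a running container still holds in memory is not rotated yet.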

RBAC

Infisical RBAC on paid tiers:

| Role            | Dev        | Staging    | Production |
|-----------------|------------|------------|------------|
| Junior          | Read/Write | None       | None       |
| Senior          | Read/Write | Read/Write | Read-only  |
| DevOps          | Read/Write | Read/Write | Read/Write |
| CI/CD identity  | Read-only  | Read-only  | Read-only  |

Production write access should go through Terraform or CI/CD, not humans.

Schema enforcement

Validate .env.example completeness in CI:

scripts/validate-secrets.sh
#!/bin/bash
# Usage: scripts/validate-secrets.sh <env>   (e.g. staging)
# Exits 1 if any key listed in .env.example has no value in that Infisical environment.
ENV="${1:?usage: $0 <env>}"
MISSING=0
# "|| [[ -n "$line" ]]" keeps the last line even when the file has no trailing newline.
while IFS= read -r line || [[ -n "$line" ]]; do
  [[ "$line" =~ ^[[:space:]]*(#|$) ]] && continue   # skip comments and blank lines
  KEY="${line#export }"                              # tolerate "export KEY=value"
  KEY="${KEY%%=*}"                                   # keep only the part before the first '='
  KEY="${KEY//[[:space:]]/}"                         # drop stray whitespace around the key
  VALUE=$(infisical secrets get "$KEY" --env="$ENV" --plain --silent 2>/dev/null)
  if [ -z "$VALUE" ]; then echo "MISSING: $KEY"; MISSING=1; fi
done < .env.example
exit $MISSING
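The shell check above does one CLI call per key. For a repo with many variables, or when you also want to catch secrets that exist in Infisical but are no longer documented in .env.example, it helps to parse the example file once and diff it against the environment's key list. The example below is added here and is not code from the post or from Infisical: it parses the .env.example format (comments, blank lines, an optional export prefix, quoted values, a missing trailing newline) and reports both missing and undocumented keys. The environment's values are a constructed dictionary; in CI you would fill it from an infisical secrets listing, which is an assumption about your pipeline, not something the post specifies.

```python
"""Added example (not part of the original post): diff .env.example against
the keys present in an environment. The sample inputs are constructed.
"""
import re
import sys

# KEY=..., optionally prefixed with "export", with optional whitespace around the key.
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=')

# Constructed .env.example body. Note the trailing line has no newline after it.
SAMPLE_ENV_EXAMPLE = """# Database
DB_PASSWORD=
export DB_HOST=localhost
STRIPE_KEY="sk_test_placeholder"   # trailing comment

# Prose lines without '=' are ignored rather than failing the build
this line has no equals sign
SENTRY_DSN="""

# Constructed stand-in for "key -> value" as fetched from the staging environment.
# An empty string models a key that exists but was never given a value.
SAMPLE_STAGING_VALUES = {
    "DB_PASSWORD": "s3cret-constructed",
    "DB_HOST": "db.staging.internal",
    "STRIPE_KEY": "",
    "LEGACY_TOKEN": "left-over-value",
}


def required_keys(text):
    """Return the ordered, de-duplicated variable names declared in a .env.example body."""
    keys, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue
        key = match.group(1)
        if key not in seen:       # a key declared twice is one requirement
            seen.add(key)
            keys.append(key)
    return keys


def diff_keys(required, present):
    """Return (missing, undocumented).

    missing: required keys that are absent or empty in the environment, in file order.
    undocumented: keys in the environment that .env.example does not mention.
    """
    missing = [k for k in required if not present.get(k)]
    undocumented = sorted(k for k in present if k not in required)
    return missing, undocumented


if __name__ == "__main__":
    missing, undocumented = diff_keys(required_keys(SAMPLE_ENV_EXAMPLE), SAMPLE_STAGING_VALUES)
    for key in missing:
        print(f"MISSING: {key}")
    for key in undocumented:
        print(f"UNDOCUMENTED: {key}")   # warn only; a stale key is not a deploy blocker
    sys.exit(1 if missing else 0)
```

Missing keys fail the job, matching the shell script's behaviour; undocumented keys are reported but do not fail it, since a leftover secret is a clean-up item rather than a broken deploy. Promote it to a failure once the list is clean.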

AI sandbox policy

Add to CONTRIBUTING.md:

## AI Agent Policy
All AI coding agents MUST run in sbx sandboxes, zerobox, or nono.
Running AI agents on the host with access to env vars is not allowed.

CI/CD machine identities

Use OIDC auth for GitHub Actions. No static tokens:

jobs:
  deploy:
    # Listing permissions explicitly drops every other scope to none,
    # so contents: read is needed for actions/checkout on a private repo.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: |
          export INFISICAL_TOKEN=$(infisical login \
            --method=oidc-auth \
            --identity-id=${{ vars.INFISICAL_IDENTITY_ID }} \
            --plain --silent)
          infisical run --env=production -- ./scripts/deploy.sh

Secret sharing

For one-time sharing, Infisical has a secret sharing feature with encrypted, expiring links.

When to self-host

Consider self-hosting when regulations require secrets to stay on your infrastructure, or you need air-gapped environments. The workflow does not change; only infisical login points to your instance.