- TechOps Examples
- Posts
- How to Manage Secrets in CI/CD Pipelines
How to Manage Secrets in CI/CD Pipelines
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.
👋 Before we begin... a big thank you to today's sponsor AI TOOL REPORT
Learn AI in 5 Minutes a Day
AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.
Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.
IN TODAY'S EDITION
🧠 Use Case
How to Manage Secrets in CI/CD Pipelines
🚀 Top News
👀 Remote Jobs
Syndica is hiring a Site Reliability Engineer
Remote Location: Worldwide
Parity Technologies is hiring a DevOps/SRE Manager
Remote Location: Worldwide
📚️ Resources
🧠 USE CASE
How to Manage Secrets in CI/CD Pipelines
Imagine your CI/CD pipeline is compromised.
What do you want the attacker to see?
echo $TECHOPS_API_KEY
********
OR
echo $TECHOPS_API_KEY
lousy_apikey_get_in
Definitely, everyone picks the first choice (in a very true sense)
But when you read about incidents like the Codecov breach that exposed secrets from environment variables in 1000s of enterprise pipelines, we come to terms with the fact that, despite good intentions, this can happen to anyone.
Every engineer using CI/CD, regardless of their role, should read through and understand the OWASP’s TOP 10 CI/CD Security Risks report - this knowledge can solidify your SecOps expertise.
A point worth noting here, Secrets/Credentials handling cuts through other major risks.
Actionable Insights to Improve Secrets Management Adoption
1. 12-Factor App Config Principle
Make up the mindset from the Twelve-Factor App manifesto that configurations and secrets belong in environment variables. This practice keeps them easy to update between deployments and ensures your application remains clean and portable.
2. Never Store Secrets in Plain Text
Whether in your code, config files, or CI/CD pipeline definitions. If you can easily read it, so can anyone who gets access.
Sure, you can define secrets directly in GitHub Actions variables within the workflow YAML, but just because you can doesn’t mean you should.
3. Use Encrypted Secrets
Stop passing secrets directly in pipeline scripts. Instead, use encrypted secrets offered by CI tools like GitHub. It securely encrypts secrets in the repository and ensures they’re not exposed to runners during job execution.This is a no-brainer and takes minutes to set up.
4. Regularly Rotate Secrets
Change your secrets often. It's one of the easiest ways to keep them secure and prevent misuse.
5. Give Least Privilege Access
Only grant access to users and roles that need it. The less exposure, the safer your secrets.
6. Centralize Secrets Management
Some popular tools include:
AWS Secrets Manager
HashiCorp Vault
Azure KeyVault
Google Cloud Secret Manager
Docker Secrets
Personally, I’d go with HashiCorp Vault because:
It works great across cloud and hybrid setups.
It creates dynamic secrets that expire automatically.
You can control exactly who gets access to what.
It comes with cool extras like secret leasing and audit logs.
Check out these guides to level up your secrets management with Vault:
Retrieving CI/CD Secrets from Vault
Step-by-step guide on securely fetching secrets from Vault in your CI/CD pipelines.
Automate workflows with Vault GitHub Actions
Learn how to set up Vault with GitHub Actions for seamless secrets management.
I spent 10,000 hours studying the top 100 Kubernetes implementations on the planet and here’s what I learned.
Like you, I get sick of reading posts with these kinds of hyper hooks for likes farming.
To make it straight.
You learn by doing.
You learn by experimenting.
You… x.com/i/web/status/1…— Govardhana Miriyala Kannaiah (@govardhana_mk)
7:23 AM • Dec 9, 2024
You may even like: