How to Manage Secrets in CI/CD Pipelines

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.

👋 Before we begin... a big thank you to today's sponsor AI TOOL REPORT

Learn AI in 5 Minutes a Day

AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.

Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.

IN TODAY'S EDITION

🧠 Use Case

  • How to Manage Secrets in CI/CD Pipelines

🚀 Top News

👀 Remote Jobs

📚️ Resources

🛠️ TOOL OF THE DAY

git-shortcuts -  Useful Git Shortcuts and Autocomplete for Windows Bash Terminal

🧠 USE CASE

How to Manage Secrets in CI/CD Pipelines

Imagine your CI/CD pipeline is compromised.

What do you want the attacker to see?

echo $TECHOPS_API_KEY
********

OR

echo $TECHOPS_API_KEY
lousy_apikey_get_in

Definitely, everyone picks the first choice (in a very true sense)

But when you read about incidents like the Codecov breach that exposed secrets from environment variables in 1000s of enterprise pipelines, we come to terms with the fact that, despite good intentions, this can happen to anyone.

Every engineer using CI/CD, regardless of their role, should read through and understand the OWASP’s TOP 10 CI/CD Security Risks report - this knowledge can solidify your SecOps expertise.

A point worth noting here, Secrets/Credentials handling cuts through other major risks.

Actionable Insights to Improve Secrets Management Adoption

1. 12-Factor App Config Principle

Make up the mindset from the Twelve-Factor App manifesto that configurations and secrets belong in environment variables. This practice keeps them easy to update between deployments and ensures your application remains clean and portable.

2. Never Store Secrets in Plain Text

Whether in your code, config files, or CI/CD pipeline definitions. If you can easily read it, so can anyone who gets access.

Sure, you can define secrets directly in GitHub Actions variables within the workflow YAML, but just because you can doesn’t mean you should.

3. Use Encrypted Secrets

Stop passing secrets directly in pipeline scripts. Instead, use encrypted secrets offered by CI tools like GitHub. It securely encrypts secrets in the repository and ensures they’re not exposed to runners during job execution.This is a no-brainer and takes minutes to set up.

4. Regularly Rotate Secrets

Change your secrets often. It's one of the easiest ways to keep them secure and prevent misuse.

5. Give Least Privilege Access

Only grant access to users and roles that need it. The less exposure, the safer your secrets.

6. Centralize Secrets Management

Some popular tools include:

  1. AWS Secrets Manager

  2. HashiCorp Vault

  3. Azure KeyVault

  4. Google Cloud Secret Manager

  5. Docker Secrets

Personally, I’d go with HashiCorp Vault because:

  • It works great across cloud and hybrid setups.

  • It creates dynamic secrets that expire automatically.

  • You can control exactly who gets access to what.

  • It comes with cool extras like secret leasing and audit logs.

Check out these guides to level up your secrets management with Vault:

Retrieving CI/CD Secrets from Vault
Step-by-step guide on securely fetching secrets from Vault in your CI/CD pipelines.

Automate workflows with Vault GitHub Actions
Learn how to set up Vault with GitHub Actions for seamless secrets management.

You may even like:

Looking to promote your company, product, service, or event to 25,000+ TechOps Professionals? Let's work together.