
Practice: Secrets Management in Pipelines

Purpose and Strategic Importance

Secrets Management in Pipelines ensures that sensitive credentials, API keys, tokens, and certificates are handled securely during CI/CD processes. Poor secret hygiene can lead to data breaches, unauthorised access, and compliance failures.

By managing secrets properly, teams reduce risk, support compliance, and ensure that automated delivery remains safe and auditable. It is a foundational DevSecOps practice that enables speed without compromising security.


Description of the Practice

  • Secrets are never hardcoded into repositories or pipeline definitions.
  • Secure vaults or secret management platforms (e.g. Azure Key Vault, AWS Secrets Manager, HashiCorp Vault) are used to store and retrieve secrets at runtime.
  • Access to secrets is scoped to the minimum required permissions and rotated regularly.
  • Secrets usage is logged, auditable, and protected by policies and automation.
  • Secrets are injected into the pipeline environment securely and temporarily.
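One way to implement the last two points above (logged, auditable usage; temporary injection), as an added example rather than code from this page or from any of the products it names: a Python wrapper that fetches a secret from a store, runs a single pipeline step in a child process whose environment holds only an allow-list of inherited variables plus that one secret, redacts the value from the captured output, and emits an audit record that names the secret but never carries its value. The `InMemorySecretStore` class is a constructed stand-in for a real vault client, and the secret name and value it holds are constructed sample data.

```python
"""Run one pipeline step with a secret injected only into that step's environment.

Added example for this playbook. InMemorySecretStore is a constructed stand-in
for a vault client (assumption); the step itself is a throwaway Python child process.
"""
import json
import os
import subprocess
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone


class InMemorySecretStore:
    """Stand-in for a vault client. A real store authenticates the caller
    (workload identity, short-lived token) before returning anything."""

    def __init__(self, secrets: dict[str, str]):
        self._secrets = dict(secrets)

    def get(self, name: str) -> str:
        if name not in self._secrets:
            raise KeyError(f"secret {name!r} not found or not permitted")
        return self._secrets[name]


# Variables the child may inherit from the runner; everything else is dropped so
# unrelated credentials in the agent's environment never reach the step.
ALLOWED_ENV = ("PATH", "HOME", "LANG", "SYSTEMROOT", "TEMP", "TMP")


def redact_output(text: str, secret_values) -> str:
    """Mask every secret value before output is logged or stored."""
    for v in secret_values:
        if v:
            text = text.replace(v, "[REDACTED]")
    return text


@dataclass
class StepResult:
    returncode: int
    output: str                                 # stdout+stderr, already redacted
    audit: dict = field(default_factory=dict)   # what was used, never the value


def run_step_with_secret(store, secret_name: str, env_var: str, argv: list[str]) -> StepResult:
    """Fetch one secret, expose it to one child process only, log its use."""
    value = store.get(secret_name)
    # Build the child's environment from scratch; os.environ itself is never modified,
    # so the secret does not leak into later steps running in the same agent.
    child_env = {k: os.environ[k] for k in ALLOWED_ENV if k in os.environ}
    child_env[env_var] = value
    proc = subprocess.run(argv, env=child_env, capture_output=True, text=True)
    output = redact_output(proc.stdout + proc.stderr, [value])
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "secret": secret_name,       # which secret was used ...
        "injected_as": env_var,      # ... and how the step saw it
        "argv": argv,
        "returncode": proc.returncode,
    }
    return StepResult(proc.returncode, output, audit)


def demo() -> StepResult:
    """Run a constructed deploy step that prints the token and its environment."""
    store = InMemorySecretStore({"deploy/api-token": "tok-constructed-4f9a7c"})  # constructed
    step = [
        sys.executable, "-c",
        "import os; print('deploying with', os.environ['API_TOKEN']); "
        "print('env seen by step:', sorted(os.environ))",
    ]
    return run_step_with_secret(store, "deploy/api-token", "API_TOKEN", step)


if __name__ == "__main__":
    result = demo()
    print(result.output)               # token appears as [REDACTED]
    print(json.dumps(result.audit))    # safe to ship to the audit log
```

The step output lists the variables the child could see, which makes the allow-list easy to verify in a log: the secret is present for the step and absent from the runner's own environment afterwards, and the audit record can be shipped as-is because it never contains the value.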

How to Practise It (Playbook)

1. Getting Started

  • Identify all secrets currently stored in code, config files, or CI/CD config.
  • Migrate secrets to a managed secret store with access control.
  • Integrate secret retrieval into your pipeline tools using secure plugins or environment variables.
  • Remove secrets from version control and refactor pipelines to reference secure stores.

2. Scaling and Maturing

  • Automate secret rotation using lifecycle policies.
  • Implement just-in-time access to sensitive credentials in pipelines.
  • Apply least privilege principles using scoped service identities or access policies.
  • Use scanning tools to detect accidental secret exposure in commits or logs.
  • Monitor secret usage and access patterns for anomalies.
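The first Getting Started step (identify secrets already sitting in code, config files and CI/CD definitions) and the scanning bullet above (detect accidental exposure in commits or logs) need the same detector. The following is an added example, not a tool this page names or code from the project: a small Python scanner that combines fixed-shape patterns with a Shannon-entropy check for generic long tokens, skips values that merely reference a secret store (the desired state after migration), and reports findings with the value masked. The detector names, regexes, the 4.5 bits/char threshold and the sample lines are all assumptions chosen for illustration.

```python
"""Scan text (source files, a diff hunk, a CI log) for material that looks like a secret.

Added example for this playbook, not a tool the page names. Patterns and the
entropy threshold are illustrative assumptions; tune them for your codebase.
"""
import math
import re
from dataclasses import dataclass

# Detector name -> regex. Group 1 is the candidate secret value.
PATTERNS = {
    # AWS access key IDs have a fixed, well-known shape.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # PEM private key header.
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    # A credential-ish name assigned a literal value: password = "...", token: ...
    "assigned_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Generic long token: flagged only when its entropy is high, so cache keys,
# hostnames and other long-but-structured strings pass.
LONG_TOKEN = re.compile(r"\b[A-Za-z0-9/+_\-]{32,}\b")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumption, tune per repository


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_reference(value: str) -> bool:
    """True for values that point at a secret store instead of containing a secret,
    e.g. ${VAULT_API_TOKEN} or ${{ secrets.API_TOKEN }}. These are the 'after' state."""
    return value.startswith("$") or "{{" in value


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be traced, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str


def scan(text: str) -> list[Finding]:
    """Return one Finding per suspicious match; values are never stored in clear."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if is_reference(value):
                    continue
                findings.append(Finding(line_no, kind, redact(value)))
                hit = True
        if hit:
            continue  # do not report the same value again via the entropy detector
        for m in LONG_TOKEN.finditer(line):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_token", redact(m.group(0))))
    return findings


# Constructed sample: config lines before and after migration, plus one CI log line.
SAMPLE = """\
database_password = "hunter2hunter2"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_token: ${VAULT_API_TOKEN}
cache_key = linux-x86_64-build-cache-v2-release
-----BEGIN RSA PRIVATE KEY-----
2024-01-01T00:00:00Z GET /v1/items Authorization: Bearer 9f3Kq2Lm8Zx1Vb7Nc4Rt6Yw0Pa5Sd2Fg
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

Run over the sample, the scanner flags the literal password, the access key ID, the PEM header and the bearer token in the log line, while the `${VAULT_API_TOKEN}` reference and the long but low-entropy cache key pass. The same `scan` function can be pointed at `git diff` output in a pre-commit hook or at captured job logs; the reporting side only ever sees the masked value.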

3. Team Behaviours to Encourage

  • Treat secret handling as part of secure coding practices.
  • Review and approve changes to secret usage and access scopes.
  • Train engineers on proper secret hygiene and rotate shared secrets regularly.
  • Validate all new pipeline templates for secure secret handling.

4. Watch Out For…

  • Storing secrets in plain text or exposed environment variables.
  • Overly permissive access policies across teams or systems.
  • Inconsistent secret usage across environments (dev vs. prod).
  • Manual steps in secret management that don’t scale or introduce drift.

5. Signals of Success

  • No secrets exist in version control or shared documents.
  • Pipelines retrieve secrets securely at runtime, with no manual intervention.
  • Secret rotation is automated and auditable.
  • Access to secrets is scoped, reviewed, and monitored.
  • Engineers treat secrets as code - with the same discipline and scrutiny.

Associated Standards

  • Access is continuously verified and contextual
  • Credentials are short-lived and auditable
  • Security is considered from the start
  • Sensitive data and credentials are managed securely
  • Teams understand the threat models relevant to their domain
