AS-301c · Module 3
Secrets in CI/CD Pipelines
3 min read
CI/CD pipelines are one of the most common places where secrets management breaks down. Build pipelines need credentials to deploy agents, run tests against live services, and push artifacts to registries. These credentials are often stored as pipeline variables — which are effectively environment variables with a friendlier UI. They do not rotate automatically. They are often shared across pipelines. And they are accessible to anyone with pipeline configuration access.
- Vault-Integrated Pipelines: Configure your CI/CD system to authenticate to the vault at pipeline start, retrieve the needed credentials, and use them for the duration of the pipeline run. The credentials are never stored in pipeline configuration. They exist only in the pipeline execution environment and are discarded when the pipeline completes.
- Pipeline Identity: Each pipeline authenticates to the vault with its own identity — a service account or workload identity specific to that pipeline. The vault policy for the pipeline identity grants access to only the secrets that pipeline needs. A build pipeline gets read access to the artifact registry credential. A deploy pipeline gets access to the production credentials. Neither gets both.
- Secret Scanning in Pipelines: Run secret detection on every code change that enters the pipeline. If a developer accidentally commits a credential, the pipeline catches it before it reaches the repository. Block the merge. Alert the developer. Rotate the exposed credential. This is the last line of defense against secret sprawl re-emerging in your codebase.
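The pre-merge scan described in the last item, as an added example that is not part of this module or any course tooling: a small Python scanner run over a constructed unified diff. It checks only added lines, filters the noisy assignment rule with a placeholder list and an entropy threshold, and reports rule and line number rather than the value so the CI log does not become the next leak. The rule set, thresholds and sample diff are assumptions made for the example.

```python
import math
import re

RULES = [  # group 1 captures the candidate secret value
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("credential-assignment", re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})")),
]
# Documentation placeholders that the credential-assignment rule must not flag.
PLACEHOLDER = re.compile(r"(?i)^(?:<.*>|\$\{.*\}|\{\{.*\}\}|x+|example.*|changeme.*|redacted)$")

def shannon_entropy(s):
    """Bits per character: random credentials score well above English words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_real(rule, value, min_entropy=3.0):
    """The assignment rule is noisy, so its matches also pass a placeholder and entropy check."""
    return rule != "credential-assignment" or (
        not PLACEHOLDER.match(value) and shannon_entropy(value) >= min_entropy)

def scan_diff(diff_text):
    """Return (new-file line number, rule name) per secret on an ADDED line; the value itself is
    deliberately not returned, so a finding can go to CI logs without re-leaking the credential."""
    findings, line_no = [], 0
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):                                 # "@@ -a,b +c,d @@": c = first new-file line
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+") and not raw.startswith("+++"):  # added line: the only kind entering the repo
            line_no += 1
            findings += [(line_no, name) for name, pat in RULES
                         for m in pat.finditer(raw[1:]) if looks_real(name, m.group(1))]
        elif raw.startswith(" "):                                # unchanged context line advances numbering
            line_no += 1
        # removed lines ("-"), file headers and "diff --git"/"index" metadata fall through untouched
    return findings                                              # non-empty => fail the job and block the merge

# Constructed sample diff; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID, not a live one.
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "example-api-key-value-0"
+DB_PASSWORD = "q7Gv2pL9xR4mZ8tYw3bN"
-OLD_TOKEN = "removed-lines-are-not-scanned"
+SSH_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----"
 LOG_LEVEL = "info"
"""
```

A non-empty result is the signal to fail the job; the flagged credential still needs rotating, because it already exists in the developer's local history.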