
How Secrets Leak in CI/CD Pipelines

submitted by
Style Pass
2025-01-17 09:00:05

Continuous integration/deployment (CI/CD) workflows typically require developers to provide valid credentials for the third-party resources their pipeline interacts with. Want to automatically deploy code changes to an EC2 instance? Provide an AWS access key. Want to publish an artifact to NPM? Provide an NPM API key.

Instead of hardcoding cleartext secrets into a Git repository, developers often use CI/CD platforms' built-in functionality to inject secrets at runtime. For example, CircleCI and Travis CI users can configure jobs with pre-set environment variables containing their API keys and passwords. GitHub Actions users can reference a "secrets" workflow object. Some developers go outside the CI/CD platform altogether and use a third-party secrets manager such as HashiCorp Vault or AWS Secrets Manager.

Unlike private repositories, CI/CD pipelines running against open-source projects, like the official Python project, expose their CI/CD job log files publicly. Malicious actors can easily parse the log output and look for exposed secrets. How would secrets leak into the log files? Consider two examples: a --verbose flag passed to curl could print a sensitive request header, or a test script could dump all environment variables. There are countless ways for secrets to leak into CI/CD logs.
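As an added example (not code from the original article), the following redaction pass could be run over job log output before it is published: it masks the exact values a pipeline registered as secrets and then applies heuristic patterns to catch material that was never registered, such as a header dumped by curl --verbose or an environment dump. The log excerpt, secret values and hostnames are constructed for the example, and the patterns are illustrative heuristics rather than any CI platform's own masking implementation.

```python
import re

# Constructed sample CI log excerpt (not from any real pipeline). It shows the two
# leak paths discussed above: a `curl --verbose` request header dump and a test
# script that printed its whole environment.
SAMPLE_LOG = """\
$ curl --verbose -H "Authorization: Bearer ghp_constructedExampleToken0000000000000" https://api.example.invalid/v1
> GET /v1 HTTP/1.1
> Authorization: Bearer ghp_constructedExampleToken0000000000000
$ env
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY=constructedSecretValue/ExampleOnly+0000000000000
NPM_TOKEN=npm_constructedExampleToken000000000000
PATH=/usr/local/bin:/usr/bin
"""

# Heuristic patterns for secret-looking material in log text (assumed, tune per pipeline).
# In each pattern the LAST capturing group is the secret; anything before it is kept.
PATTERNS = {
    "auth_header": re.compile(r"(?i)(authorization:\s*(?:bearer|basic|token)\s+)([^\s\"']+)"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "env_assignment": re.compile(r"(?im)^([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*=)(.+)$"),
}


def redact_log(text, known_secrets=()):
    """Return (redacted_text, findings).

    Exact values from known_secrets are masked first (what a CI platform's built-in
    masking does for registered secrets); the heuristic patterns then catch values
    that were never registered, which built-in masking cannot know about.
    """
    findings = []
    for value in known_secrets:
        if value and value in text:
            findings.append(("known_secret", value))
            text = text.replace(value, "***")
    for name, pattern in PATTERNS.items():
        def _mask(m, name=name):
            secret = m.group(m.lastindex)
            if secret != "***":  # already masked by the known-secret pass
                findings.append((name, secret))
            prefix_len = m.start(m.lastindex) - m.start(0)
            return m.group(0)[:prefix_len] + "***"
        text = pattern.sub(_mask, text)
    return text, findings


if __name__ == "__main__":
    redacted, found = redact_log(SAMPLE_LOG, known_secrets=("ghp_constructedExampleToken0000000000000",))
    print(redacted)
    print("findings:", [kind for kind, _ in found])
```

Note that the `AWS_ACCESS_KEY_ID` line is caught only by the key-ID pattern, not by the variable-name pattern: name-based heuristics alone miss secrets stored under unremarkable variable names, which is why value-based masking and pattern scanning should be combined.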
