deployment and operations

Secrets In CI/CD And Runtime Environments

Secrets should move from an approved secret store into a build or runtime process only where that process actually needs them. CI credentials, deployment keys, database passwords, and API tokens each need a narrow scope, a named owner, and a rotation schedule.

Keep Secrets Out Of Artifacts

  • Keep secrets out of source, artifacts, logs, and cache keys.
  • Use environment-specific credentials.
  • Grant CI only the permissions required for its job.

Test Rotation And Missing Values

  • Review secret injection points.
  • Test missing-secret failure safely.
  • Rotate one staging credential.

Scope Credentials Narrowly

  • Forked pull requests run untrusted code; a CI job that exposes secrets to them, or that echoes values into its logs, leaks them.
  • A long-lived, broadly scoped credential turns any single leak into wide and lasting access.
  • A secret baked into an image layer stays in every copy of that image after rotation, so the old value remains recoverable.

Secret Flow

approved secret store -> scoped CI or runtime injection -> application process

never:
source control -> image layer -> build log -> browser response

Secret handling is ready when ownership, scope, injection, redaction, and rotation are documented. A value is not safely managed merely because it lives in an environment variable; the injection path, logs, permissions, and rotation process still matter.

Practice

Practice: Audit Deployment Secrets

Audit the path taken by a staging database password and deployment credential from storage to the running application.

Requirements

  • Keep secrets out of source, artifacts, logs, and cache keys.
  • Use environment-specific credentials.
  • Grant CI only the permissions required for its job.
  • Review secret injection points.
  • Test missing-secret failure safely.
  • Rotate one staging credential.

Store each credential in the approved secret system and inject it only into the CI job or runtime process that needs it. Keep secrets out of source control, image layers, caches, logs, and browser responses.

In staging, remove one required value and confirm that startup fails clearly, naming the missing variable without printing any secret. Rotate a credential and verify both that the new value is accepted and that the old value stops working. Record who owns each credential and when and how it is next rotated.
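The procedure described under Test Rotation And Missing Values and in this solution can be exercised in code. The following is an added example, not code from the original page: a fail-closed loader that reads secrets from an injected environment mapping, refuses to start when a required value is missing while naming only the variable, wraps values so that repr and log output never reveal them, scans build output or cache keys for leaked values, and checks a rotation by confirming that the new value is accepted and the old one rejected. The variable names STAGING_DB_PASSWORD and DEPLOY_TOKEN, the sample environment, and the authenticator are all constructed for the example.

```python
"""Fail-closed secret loading, redaction, leak scanning and rotation checks.

Added example; not from the original page. The names STAGING_DB_PASSWORD and
DEPLOY_TOKEN are hypothetical, standing in for values injected by CI or the
runtime environment.
"""
import hashlib
import logging

# Hypothetical required secret names for the staging deployment.
REQUIRED_SECRETS = ("STAGING_DB_PASSWORD", "DEPLOY_TOKEN")


class Secret:
    """Wraps a secret so that repr(), str() and f-strings never expose it.

    The short fingerprint lets a log line say which version of a rotated
    credential is loaded without printing the value itself."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Explicit accessor: the only way to get the raw value."""
        return self._value

    def fingerprint(self) -> str:
        return hashlib.sha256(self._value.encode()).hexdigest()[:8]

    def __repr__(self) -> str:
        return f"Secret(sha256:{self.fingerprint()})"

    __str__ = __repr__


class MissingSecretError(RuntimeError):
    """Raised at startup when a required secret was not injected."""


def load_secrets(env, required=REQUIRED_SECRETS):
    """Read required secrets from an injected environment mapping.

    Fails closed: every missing or empty name is reported at once, by name
    only, so the operator can fix the injection point without a value ever
    reaching a log or terminal."""
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise MissingSecretError(
            "missing required secrets: " + ", ".join(sorted(missing))
        )
    return {name: Secret(env[name]) for name in required}


def find_leaks(text, secrets):
    """Return the names of loaded secrets whose raw value appears in text.

    Run this over build logs, artifact listings and cache keys before they
    leave the job."""
    return [name for name, s in secrets.items() if s.reveal() and s.reveal() in text]


def redact(text, secrets):
    """Replace every occurrence of a loaded secret value with a placeholder."""
    for name, secret in secrets.items():
        value = secret.reveal()
        if value:
            text = text.replace(value, f"[REDACTED:{name}]")
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs loaded secret values from every record."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = secrets

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()  # already formatted; prevent a second %-expansion
        return True


def verify_rotation(authenticate, old, new):
    """A rotation is complete only when the target accepts the new value AND
    rejects the old one. `authenticate` is a callable that attempts a login
    against the real target (for a database, a connection attempt); the
    example below passes a constructed stand-in."""
    return bool(authenticate(new.reveal())) and not authenticate(old.reveal())


if __name__ == "__main__":
    # Constructed environment; no real credentials.
    injected = {"STAGING_DB_PASSWORD": "s3cr3t-pass", "DEPLOY_TOKEN": "tok-abc",
                "PATH": "/usr/bin"}
    secrets = load_secrets(injected)
    log = logging.getLogger("deploy")
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log.addFilter(RedactingFilter(secrets))
    log.info("loaded %s", secrets)                      # fingerprints only
    log.info("running: psql --password %s", "s3cr3t-pass")  # value is scrubbed
    print("leaks in cache key:", find_leaks("build-cache-tok-abc-linux", secrets))
    try:
        load_secrets({"DEPLOY_TOKEN": "tok-abc"})  # simulate a missing value
    except MissingSecretError as exc:
        print("startup refused:", exc)                  # names the variable only
    accepted = {"new-pass"}                             # constructed target state
    print("rotation complete:",
          verify_rotation(lambda v: v in accepted, Secret("old-pass"), Secret("new-pass")))
```

The `Secret` wrapper and the logging filter address the redaction requirement; `find_leaks` is the check to run against job output and cache keys before they are persisted; `verify_rotation` encodes the point that a rotation is not finished until the old value is refused by the target, which no amount of comparing values locally can establish.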