Secret management in pipelines is the practice of securely injecting, using, and rotating sensitive credentials within CI/CD automation without exposing them in logs, artifacts, configurations, or version control. It addresses the zero-secret problem: how a pipeline authenticates to external services securely without holding stored credentials.
Modern secret management eliminates static credentials through OIDC federation, where CI platforms like GitHub Actions or GitLab CI exchange short-lived OIDC ID tokens (JWTs) for cloud provider credentials without storing secrets at all. When static secrets are unavoidable, external secret managers (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) inject them at runtime through pipeline integrations. Pipeline platforms provide native secret storage (GitHub Encrypted Secrets, GitLab CI Variables) with masking that redacts known values from logs. Organization-level secrets share credentials across repositories, while environment-level secrets restrict access to specific deployment targets. Secret scanning tools like GitLeaks and TruffleHog run pre-commit and in CI to catch accidental credential commits. Rotation automation updates secrets on schedule and propagates changes to consuming pipelines. Vault dynamic secrets generate unique, short-lived credentials per pipeline run, eliminating credential sharing and simplifying revocation.
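As an added illustration (not code from the original article or from CDA), here is a Python model of the cloud-side trust check that makes OIDC federation safe: the role's trust policy must pin the token's `iss`, `aud` and `sub` claims, or any repository on the same issuer can assume the role. The policy shape, repository names and sample claims are constructed; signature verification against the issuer's JWKS is assumed to have happened before these checks run.

```python
import base64
import fnmatch
import json
import time

# Issuer of GitHub Actions ID tokens. Tokens used here are constructed test data with a
# placeholder signature; a real verifier checks the signature against the issuer's JWKS first.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical trust policy for a deploy role: only main-branch runs of one repo may federate.
STRICT_POLICY = {
    "issuer": GITHUB_ISSUER,
    "audience": "sts.amazonaws.com",
    "sub_patterns": ["repo:example-org/app:ref:refs/heads/main"],
}
# The common misconfiguration: every repository on the issuer is trusted.
LOOSE_POLICY = {**STRICT_POLICY, "sub_patterns": ["repo:*"]}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


def decode_claims(token: str) -> dict:
    """Base64url-decode the payload segment. This does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_trust(token: str, policy: dict, now=None):
    """Mimic a cloud role trust policy: check iss, aud, exp, then match sub against patterns."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    if claims.get("aud") != policy["audience"]:
        return False, "audience mismatch"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    sub = claims.get("sub", "")
    # '*' in fnmatch spans ':' and '/', like StringLike wildcards in AWS trust policies.
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in policy["sub_patterns"]):
        return False, f"subject not allowed: {sub}"
    return True, "ok"
```

The same `sub` pinning applies to GitLab CI tokens (whose claims name the project and ref) and to any other issuer a role trusts.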
Pipelines accumulate secrets over time: cloud credentials, API keys, database passwords, registry tokens, and signing keys. Each secret is an exposure point. Leaked pipeline secrets enable production access, data theft, and supply chain attacks. The Codecov breach demonstrated how a compromised pipeline credential cascaded to thousands of downstream repositories and their secrets.
CDA addresses pipeline secret management under the DPS (Data Protection and Sovereignty) domain. Our missions migrate organizations from static credentials to OIDC federation, deploy Vault with dynamic secret generation, and implement secret scanning across all repositories.