GuideDevOps
Lesson 10 of 11

Pipeline Secrets & Security

Part of the CI/CD Pipelines tutorial series.

A single leaked API key in a public CI log can lead to a massive security breach. Modern CI/CD platforms provide built-in ways to mask and protect your secrets.

1. Environment Variable Masking

Most platforms (GitHub, GitLab, Jenkins) automatically mask registered secrets: if a job runs echo $SECRET, the log shows *** instead of the actual value. Treat masking as a safety net rather than a control. It only matches the exact registered string, so a value that has been base64-encoded, split into pieces, or otherwise transformed before printing reaches the log in the clear. The rule stays: never print a secret on purpose.

Action (GitHub Workflow snippet):

      - name: Print Secret (Dangerous but illustrative)
        run: echo "My token is ${{ secrets.GITHUB_TOKEN }}"

Result in Logs:

My token is ***
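To see what the log filter actually does, here is a small reimplementation of it as an added example (this is not code from the lesson or from any CI platform). The secret value and the two log lines are constructed; mask_log applies the same exact-string replacement a runner applies, and the second line shows the case the filter cannot catch.

```shell
#!/bin/sh
# Added example: a minimal stand-in for a CI runner's log masking filter.
# SECRET_VALUE and the log lines below are constructed sample data.

SECRET_VALUE='s3cr3t-token-9f8e7d'   # constructed sample secret

# mask_log SECRET: read log text on stdin and replace every exact
# occurrence of SECRET with ***, which is all a runner's filter does.
mask_log() {
    secret="$1"
    # escape sed-special characters so the secret is matched literally
    escaped=$(printf '%s' "$secret" | sed 's,[][\\/.*^$],\\&,g')
    sed "s/$escaped/***/g"
}

# Constructed log lines: one prints the secret verbatim, the other prints
# a base64-transformed copy that the filter has no way to recognise.
RAW_LINE="My token is $SECRET_VALUE"
ENCODED_LINE="My token is $(printf '%s' "$SECRET_VALUE" | base64)"

# What each line looks like after the filter, i.e. what reaches the public log
masked_raw()     { printf '%s\n' "$RAW_LINE"     | mask_log "$SECRET_VALUE"; }
masked_encoded() { printf '%s\n' "$ENCODED_LINE" | mask_log "$SECRET_VALUE"; }

echo "verbatim line after masking: $(masked_raw)"
echo "base64 line after masking:   $(masked_encoded)"
```

The first line comes out as the lesson shows (My token is ***); the second is unchanged, which is why masking alone does not make a job safe to run on untrusted input.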

2. Using SSH Keys for Deployment

When deploying to a private server, you should use SSH keys stored as secrets rather than passwords.

Step 1: Add SSH Private Key to CI Secrets

Store the private key file (for example id_rsa) as a secret named SSH_PRIVATE_KEY. Generate a dedicated deploy key for the pipeline rather than reusing a personal key, so it can be rotated or revoked without affecting anything else.

Step 2: Use it in the Pipeline

Action (GitLab CI snippet):

deploy:
  script:
    - eval $(ssh-agent -s)
    # strip Windows line endings that sometimes sneak into a pasted secret
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
    # StrictHostKeyChecking=no accepts whatever host key the far end presents,
    # so a machine impersonating myserver.com would receive the deploy session;
    # pin the server's key in known_hosts and leave strict checking on instead
    - ssh -o StrictHostKeyChecking=no user@myserver.com "./deploy.sh"
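The same deploy step written as a script with the host key pinned, as an added example that is not part of the lesson. It assumes two CI variables: SSH_PRIVATE_KEY as in the lesson, and SSH_KNOWN_HOSTS holding the server's public host key line (captured once with ssh-keyscan from a trusted machine and stored as a secret). The key data, server name and SSH_DIR default below are placeholders so the script can run offline; set RUN_DEPLOY=1 in the pipeline to execute the ssh command instead of printing it.

```shell
#!/bin/sh
# Added example: hardened version of the GitLab deploy step. Placeholder
# values are used for the host key and target so the script runs offline.

# SSH_KNOWN_HOSTS: constructed placeholder host key line (the real pipeline
# provides this as a CI secret captured from the server)
: "${SSH_KNOWN_HOSTS:=myserver.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER000000000000000000000000000000}"
: "${DEPLOY_TARGET:=user@myserver.com}"
SSH_DIR="${SSH_DIR:-$(mktemp -d)}"   # a real runner would use $HOME/.ssh

# write_known_hosts: pin the server's key so ssh refuses any other host key
write_known_hosts() {
    mkdir -p "$SSH_DIR"
    chmod 700 "$SSH_DIR"
    printf '%s\n' "$SSH_KNOWN_HOSTS" | tr -d '\r' > "$SSH_DIR/known_hosts"
    chmod 600 "$SSH_DIR/known_hosts"
}

# load_deploy_key: the lesson's ssh-add step; skipped when no key is set so
# the script can run in a sandbox without ssh-agent
load_deploy_key() {
    if [ -z "${SSH_PRIVATE_KEY:-}" ]; then
        echo "SSH_PRIVATE_KEY not set, skipping ssh-add"
        return 0
    fi
    eval "$(ssh-agent -s)" > /dev/null
    printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
}

# deploy_cmd: the ssh command the pipeline runs, with strict host key
# checking left ON and pointed at the file we just pinned
deploy_cmd() {
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s %s ./deploy.sh\n' \
        "$SSH_DIR/known_hosts" "$DEPLOY_TARGET"
}

run_deploy() {
    ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$SSH_DIR/known_hosts" \
        "$DEPLOY_TARGET" ./deploy.sh
}

write_known_hosts
load_deploy_key
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
    run_deploy
else
    echo "dry run; the pipeline would execute: $(deploy_cmd)"
fi
```

Pinning the host key costs one extra secret but turns a silent redirection of the deploy session into a hard ssh failure in the job log.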

3. Secret Leak Prevention (Gitleaks)

You can add a step to your pipeline that scans the code for accidentally committed secrets and fails the build if it finds any, so the leak is caught before the change is merged.

Action (GitHub Action):

      - name: Gitleaks Scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Result (if secret found):

Finding:   "AWS_ACCESS_KEY_ID": "AKIA..."
File:      src/config.py
Line:      12
ERROR: Gitleaks detected secrets in your PR. Build Failed.
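To show what such a gate does internally, here is a deliberately small grep-based scanner as an added example (it is not Gitleaks and not code from the lesson). It matches three public credential formats: AWS access key IDs, GitHub personal access tokens and PEM private key headers. The two files it scans are constructed samples written to a temporary directory; AKIAIOSFODNN7EXAMPLE is the example key ID from AWS's own documentation, not a live credential.

```shell
#!/bin/sh
# Added example: a minimal secret-scanning gate. Sample files are constructed.

SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/src"

# constructed file that hardcodes a key ID (AWS's documented example value)
cat > "$SAMPLE_DIR/src/config.py" <<'EOF'
import os

DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
EOF

# constructed file that reads its token at runtime and should pass
cat > "$SAMPLE_DIR/src/clean.py" <<'EOF'
import os
TOKEN = os.environ.get("API_TOKEN")  # nothing hardcoded
EOF

# One rule per line: rule name, then the extended regex (rest of the line).
RULES='aws-access-key-id AKIA[0-9A-Z]{16}
github-pat ghp_[A-Za-z0-9]{36}
private-key -----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_file FILE: print a Finding/File/Line record for every match
scan_file() {
    file="$1"
    printf '%s\n' "$RULES" | while read -r name regex; do
        # -e keeps a regex that starts with '-' from being read as an option
        grep -nE -e "$regex" "$file" | cut -d: -f1 | while read -r line; do
            printf 'Finding:   %s\nFile:      %s\nLine:      %s\n' "$name" "$file" "$line"
        done
    done
}

# scan_tree PATH: scan every regular file under PATH; return 1 on any
# finding so the CI job fails, 0 when clean
scan_tree() {
    report=$(find "$1" -type f | while read -r f; do scan_file "$f"; done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        echo "ERROR: secrets detected. Build Failed."
        return 1
    fi
    echo "no secrets found under $1"
    return 0
}

if scan_tree "$SAMPLE_DIR"; then
    echo "gate passed"
else
    echo "gate failed (a CI job would stop here with exit status 1)"
fi
```

A real scanner adds entropy checks, allow-lists and history scanning on top of this, but the shape is the same: match, report file and line, return non-zero.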

4. Best Practices for Pipeline Security

  1. Principle of Least Privilege: Give your CI tokens only the permissions they need (e.g., read-only for pulling, write only for the specific deployment bucket).
  2. Never hardcode: Not in code, not in YAML, not even in comments.
  3. Audit Logs: Regularly check who accessed or modified secrets.
  4. Short-lived Tokens: Use OIDC (OpenID Connect) for AWS/GCP instead of long-lived access keys when possible.
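Two of these practices, least privilege for the CI token and OIDC instead of long-lived keys, can be checked automatically on every pull request. The script below is an added example, not code from the lesson: it audits GitHub Actions workflow files with line-oriented grep (not a YAML parser) and reports a missing or write-all permissions block and AWS keys passed in from secrets. Both workflow files are constructed samples; the role ARN in the hardened one is a placeholder, and the secret names the check looks for are assumed conventions.

```shell
#!/bin/sh
# Added example: a pre-merge audit for GitHub Actions workflows.
# Both workflow files below are constructed samples.

WORKFLOWS=$(mktemp -d)

# weak: no permissions block (default token scope) and a long-lived AWS key
cat > "$WORKFLOWS/weak.yml" <<'EOF'
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: aws s3 sync ./dist s3://my-bucket
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
EOF

# hardened: read-only token, OIDC token request, role assumed at job time
# (the role ARN is a placeholder)
cat > "$WORKFLOWS/hardened.yml" <<'EOF'
name: deploy
on: push
permissions:
  contents: read      # the default GITHUB_TOKEN can only read the repo
  id-token: write     # allows the job to request an OIDC token
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://my-bucket
EOF

# audit_workflow FILE: print one line per finding, nothing when clean
audit_workflow() {
    f="$1"
    if ! grep -qE '^permissions:' "$f"; then
        echo "$f: no top-level permissions block, GITHUB_TOKEN keeps the repository default scope"
    elif grep -qE '^permissions:[[:space:]]*write-all' "$f"; then
        echo "$f: permissions: write-all grants every scope"
    fi
    if grep -qE 'secrets\.AWS_SECRET_ACCESS_KEY' "$f"; then
        echo "$f: long-lived AWS key passed from secrets; prefer OIDC (id-token: write plus role-to-assume)"
    fi
}

# finding_count FILE: number of findings, usable as a CI gate
finding_count() {
    audit_workflow "$1" | wc -l | tr -d ' '
}

for wf in "$WORKFLOWS/weak.yml" "$WORKFLOWS/hardened.yml"; do
    audit_workflow "$wf"
    echo "$wf: $(finding_count "$wf") finding(s)"
done
```

Run it against .github/workflows/*.yml in a lint job and fail the job when finding_count is non-zero; the weak sample produces two findings and the hardened one none.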

Summary

  • Secrets Management: Use built-in CI secret stores.
  • Masking: Protects secrets from appearing in logs.
  • Scanning: Catch leaks before they reach the repository.
  • OIDC: The modern, keyless way to connect to the cloud.