Secrets Management Definition Secrets management is the secure handling of credentials, tokens, keys, certificates, and other sensitive material across development, build, deployment, and runtime. Why it matters Secrets frequently bridge trust boundaries between source control, CI/CD, infrastructure, and production. Weak handling turns local convenience into systemic compromise. This note is about the lifecycle and exposure of sensitive material itself, not the whole CI/CD environment or release-governance model around it. Attacker perspective Attackers look for: - secrets in source control - credentials in CI logs - long-lived tokens in environment variables - overprivileged secrets reused across systems - stale secrets that were never rotated Defender perspective Defenders should: - minimize where secrets exist - separate build-time and runtime secrets - rotate and scope secrets intentionally - reduce human handling of secrets - review exposure in logs, artifacts, and config Practical examples a deploy token is printed in logs the same long-lived credential is reused across environments repo history still contains secrets that teams assume are “gone” Related notes ci-cd-hardening supply-chain-security artifact-integrity References Foundational: NIST SP 800-218 SSDF — https://csrc.nist.gov/pubs/sp/800/218/final Foundational: OWASP Software Supply Chain Security Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security_Cheat_Sheet.html ← PreviousSBOM and ProvenanceNext →Secure by Design Explore nearby notes DevSecOpsArtifact IntegrityArtifact integrity is the assurance that build outputs, packages, images, and release artifacts have not been tampered with and can be traced back to the intended... DevSecOpsASVS as Dev Process InputThis note treats OWASP ASVS not as a post-hoc checklist, but as a development-process input for designing, reviewing, and verifying technical security controls... DevSecOpsBranch Protection and Release ControlsBranch protection and release controls are the rules and governance mechanisms that determine who can change protected code paths, approve releases, and promote... DevSecOpsCI/CD HardeningCI/CD hardening ice of securing the build, test, and deployment pipeline so that automation becomes a trusted control path rather than an attack amplifier. DevSecOpsContainer SecurityContainer security is the practice of reducing risk in how containerized applications are built, configured, shipped, and run. DevSecOpsDependency RiskDependency risk is the security risk introduced by direct and transitive third-party libraries, frameworks, packages, and their update and trust patterns.