⌘K
ENES
GitHub
conceptDevSecOps~1 min readUpdated Apr 23, 2026

Secrets Management

Definition

Secrets management is the secure handling of credentials, tokens, keys, certificates, and other sensitive material across development, build, deployment, and runtime.

Why it matters

Secrets frequently bridge trust boundaries between source control, CI/CD, infrastructure, and production. Weak handling turns local convenience into systemic compromise. This note is about the lifecycle and exposure of sensitive material itself, not the whole CI/CD environment or release-governance model around it.

Attacker perspective

Attackers look for: - secrets in source control - credentials in CI logs - long-lived tokens in environment variables - overprivileged secrets reused across systems - stale secrets that were never rotated

Defender perspective

Defenders should: - minimize where secrets exist - separate build-time and runtime secrets - rotate and scope secrets intentionally - reduce human handling of secrets - review exposure in logs, artifacts, and config

Practical examples

  • a deploy token is printed in logs
  • the same long-lived credential is reused across environments
  • repo history still contains secrets that teams assume are “gone”

References

  • Foundational: NIST SP 800-218 SSDF — https://csrc.nist.gov/pubs/sp/800/218/final
  • Foundational: OWASP Software Supply Chain Security Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security_Cheat_Sheet.html

Explore nearby notes

DevSecOpsArtifact IntegrityArtifact integrity is the assurance that build outputs, packages, images, and release artifacts have not been tampered with and can be traced back to the intended... DevSecOpsASVS as Dev Process InputThis note treats OWASP ASVS not as a post-hoc checklist, but as a development-process input for designing, reviewing, and verifying technical security controls... DevSecOpsBranch Protection and Release ControlsBranch protection and release controls are the rules and governance mechanisms that determine who can change protected code paths, approve releases, and promote... DevSecOpsCI/CD HardeningCI/CD hardening ice of securing the build, test, and deployment pipeline so that automation becomes a trusted control path rather than an attack amplifier. DevSecOpsContainer SecurityContainer security is the practice of reducing risk in how containerized applications are built, configured, shipped, and run. DevSecOpsDependency RiskDependency risk is the security risk introduced by direct and transitive third-party libraries, frameworks, packages, and their update and trust patterns.