Want to know the scariest part about modern software delivery?
Your CI/CD pipelines are almost certainly leaking secrets at this very moment and nobody on your team realizes it. API keys. Database passwords. Cloud access tokens. SSH keys… they’re all flowing through your pipelines day in and day out. Each one is a potential entry point for an attacker.
Here’s the problem:
Pipelines were designed for velocity. Security was an afterthought. So as your DevOps teams rush to deploy code faster, secrets are silently leaking into config files, build logs, and Docker images where they shouldn’t be.
Leaks are a real headache, but a fixable one. This article explains how pipeline leaks actually happen and how to close them.
Let’s jump in!
In this guide you’ll find:
- Why CI/CD Pipelines Leak Secrets
- The Most Common Ways Teams Get Exposed
- How To Protect Your Pipeline Secrets
Why CI/CD Pipelines Leak Secrets
CI/CD pipelines are among the most powerful systems in most companies. Stop and consider… They hold the keys to deploy directly to production. They can push container images. They can talk to your cloud APIs and databases. That's a TON of trust placed in one system.
And yet they’re often the least protected part of the whole setup.
That’s why robust identity and access management is critical in this scenario. When each token, key, and service account is under governance, there are fewer opportunities for attackers to exploit. Tools like Entro Security can assist teams in identifying and securing these non-human identities and secrets residing throughout a pipeline before they’re leaked.
Here's the number that should worry you. According to GitGuardian's recent report, 59% of compromised devices in 2025 were CI/CD runners. Not people's laptops. The pipeline is the new endpoint.
Why does this keep happening? Pipelines were architected to trust internal processes by default, and nobody "owns" a secret once it has been generated.
So credentials accumulate. Tokens get left lying around because nobody remembers why they exist, and nobody dares revoke them. Before you know it, your pipeline is a cemetery of credentials, except that every one of them is still alive.
The Most Common Ways Teams Get Exposed
So how do leaks actually happen? Almost never through some Hollywood-level hacker storming the castle. It's a small, unintentional slip that lands in the pipeline and nobody notices. The most common ones are below.
Hardcoded Secrets
Hardcoded secrets occur when someone copies and pastes an API key, token, or password directly into source code, a pipeline YAML file, or a Dockerfile. It works, so you move on.
But here’s the kicker…
One hardcoded GitHub token with repo write scope can mean full push access to prod. One line of sloppy code. Complete takeover.
And don't think "private repo" means safe either. Research from GitGuardian showed that private repos are 6x more likely to contain hardcoded secrets than public repos. Private means less scrutiny, not more safety.
Secret Sprawl
Secret sprawl is fairly self-explanatory. Secrets are spread all over the place without clear ownership.
As time goes on your pipeline starts hoarding tokens the way a junk drawer hoards random chargers. You slowly acquire dozens of live credentials no one can account for. Old tokens just… sit there, because nobody wants to be the one who breaks the build by revoking them. Every unaccounted-for credential is one more thing for an attacker to quietly collect.
Over-Permissioned Credentials
This one is subtler. Many pipelines run with tokens that have far MORE permissions than the job needs: permission to edit source code, reach cloud infrastructure, and publish production artifacts, all from a single credential.
Well what happens when that token gets leaked? The attacker doesn’t gain small privileges. They own the kingdom.
Leaks Outside The Code
Secrets aren’t just spilled inside repositories. Teams share credentials in Slack when debugging incidents. Engineers leak tokens in Jira tickets. New hires exchange keys as part of onboarding.
Studies have found that approximately 28% of credential exposure in 2025 occurred entirely outside of source code, in tools such as Slack, Jira and Confluence. If you only scan code, you leave more than a quarter of your exposure out of the picture.
(There’s the “it’s never just one place” lesson in action.)
How To Protect Your Pipeline Secrets
Enough doom. Let's fix it. The good news about pipeline protection is that it doesn't require a huge budget or a 12-month program. A few good habits take you a long way.
Stop Hardcoding Everything
Golden rule. Never put a secret value into your source code, your pipeline YAML, your Dockerfiles or your build artifacts. Once a secret has been committed it lives on in git history even after you delete the line, so treat any committed secret as leaked and rotate it.
Instead, use runtime injection. The pipeline asks a secrets manager for the credential at the moment a step needs it, hands that short-lived value to that one step, and discards it afterwards. The secret never lands in the repo, the image or the artifact, and it should be masked so it cannot surface in the build log either.
It’s a small shift that closes a giant hole.
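As an added example (not code from the original article), here is what runtime injection looks like at the level of a single step: the secret is fetched only when the step runs, passed through the step's environment rather than the command line or a file, and registered with a log mask so that even a careless `print` cannot put it in the build log. The secrets manager is a stand-in (`FAKE_VAULT`, a dict lookup); in a real pipeline that call would authenticate with the runner's own identity. The "careless step" and the token value are constructed for the demo.

```python
import os
import subprocess
import sys


class LogMask:
    """Redacts registered secret values from step output before it is logged.

    CI runners do this for the secrets they hand out themselves (GitHub
    Actions exposes it as ::add-mask::); a value fetched at runtime has to be
    registered explicitly or the runner does not know to hide it.
    """

    def __init__(self):
        self._values = []

    def register(self, value: str) -> None:
        # Masking very short strings would blank out unrelated output.
        if len(value) >= 8:
            self._values.append(value)

    def redact(self, text: str) -> str:
        for v in self._values:
            text = text.replace(v, "***")
        return text


def fetch_secret(name: str, provider) -> str:
    """Ask the secrets manager for one value, right now, for this step.

    `provider` is any callable name -> value. The assumption here is that a
    missing secret is a hard error: a step must never fall back to a default.
    """
    value = provider(name)
    if not value:
        raise RuntimeError(f"secret {name!r} is not available to this job")
    return value


def run_step(command, secret_name: str, provider, mask: LogMask):
    """Run one pipeline step with exactly one injected secret.

    The value goes into the child's environment only. On the command line it
    would be visible to `ps` and to the runner's command echo; in a file it
    would sit in the workspace and end up in the next image layer.
    """
    secret = fetch_secret(secret_name, provider)
    mask.register(secret)
    env = {k: os.environ[k] for k in ("PATH", "SYSTEMROOT") if k in os.environ}
    env[secret_name] = secret
    proc = subprocess.run(command, env=env, capture_output=True, text=True)
    # Everything the step printed passes through the mask before it is logged.
    return proc.returncode, mask.redact(proc.stdout + proc.stderr)


# Constructed stand-in for a secrets manager (assumption: a dict lookup).
FAKE_VAULT = {"DEPLOY_TOKEN": "tok_constructed_example_0123456789"}.get

# A "debug" step that carelessly prints the token it was given.
CARELESS_STEP = [
    sys.executable, "-c",
    "import os; print('deploying with', os.environ['DEPLOY_TOKEN'])",
]


def demo():
    """Returns (exit code, masked log, whether the parent env now holds the secret)."""
    mask = LogMask()
    rc, log = run_step(CARELESS_STEP, "DEPLOY_TOKEN", FAKE_VAULT, mask)
    return rc, log, "DEPLOY_TOKEN" in os.environ


if __name__ == "__main__":
    print(demo())
```

The step itself is unchanged and still sloppy; what changed is that the secret was scoped to that one process and the log line comes out as `deploying with ***`. The parent process never puts the value in its own environment, so later steps on the same runner do not inherit it.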
Lock Down Access
Enterprise CI/CD systems are complex environments. This is where robust identity and access management truly proves its value. Here are some best practices:
- Use Role-Based Access Control so people and jobs only get what they need.
- Give each token the minimum permissions its job actually uses.
- Swap static credentials for short-lived, federated identities where you can (for example, a GitHub Actions job exchanging its OIDC token for a cloud role, instead of a long-lived access key stored as a pipeline secret).
The principle is easy to remember: trust nothing, verify everything. The goal is that when a credential does leak, its blast radius is small.
Scan Continuously
New secrets land between scans, so a one-off scan doesn't work. Configure pre-commit hooks to stop leaks before they are committed. Follow up with scheduled scans of your repos (including git history, not just the current tree), build logs, Docker images AND collaboration tools.
The wider you scan, the more you catch.
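Below is an added example, not the article's own tooling, of the detection logic such a scan runs: a few precise patterns for published credential formats, plus an entropy check on generic `NAME = value` assignments so that random-looking values are flagged while placeholders and `${{ secrets.X }}` references are not. It is run over constructed samples of the artifacts named above (a pipeline YAML file, a Dockerfile, a build log line, a chat export) and also covers the "Leaks Outside The Code" case. The AWS key id is the one from AWS's own documentation; the other tokens are made-up strings of the right shape. The pattern set and the 3.5 bits/char threshold are this example's own choices.

```python
import math
import re
from collections import Counter

# Published credential formats. Keep this list precise: broad patterns bury
# reviewers in false positives and the scanner ends up switched off.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic `NAME = "value"` where NAME looks like a credential. The value class
# excludes `$`, `{` and `(`, so template references such as ${{ secrets.X }}
# or $(vault kv get ...) count as runtime injection, not as leaks.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_.-]*(?:secret|token|passw(?:or)?d|api[_-]?key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)
# Bits per character (assumed threshold). Hex tops out at 4.0, base64 at 6.0;
# word-like placeholders such as "changeme" sit well below 3.5.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score high, words low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Never echo a whole secret into the scanner's own report."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, source: str) -> list:
    """Return (source, line_no, kind, redacted_value) for every finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_values = set()
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                matched_values.add(m.group(0))
                findings.append((source, line_no, kind, redact(m.group(0))))
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value in matched_values:
                continue  # already reported under its precise format
            if shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # word-like: a placeholder, not a live token
            findings.append((source, line_no, "high_entropy_assignment", redact(value)))
    return findings


def scan_all(sources: dict) -> list:
    """Scan every artifact type the text names: code, YAML, images, logs, chat."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_text(text, name))
    return findings


# Constructed sample artifacts (no real credentials).
SAMPLES = {
    "ci.yml": (
        "env:\n"
        "  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n"            # injected: fine
        "  API_KEY: '9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c'\n"      # hardcoded: flagged
        "  DB_PASSWORD: changeme_changeme_changeme\n"         # placeholder: skipped
    ),
    "Dockerfile": "ENV GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "build.log": "[12:03:11] aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE\n",
    "slack-export.txt": "alice: try xoxb-123456789012-abcdefghijkl when the deploy fails\n",
}

if __name__ == "__main__":
    for source, line_no, kind, value in scan_all(SAMPLES):
        print(f"{source}:{line_no}: {kind} {value}")
```

Run the same function from a pre-commit hook over staged files and from a scheduled job over build logs and chat exports; the only difference is the input. The known-format list here is deliberately tiny. Production scanners such as gitleaks or GitGuardian's ggshield ship hundreds of vendor patterns, and the entropy rule is what catches the home-grown tokens none of those patterns know about.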
Rotate Your Secrets
Last but certainly not least, old secrets are bad secrets. Almost 70% of secrets leaked in 2022 were found by GitGuardian to still be active two years later. No one rotated them. No one deleted them.
A secrets vault defuses this time bomb by automating rotation, so long-lived tokens simply stop existing. Rotate frequently, rotate automatically, and you remove the lowest-hanging fruit for attackers.
Bringing It All Together
So CI/CD pipelines are powerful. CI/CD pipelines are fast. CI/CD pipelines are absolutely necessary. But they also concentrate risk in one place that most teams drastically underestimate. The secrets flowing through your pipelines are the keys to your kingdom, and far too many are left right under the doormat.
Attackers no longer need to develop sophisticated exploits. They just wait for credentials to leak from automation that wasn’t designed to protect them.
To quickly recap:
- Stop hardcoding secrets into code and config
- Tighten up identity and access management
- Scan everywhere, not just your repos
- Rotate your credentials before they get stale
Master these fundamentals and watch your weakest area become your strength. Begin now, your future self will thank you.

