Well-Architected Framework
Securely store secrets for CI/CD pipelines
CI/CD pipelines require secure access to sensitive data like API keys, credentials, and certificates. Manually managing these secrets creates security risks and operational overhead. You should use a centralized secrets store to manage your secrets.
This collection provides guidance and resources for securing popular CI/CD platforms with Vault, and highlights common authentication and secrets management anti-patterns.
HashiCorp Vault enables centralized secrets management to help secure your CI/CD workflows. Vault can manage identities and authentication with JWT/OIDC, LDAP, TLS certificates, tokens, and usernames and passwords. You can also use Vault to authenticate your CI/CD workloads with major cloud providers such as AWS, Azure, and GCP. This range of support lets you build flexible workflows and choose how your CI/CD pipelines retrieve data.
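As an added example, not taken from this page or from HashiCorp's own resources, the JWT/OIDC pattern described above expressed with the Terraform Vault provider: a pipeline presents the identity token its CI platform already issues, and Vault exchanges it for a short-lived token carrying only the policy that one job needs. The issuer URL, audience, claim names and secret path are placeholders, not values from any real CI platform.

```terraform
# Added example (not part of the HashiCorp page): a Vault JWT/OIDC auth
# role that lets a CI/CD pipeline obtain a short-lived, narrowly scoped
# token. Issuer URL, audience, claim names and secret paths are placeholders.

# Enable the JWT auth method and point it at the CI platform's OIDC
# discovery endpoint so Vault fetches and rotates the signing keys itself;
# no static credential has to be copied into the pipeline.
resource "vault_jwt_auth_backend" "ci" {
  path               = "ci-oidc"
  type               = "jwt"
  oidc_discovery_url = "https://ci.example.com" # placeholder issuer
  bound_issuer       = "https://ci.example.com"
}

# Read-only policy scoped to the one secret path this pipeline needs.
resource "vault_policy" "deploy_pipeline" {
  name   = "deploy-pipeline"
  policy = <<-EOT
    path "secret/data/deploy/app" {
      capabilities = ["read"]
    }
  EOT
}

# Bind the role to one project and branch via claims in the CI token.
# A token whose claims do not match exactly is rejected, so a job from
# another repository or a feature branch cannot assume this role.
resource "vault_jwt_auth_backend_role" "deploy_pipeline" {
  backend           = vault_jwt_auth_backend.ci.path
  role_name         = "deploy-pipeline"
  role_type         = "jwt"
  bound_audiences   = ["https://vault.example.com"] # placeholder audience
  user_claim        = "sub"
  bound_claims_type = "string"
  bound_claims = {
    repository = "example-org/app"  # hypothetical claim names; the real
    ref        = "refs/heads/main"  # names depend on the CI platform
  }
  token_policies          = [vault_policy.deploy_pipeline.name]
  token_no_default_policy = true
  token_ttl               = 600 # 10 minutes: long enough for one job
  token_max_ttl           = 900
}
```

The pipeline itself then calls the `auth/ci-oidc/login` endpoint with its platform-issued JWT and the role name; nothing long-lived is stored in the CI configuration.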
Next steps
In this overview of managing CI/CD secrets, you learned that CI/CD pipelines require secure access to sensitive data, such as API keys and credentials, and that you should use a centralized secrets store like HashiCorp Vault. Visit the following documents to learn specifics about CI/CD secret management, along with tool-specific best practices and resources. Manage CI/CD secrets is part of the Secure systems pillar.