IntermediatePhone
2 min
Secrets Management in CI/CD
SecurityCI/CDDevOps
Advertisement
Interview Question
What are best practices for managing secrets (API keys, tokens) in CI/CD pipelines?
Key Points to Cover
- Use secret managers or CI secret stores (not plain env files)
- Limit scope/TTL; rotate regularly; least privilege
- Avoid printing secrets; enable masking and audit
Evaluation Rubric
Recommends secure storage/manager40% weight
Explains rotation/least privilege35% weight
Mentions masking/audit practices25% weight
Hints
- 💡HashiCorp Vault, AWS Secrets Manager, GitHub Actions secrets.
Common Pitfalls to Avoid
- ⚠️Storing secrets directly in source control (e.g., Git repositories), even in private repos.
- ⚠️Hardcoding secrets into application code or configuration files instead of using a secret manager.
- ⚠️Using plain, unencrypted environment variables without robust platform-level protection for secrets in production CI/CD.
- ⚠️Failing to rotate secrets regularly or having overly long Time-To-Live (TTL) for credentials.
- ⚠️Printing secrets to logs or build outputs, making them visible to anyone with access to pipeline execution records.
Potential Follow-up Questions
- ❓How do you handle PR builds from forks?
- ❓What is OIDC for cloud creds?
Advertisement