Clive Robinson • March 20, 2025 12:38 PM
@ For those “new to the game”
“CI/CD Secrets” is liberally spread across the articles, but none explain what they are in layman’s terms.
The first step is to understand what a “Continuous Integration” (CI) / “Continuous Development/Deployment” (CD) pipeline is. Gitlab has a reasonable description at,
https://about.gitlab.com/topics/ci-cd/cicd-pipeline/
However, it says nothing about “secrets”.
Put overly simply, in our modern environments much is “done in the cloud”, or in older parlance “across multiple servers”, for which “Authorization” (AuthZ) and “Authentication” (AuthN) are required.
At the simplest, that is: a user has to have “an account”, which once would have been a “user name” that was considered “public knowledge”, plus “a password”, “passphrase” or other “secret” known only to the user and verifiable by the server.
However, when you “automate” things it gets more complicated, to the point where even the user does not know what is used for AuthZ and AuthN, as they are “embedded in some way” into the automated pipeline.
It is these that form the basis for “CI/CD Secrets”, and whilst they could be “dynamic” and “random” via “challenge and response” or a “Zero Knowledge Proof”, they generally are “static” and stored as “plaintext in files”.
Thus, if static, “once leaked” anyone who has access to the leak can impersonate the valid user(s).
It’s actually a really bad security design for an automated system and should be replaced with something that is not vulnerable to being recorded and replayed, but still does not need user(s) to be actively involved.
Unfortunately, by the way this attack works, it can get around the “security advice” given online in articles like,
https://blog.gitguardian.com/handle-secrets-in-ci-cd-pipelines/
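The record-and-replay weakness the comment above describes, shown as an added example (it is not part of the original comment, nor code from GitLab or GitGuardian): a server that accepts a static pipeline token versus one that issues a single-use nonce and expects an HMAC over it. The token value, shared key and server classes are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for a static secret as it would sit in a pipeline file.
STATIC_TOKEN = "ci-deploy-token-EXAMPLE"


class StaticTokenServer:
    """Accepts a long-lived bearer token: whoever records it can replay it indefinitely."""

    def __init__(self, token: str) -> None:
        self._token = token

    def authenticate(self, presented: str) -> bool:
        return hmac.compare_digest(presented, self._token)


class ChallengeResponseServer:
    """Issues one-time nonces; the client must return HMAC-SHA256(shared_key, nonce).

    A recorded (nonce, response) pair is useless afterwards because the nonce is
    consumed on first use and a fresh nonce needs a fresh response.
    """

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key
        self._outstanding: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce: str, response: str) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used nonce: replay rejected
        self._outstanding.discard(nonce)  # single use, even if the MAC turns out wrong
        expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def respond(shared_key: bytes, nonce: str) -> str:
    """Client side: prove knowledge of the key without ever sending it."""
    return hmac.new(shared_key, nonce.encode(), hashlib.sha256).hexdigest()


def replay_static_token() -> tuple[bool, bool]:
    """Legitimate pipeline run, then an attacker replaying the captured token."""
    server = StaticTokenServer(STATIC_TOKEN)
    first = server.authenticate(STATIC_TOKEN)
    captured = STATIC_TOKEN  # e.g. lifted from a leaked file or a build log
    replayed = server.authenticate(captured)
    return first, replayed  # both succeed: the leak is a permanent credential


def replay_challenge_response() -> tuple[bool, bool, bool]:
    """Legitimate run, replay of the recorded exchange, and reuse against a new nonce."""
    key = b"constructed-shared-key"  # constructed for the example
    server = ChallengeResponseServer(key)
    nonce = server.challenge()
    resp = respond(key, nonce)
    first = server.authenticate(nonce, resp)
    replayed = server.authenticate(nonce, resp)  # same pair again: nonce consumed
    fresh = server.challenge()
    cross = server.authenticate(fresh, resp)  # old response against a new nonce
    return first, replayed, cross  # only the first succeeds


if __name__ == "__main__":
    print("static token:        first=%s replay=%s" % replay_static_token())
    print("challenge/response:  first=%s replay=%s cross=%s" % replay_challenge_response())
```

The caveat is that this only removes the replay property: the client still holds a shared key on disk, so a leak of that file is as bad as a leaked token. Closing that gap needs the key to live somewhere the pipeline cannot read out, such as a hardware token or a short-lived credential minted per job.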