
Insufficient Credential Hygiene

CI/CD pipelines often rely on credentials such as API keys, SSH keys, cloud tokens, or service account secrets to fetch dependencies, deploy artifacts, or interact with external services. Insufficient credential hygiene arises when these secrets are hard-coded in configuration files, stored in plaintext, over-privileged, or left unrotated. An adversary who gains access to the pipeline environment (e.g., via logs, cache, or a compromised job) can extract these credentials and pivot into sensitive systems, leading to source code theft, supply chain attacks, or full infrastructure compromise.

Remediation

  • Store credentials in a secure secret management system (e.g., HashiCorp Vault, AWS Secrets Manager, Kubernetes Secrets) instead of embedding them in pipeline code or environment variables.
  • Apply least privilege to all credentials: scope each key or token only to the actions required by that pipeline stage.
  • Rotate credentials regularly and revoke them immediately if exposure is suspected.
  • Avoid logging or exposing secrets; enable secret masking features in CI/CD platforms to prevent leaks in logs.
  • Use ephemeral credentials (short-lived tokens or OIDC-based workload identity) instead of long-lived static keys.
  • Monitor for unused, stale, or over-privileged credentials in pipeline environments.
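The following is an added example, not SecDim's own code, showing two of the checks above in practice: a small scanner that flags credentials stored as literals in a pipeline step (a constructed weak step beside a hardened one that references the platform secret store), and a log masker that redacts the values it found. The `${{ secrets.NAME }}` syntax and the 20-character `AKIA…` access key ID shape are assumed as illustrative conventions; all sample values are constructed.

```python
import re

# Constructed sample pipeline fragments (not from any real project or platform docs).
WEAK_STEP = """deploy:
  env:
    AWS_ACCESS_KEY_ID: AKIAEXAMPLEKEY000000
    AWS_SECRET_ACCESS_KEY: example/secret+value/ThatShouldNotBeHere
    DB_PASSWORD: hunter2
  script: aws s3 cp build/ s3://releases/
"""
# Hardened: the step references the platform secret store / an OIDC role, not literals.
HARDENED_STEP = """deploy:
  env:
    AWS_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
    DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
  script: aws s3 cp build/ s3://releases/
"""

# "key: value" lines whose key name suggests a credential.
SENSITIVE_KEY = re.compile(r"^\s*(\w*(?:PASSWORD|SECRET|TOKEN|KEY)\w*)\s*:\s*(.+?)\s*$", re.I)
# Values that are references (secret-store lookup or injected variable), not literals.
STORE_REF = re.compile(r"^(?:\$\{\{\s*secrets\.\w+\s*\}\}|\$\w+|\$\{\w+\})$")
# AWS access key IDs have a fixed 20-character shape, so flag them wherever they appear.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def find_hardcoded_secrets(config_text):
    """Return (line_no, key, reason, value) for each credential stored as a literal."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        m = SENSITIVE_KEY.match(line)
        if not m:
            hit = AWS_KEY_ID.search(line)  # key ID buried in a script line, for example
            if hit:
                findings.append((n, None, "aws-access-key-id", hit.group()))
            continue
        key, value = m.group(1), m.group(2)
        if STORE_REF.match(value):
            continue  # reference to a secret store or injected variable: acceptable
        reason = "aws-access-key-id" if AWS_KEY_ID.fullmatch(value) else "literal-value"
        findings.append((n, key, reason, value))
    return findings

def mask_log_line(line, secret_values):
    """Secret masking: redact every known secret value, longest first."""
    for value in sorted((v for v in secret_values if v), key=len, reverse=True):
        line = line.replace(value, "***")
    return line

if __name__ == "__main__":
    hits = find_hardcoded_secrets(WEAK_STEP)
    for n, key, reason, _ in hits:
        print(f"line {n}: {key}: {reason}")
    print(mask_log_line("deploy used AKIAEXAMPLEKEY000000 with password hunter2", [h[3] for h in hits]))
```

Run against the weak step the scanner reports three literal credentials and the hardened step reports none; the masker turns the sample log line into `deploy used *** with password ***`.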

Metadata

  • Severity: medium
  • Slug: insufficient-credential-hygiene

CWEs

  • 497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • 200: Exposure of Sensitive Information to an Unauthorized Actor

OWASP

  • CICD-SEC-6: Insufficient Credential Hygiene
  • LLM02:2025: Sensitive Information Disclosure
  • A03:2017: Sensitive Data Exposure
