Software Development

Best practices for securing Secrets like API keys in a public GitHub CI CD pipeline?

JA Asked by Jason Bennett · 12-01-2025
0 upvotes 9,557 views 0 comments
The question

I am setting up a CI/CD pipeline for a public open-source project on GitHub, and I need to use sensitive API keys for our integration tests. I am terrified of accidentally committing these credentials to the repository or having them exposed in the build logs. What is the most secure way to manage secrets in GitHub Actions or similar tools? I've heard about "Environment Secrets," but are they enough to prevent a contributor from maliciousy printing them out during a Pull Request?

 

3 answers

0
ME
Answered on 14-01-2025

For public repositories, you must use GitHub "Actions Secrets" combined with "Environments." Environments allow you to require manual approval from a maintainer before any secrets are injected into a workflow triggered by a Pull Request from a fork. This prevents a random contributor from adding echo $SECRET to a script and stealing your keys. Additionally, GitHub automatically masks secrets in the logs, replacing them with asterisks. However, for maximum security, consider using a dynamic secret provider like HashiCorp Vault or AWS Secrets Manager to generate short-lived credentials. 

0
BR
Answered on 16-01-2025

Have you looked into using "OpenID Connect" (OIDC) so that you don't have to store long-lived cloud credentials in GitHub at all? 

WI 17-01-2025

Brian, OIDC is a game changer. Instead of storing an AWS_SECRET_ACCESS_KEY, GitHub can request a short-lived token directly from AWS using a trusted relationship. This means even if your GitHub account was somehow compromised, there are no static passwords to steal. It significantly reduces the "blast radius" of a potential security breach. I highly recommend checking out the official GitHub documentation on configuring OIDC with cloud providers.

0
KA
Answered on 20-01-2025

Always use .gitignore for local testing and never, ever hardcode keys. Use Environment variables locally and Secrets in the cloud. Simple but effective. 

JA 21-01-2025

Great advice, Karen. I'd also add that using a tool like "trufflehog" in your pipeline can scan your commits to make sure no one accidentally bypassed the .gitignore file.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session