Automation Task: Secure Secrets Handling in Pipelines¶
Description¶
Proper techniques to manage secrets in CI/CD pipelines without exposing credentials.
Strategies¶
- Store secrets in GitLab CI/CD Variables (masked + protected)
- Use external secrets manager (e.g., HashiCorp Vault)
- Never commit `.env` or other secret files
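As an added example, not code from the original page, here is a small pre-commit style check that enforces the "never commit `.env` or secret files" rule: it refuses staged files whose names mark them as secret material and greps the remaining files for a few credential shapes. The file-name list and the content patterns are illustrative assumptions (`glpat-` is GitLab's personal access token prefix, `AKIA` the AWS access key ID prefix); a dedicated scanner such as gitleaks covers far more patterns, this shows only the mechanism. The demo input files are constructed and contain no real credentials.

```shell
#!/usr/bin/env bash
# Added example: block commits of secret files / secret-looking content.
# Patterns below are assumptions for illustration, not an exhaustive list.
set -u

# File names that should never be committed (matched on the basename).
is_secret_path() {
  case "$(basename "$1")" in
    .env|.env.*|*.pem|*.key|id_rsa|id_ed25519|*.p12|*.pfx) return 0 ;;
  esac
  return 1
}

# Content shapes: GitLab PAT, AWS access key ID, PEM private key header.
has_secret_content() {
  grep -Eq -e 'glpat-[A-Za-z0-9_-]{20,}' \
           -e 'AKIA[0-9A-Z]{16}' \
           -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Check a list of staged files; report each finding on stderr,
# return 1 if anything must be blocked, 0 otherwise.
check_staged() {
  local rc=0 f
  for f in "$@"; do
    [ -f "$f" ] || continue
    if is_secret_path "$f"; then
      echo "BLOCK: secret file must not be committed: $f" >&2
      rc=1
    elif has_secret_content "$f"; then
      echo "BLOCK: secret-looking content in: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Demo on constructed files (fake values, no real credentials).
demo() {
  local d rc
  d=$(mktemp -d)
  printf 'DB_PASSWORD=hunter2\n' > "$d/.env"
  printf 'token = "glpat-xxxxxxxxxxxxxxxxxxxx"\n' > "$d/config.py"
  printf 'print("hello")\n' > "$d/app.py"
  if check_staged "$d/.env" "$d/config.py" "$d/app.py"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc   # 1: .env and config.py are both blocked
}

# Installed as .git/hooks/pre-commit, the call would be:
#   git diff --cached --name-only --diff-filter=ACM | xargs check_staged
```

Run the file directly and call `demo` to see the two findings; in a real hook, wire `check_staged` to the staged file list as shown in the last comment so the commit is rejected on a non-zero exit.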
GitLab CI Example¶
```yaml
deploy:
  script:
    # Keep the file private and short-lived if a tool really needs the token on disk
    - umask 077 && echo "$SECRET_TOKEN" > token.txt
  after_script:
    - rm -f token.txt   # never leave the secret in the workspace, cache or artifacts
  rules:
    # `protected` is not an `only:` keyword (it would be treated as a branch name);
    # gate on the predefined variable instead
    - if: $CI_COMMIT_REF_PROTECTED == "true"
```
Tips¶
- Mark production secrets as `protected` so they are only exposed to pipelines on protected branches and tags
- Masking only hides the value in job logs; anyone who can run a job that receives the variable can still read it, so restrict who can push to protected refs
- Rotate secrets regularly, and immediately after any suspected exposure
- Restrict variable visibility to the branches, tags or environment scopes that need them
Tools & Practices¶
- GitLab CI/CD Variables, dotenv-linter, `gitleaks`, HashiCorp Vault, Mozilla SOPS