What Is Secrets Management? Keeping Credentials Out of Code
Secrets management is the discipline of storing credentials securely, handing them to the right process at the right time, and never letting them leak into code or logs.
Every pipeline needs secrets: a token to push an image, a key to deploy, a password to run integration tests. Secrets management is the set of practices and tools that keep those values out of source control, encrypted at rest, scoped to who needs them, and auditable. Done well, it is invisible. Done badly, it is how breaches start.
What counts as a secret
- API keys and access tokens for third-party services.
- Cloud credentials and signing keys.
- Database passwords and connection strings.
- Private keys, certificates, and webhook signing secrets.
The core principles
Good secrets management rests on a few ideas: store secrets encrypted and outside the repo, grant access on a need-to-know basis, rotate values regularly, and audit who read what and when. Secrets should be injected at runtime, never committed.
How CI consumes secrets
Most CI systems offer an encrypted store (GitHub Actions secrets, GitLab CI variables) that injects values as environment variables or files at job start. The platform masks them in logs so they do not print accidentally. The job uses the secret, then the environment is destroyed.
Common mistakes
The classic failures are hardcoding a key in a config file, echoing a secret to the logs, passing it as a command-line argument visible in ps, or granting a token far more scope than the job needs. Each one widens the blast radius if something goes wrong.
Reducing the need for stored secrets
The strongest move is to store fewer long-lived secrets at all. Short-lived tokens minted per job via OIDC remove the standing credential entirely, so there is nothing durable to leak.
Secrets and the runner
A secret is only as safe as the machine that handles it. On a shared, long-lived runner, a leaked or lingering secret can be read by the next job. Isolated, ephemeral runners (such as Latchkey managed runners) destroy the environment after every job, so secrets never outlive the work that needed them.
Key takeaways
- Secrets management keeps credentials encrypted, scoped, rotated, and out of code.
- CI injects secrets at runtime and masks them in logs, then tears the environment down.
- Short-lived tokens and ephemeral runners shrink how long any secret can be abused.