In the modern software development environment, automation via CI/CD pipelines has become standard. But with increasing speed comes increased risk, especially regarding the security of API keys and other sensitive secrets .
In this article, we’ll look at how credential leaks occur in DevOps pipelines and best practices for protecting against them , with real-world examples and practical advice.
What is an API Key Leak in CI/CD?
An API key leak occurs when a sensitive credential is accidentally exposed in an insecure context: logs, configuration files, commits, or build artifacts.
In the context of CI/CD (Continuous Integration / Continuous Deployment), these leaks are often the result of misconfigured pipelines , where environment variables or files containing secrets are not handled correctly.
Common Causes of API Key Leaks
1. Environment Variables Printed in Logs
A common mistake is to directly print variables to pipeline logs:
- name: Stampare variabile (NON SICURO)
run: echo "API_KEY=${{ secrets.API_KEY }}"These logs may be publicly accessible or retained for too long, becoming a risk.
2. Accidental Commits of Sensitive Files
Many leaks occur because of commits containing:
.envconfig.jssecrets.yaml
Even with .gitignore, human errors or git add -fcan force the addition of dangerous files.
3. Contaminated Artifacts and Builds
Generated files (e.g. .zip, .tar.gz, Docker containers) may contain:
Embedded token
Incorrect configurations
Logs with exposed secrets
An attacker who downloads these files can easily extract the keys.
4. Access Tokens with Excessive Permissions
It’s common to generate tokens with administrative permissions used in pipelines for convenience. But if that token is compromised, an attacker can:
Edit the code
Access cloud systems
Create additional backdoors
How to Protect Secrets in CI/CD
1. Masking Variables in Logs
Systems like GitHub Actions or GitLab CI allow you to mark secrets as “masked” to prevent them from being printed in logs.
2. Using External Secret Managers
Examples:
GitHub Actions Secrets
AWS Secrets Manager
Doppler
Azure Key Vault
- HashiCorp Vault
Avoid saving secrets directly in the repository or in clear text in .yaml.
3. Automatically Scan for Secrets in the Code
Recommended tools:
Integrate these tools directly into your CI flow to scan every push.
4. Regular Rotation of Secrets
Establish policies to rotate keys periodically , as part of the security cycle.
5. Set Permissions
Apply the principle of least privilege :
A secret for every purpose
Limited scopes
No unnecessary permissions
Real-World Case Study: Cryptocurrency Mining on the AWS Cloud
In 2024, an AWS key was exposed in a GitHub Actions log. In less than 12 hours, an automated bot used the key to launch EC2 instances and mine cryptocurrency, generating over €300 in cloud spending .
These attacks are often automated: bots monitor public platforms like GitHub in real time for exposed secrets.
Final Checklist: CI/CD Security
Never print secrets in logs
Use secret management tools
Scan every commit for exposed secrets
Restrict token permissions
Rotate secrets periodically
Clean up artifacts and public builds
Conclusion
Secret leaks through CI/CD are among the most insidious vulnerabilities because they don’t stem from a bug in the code , but from poor operational practices. Investing in pipeline security is essential to protecting modern applications.
