CI/CD Security Best Practices [Cheat Sheet]

In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response.

Secrets Detection: A Fast-Track Guide

Secrets detection is the process of identifying and managing sensitive information like API keys, passwords, and tokens within codebases to prevent unauthorized access and data breaches.

6 minutes read

What is secrets detection?

Secrets detection is the process of identifying and managing sensitive information like API keys, passwords, and tokens within codebases to prevent unauthorized access and data breaches. 

Every time a developer pushes code to GitHub or GitLab, there's a lurking danger: hard-coded secrets. Whether it's an API key, a password, or an access token, these hidden vulnerabilities can slip into repositories, leaving you exposed. It's not just in the code; secrets can hide in configuration files or even within cloud environments like AWS, Azure, or GCP. One accidental commit, and you're handing over the keys to your kingdom.

As developers, we're dealing with sensitive information every day, and with cloud-native apps running the show, the margin for error has shrunk. The question isn't whether secrets will end up in your codebase but how quickly you'll detect them before they're exploited.

In this article, we'll walk you through the most common types of secrets that can slip through the cracks, the risks you're taking by ignoring them, and how the right detection tools can save you from a catastrophic breach. We'll also show you how to weave secrets detection into every workflow phase—from initial development to deployment—so you can focus on building software without leaving your security to chance.

Secret types and associated risks

We often deal with a variety of secrets in our day-to-day development work. Here's a breakdown of the most common types, which can be used as a checklist for scanning:

  • API keys: To access third-party services, you need API keys. If exposed, they could allow unauthorized users to interact with external services, potentially leading to privilege escalation or data loss.

  • Database credentials: The backbone of any secure system, database credentials can lead to data theft or even system-wide breaches if compromised.

  • Encryption keys: If encryption keys are exposed, the privacy and integrity of encrypted data could be compromised, allowing attackers to decrypt and steal data.

  • Access tokens: Because these are used to authenticate users and services, exposed tokens may enable attackers to pose as valid users, granting them unauthorized access.

  • Passwords: Hard-coded passwords in code or config files are common but disastrous, exposing entire systems to external threats. Remember: Even automated system passwords must be secured.

Exposing secrets in our codebases can lead to severe repercussions, ranging from data breaches to financial losses and reputational damage. The cost of incident response, combined with potential legal penalties, can devastate an organization. In addition to the direct financial consequences, leaked credentials can undermine customer trust and damage long-term brand loyalty.

Some notable incidents highlight the consequences of exposing secrets:

  • Uber data breach (2016): Uber suffered a breach when attackers accessed one of its private repositories on GitHub, ultimately finding AWS credentials that allowed them to steal data on 57 million riders and drivers. The company faced significant fines due to their failure to disclose the breach promptly and for paying a ransom to conceal it.

  • Toyota GitHub leak (2022): Toyota accidentally exposed a secret key publicly on GitHub for five years, which could have allowed unauthorized access to critical services like remote engine starting. This incident is a cautionary tale of how long-term exposure can go unnoticed, leading to significant vulnerabilities.

How secrets detection tools work

The process of secrets scanning typically begins with an initial scan of codebases. This scan identifies existing hard-coded secrets and other sensitive information. After the initial scan, continuous scanning (especially within CI/CD pipelines) is critical for catching new secrets before they make it to production.

Secrets detection tools leverage a combination of pattern matching, regular expressions, and machine learning to detect potential secrets within codebases. Pattern matching allows these tools to identify common secrets formats like API keys or access tokens based on predefined patterns. However, advanced tools also employ machine learning to catch potential secrets that don't conform to standard patterns—offering greater accuracy in detecting secrets leaks with minimum false positives.

Alerting and reporting are crucial components of any detection tool. Real-time alerts help you respond to potential issues as they arise, providing actionable insights for remediation. Without practical steps for mitigation, secrets detection becomes just another noisy tool.

Integrating secrets detection into a broader security strategy

Now that we've covered the essentials of secrets detection, let's explore how you can incorporate these practices into a comprehensive security strategy, ensuring that your code, configurations, and cloud services stay secure at every stage of development and deployment.

Development phase: Source code repositories

During development, secrets are often hardcoded into the project’s Git repository. Tools like pre-commit hooks can scan repositories like GitHub or GitLab, identifying secrets in code before they make it into version control. By integrating scanning at this stage, you can prevent both public and private repositories from becoming a source of vulnerabilities.

Figure 1: Secrets detection as part of pre-commit hook (Source: OWASP)

Deployment phase

In the deployment phase, leaving sensitive information in configuration files is a common threat vector. That’s why secrets detection tools should be configured to scan both files and environment variables to ensure no secrets are exposed during this stage.

CI/CD pipelines are another critical area where secrets are often leaked. Best practices like using secrets management tools and securely handling environment variables can prevent leaks during automated builds and deployments.

Figure 2: Secrets management in Jenkins with Azure Key Vault (Source: Jenkins)

Post-deployment: Cloud environments

Once deployed, secrets must be carefully managed within cloud environments (AWS, Azure, GCP, etc.). Scanning tools should continuously monitor cloud infrastructure, detecting exposed secrets and ensuring proper access control. Tools like Wiz excel at securing secrets across cloud environments. For example, the Wiz platform can detect misconfigurations in cloud infrastructure and prevent secrets from being exposed before they lead to security incidents.

A holistic approach to security

Secrets detection is a critical piece of a larger security puzzle. By integrating secrets detection tools into a broader security strategy, we can reduce the risk of lateral movement within compromised systems. Combining secrets detection with other security tools like cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM) ensures that secrets are protected throughout the entire development lifecycle.

Top secrets detection tools

In this section, we'll explore the top tools available for secrets detection, highlighting their key features and how they fit into different development workflows so you can choose the best solution for your project's security needs.

Wiz

Wiz is an all-in-one cloud security platform designed to protect not just secrets but also to detect misconfigurations and potential vulnerabilities within cloud environments.

Wiz’s secrets detection capabilities span the entire software development lifecycle, ensuring that sensitive information, like API keys, passwords, and tokens, is not exposed at any stage — from the initial code commit to the cloud deployment. 

By leveraging Wiz Code and Wiz Cloud, Wiz ensures comprehensive protection of secrets across your entire environment. It offers deep integration across cloud infrastructures, making it ideal for enterprises looking for an end-to-end security solution.

Key features

  • Code Scanning: Wiz Code scans source code repositories and CI/CD pipelines to detect hardcoded secrets, such as API keys, passwords, and access tokens, before they reach production environments.

  • Cloud Environment Scanning: The platform also scans cloud resources, including virtual machines, containers, and serverless functions, to identify secrets that may have been inadvertently deployed.

  • Data Storage Scanning: Wiz extends its secret detection capabilities to various data storage locations, including cloud storage buckets and databases.

  • Security Graph Integration: Detected secrets are incorporated into Wiz's Security Graph, allowing for context-aware risk assessment and attack path analysis.

  • Code-to-Cloud Mapping: Wiz correlates secrets found in code with those detected in cloud environments, providing a complete picture of secret exposure throughout the development lifecycle.

GitGuardian

GitGuardian specializes in detecting secrets within code repositories, both public and private. Its core focus is helping developers and enterprises prevent secrets from leaking into places like GitHub, where they could be exploited by attackers.

Key features

  • Automatic scanning of public and private repositories

  • Detailed reporting and alerting mechanisms

  • Integration with CI/CD pipelines and developer tools

  • Enterprise-grade management dashboards for team-based collaboration

Spectral

Spectral is an AI-powered secrets detection tool that integrates directly into DevOps pipelines. Its primary focus is developer-first security, ensuring that secrets are caught before they are committed to the codebase.

Key features

  • AI-powered detection for enhanced pattern recognition

  • Seamless integration with CI/CD pipelines

  • Fast scans with low overhead, designed for developer productivity

  • Comprehensive support for multiple programming languages and environments

Gitleaks

Gitleaks is an open-source tool designed to scan Git repositories for hard-coded secrets. It's lightweight, simple to use, and ideal for smaller teams or individual developers looking for a basic but effective detection tool.

Key features

  • Scans local and remote Git repositories for secrets

  • Configurable with custom rules for detecting custom secrets

  • Easy setup and minimal system requirements

  • Support for scanning private repositories

Conclusion

In today's cloud-native world, protecting secrets is no longer optional—it's a critical element of modern cybersecurity. From API keys to access tokens, secrets detection should be a part of every developer's workflow. It’s essential to integrate secrets detection tools into a broader security strategy, ensuring they work hand-in-hand with other security measures like CSPM and CIEM.

If you're looking for a comprehensive solution that prioritizes your secrets detection needs, Wiz offers an advanced platform that integrates seamlessly into your existing infrastructure. Explore a demo of Wiz today and see how easy it is to protect your sensitive information and secure your cloud environments!

Fix and Find Exposed Secrets

Learn why CISOs at the fastest growing companies rely on Wiz to prevent risks from reaching production.

Get a demo 

Continue reading

CSPM in AWS

Wiz Experts Team

In this article, we’ll discuss typical cloud security pitfalls and how AWS uses CSPM solutions to tackle these complexities and challenges, from real-time compliance tracking to detailed risk assessment.

What is Data Flow Mapping?

In this article, we’ll take a closer look at everything you need to know about data flow mapping: its huge benefits, how to create one, and best practices, and we’ll also provide sample templates using real-life examples.

What are Data Security Controls?

Wiz Experts Team

Data security controls are security policies, technologies, and procedures that protect data from unauthorized access, alteration, or loss

Securing Cloud IDEs

Cloud IDEs allow developers to work within a web browser, giving them access to real-time collaboration, seamless version control, and tight integration with other cloud-based apps such as code security or AI code generation assistants.