neart.ai
EcosystemStoryHow We BuildPricingBlog
Try Inspected →
neart.ai
EcosystemStoryHow We BuildBlog

Ní neart go cur le chéile

A SaltCore Group Limited company

© 2026 neart.ai · SaltCore Group Limited. All rights reserved.

Software Quality

How Do You Keep Secrets and Dependencies Secure in a CI Pipeline?

29 November 20254 min read

You keep a CI pipeline secure by treating it as the high-value target it is: **inject secrets at runtime from a managed store rather than committing them, give every job the least privilege it needs, and scan both your dependencies and your pipeline configuration for known risks on every run.** A CI system holds the keys to your production environment and pulls in everyone else's code, which makes it one of the most attacked parts of a modern software stack.


## Why CI Is a Prime Target


Think about what a pipeline can do: it has credentials to deploy to production, push images to registries, and read your source code. It also executes third-party code — your dependencies, your build plugins, the actions and steps you pulled from public marketplaces. Compromise the pipeline and an attacker inherits all of that. Security here is not optional polish; it is protecting the most privileged automation you run.


## Handle Secrets Properly


The cardinal rule: **secrets never live in the repository.** Not in code, not in config files, not in commit history. Instead:


- **Store secrets in a managed secret store** — your CI platform's encrypted secrets, or a dedicated vault — and inject them as environment variables at runtime.

- **Prefer short-lived, scoped credentials.** Use OIDC-based federated identity so the pipeline exchanges a short-lived token for cloud access, with no long-lived key to leak.

- **Scope each secret narrowly.** A deploy key for staging should not be able to touch production.

- **Mask secrets in logs**, and assume anything printed to logs is compromised.

- **Rotate regularly**, and rotate *immediately* if exposure is suspected.


And run a **secret scanner** over your repository and commit history — credentials get committed by accident constantly, and catching them automatically before they merge is far cheaper than rotating leaked keys later.


## Apply Least Privilege Everywhere


A pipeline job should have exactly the permissions it needs and no more:


1. **Scope pipeline tokens tightly.** Many CI defaults grant broad write access; restrict to read-only unless a job genuinely needs to write.

2. **Separate environments.** The job that runs tests on a pull request should not hold production deploy credentials. Gate privileged jobs behind protected branches or manual approval.

3. **Be careful with untrusted input.** Pull requests from forks must not run with access to your secrets, or an attacker can open a PR that exfiltrates them.


## Secure the Software Supply Chain


Most of the code you ship you did not write — it comes from dependencies. Defend that supply chain:


- **Scan dependencies for known vulnerabilities** on every build, and fail or alert on serious ones. Automated dependency-update tooling helps you stay current.

- **Pin versions precisely** with a lockfile so a build is reproducible and a dependency cannot silently change under you. Pin third-party CI actions to a specific commit, not a mutable tag.

- **Generate a software bill of materials (SBOM)** so you know exactly what is in a release when the next widely exploited vulnerability is announced.

- **Verify integrity.** Check checksums or signatures on what you download, so a compromised mirror cannot swap in malicious artefacts.


## Scan Code and Configuration, Not Just Dependencies


Bring security checks into the same pipeline that runs your tests:


- **Static analysis (SAST)** flags risky code patterns before they merge.

- **Infrastructure-as-code scanning** catches misconfigured cloud resources — a public storage bucket — before they are provisioned.

- **Pipeline-config review.** The pipeline definition is code too; a malicious change to it is as dangerous as a malicious change to the application. Require review on pipeline changes.


Fail the build on high-severity findings, and triage the rest rather than letting them pile into noise everyone ignores.


## Build a Sane Policy, Not an Alarm Factory


The failure mode of security scanning is alert fatigue — so many warnings that real ones are missed. Avoid it by setting severity thresholds that block, routing lower findings to a backlog with owners, and tuning out false positives deliberately. A scanner everyone ignores protects nothing. At neart.ai we treat pipeline security as core to building enterprise-grade products, because the integrity of what you ship depends entirely on the integrity of the system that ships it.


## Practical Takeaway


Never commit secrets — inject them at runtime from a managed store, prefer short-lived OIDC credentials, and scope every token to least privilege. Scan dependencies, code, and pipeline configuration on every run, pin versions and third-party actions precisely, and set severity thresholds so real findings block while noise is triaged rather than ignored.

Related posts

Software Quality

How Do You Ship Software Without Regressions?

Software Quality

What Is End-to-End Testing, and When Should You Use It?

Software Quality

What Does WCAG 2.2 Mean for Your Testing Strategy?