Subscribe to the Non-Human & AI Identity Journal

What should organisations do when a secret is found in a pipeline?

They should invalidate the credential, review the pipeline account that used it, and check for other copies in logs, artifacts, and environment variables before the old value can be reused. If the secret still works anywhere, the exposure is still active.

Why This Matters for Security Teams

A secret found in a pipeline is not just a hygiene issue. It is evidence that a credential has escaped its intended control boundary and may already be usable across build systems, artifact stores, logs, and downstream environments. Current guidance from the OWASP Non-Human Identity Top 10 treats exposed non-human credentials as an access problem, not a code-quality problem. That distinction matters because the blast radius often extends beyond the one pipeline that revealed it.

NHI Management Group’s Ultimate Guide to NHIs notes that 91.6% of secrets remain valid five days after the target organisation is notified, which shows how often exposure remains active long after discovery. In practice, many security teams encounter secret reuse only after the leaked value has already been copied into another job, branch, or integration, rather than through intentional review.

How It Works in Practice

The first response should be containment. Invalidate the credential immediately, then trace where the pipeline account used it and what the secret could reach. That includes build logs, CI variables, artifact metadata, container layers, test output, deployment manifests, and any external service that may have accepted the secret before revocation. If the credential belonged to a service account, API key, or token tied to a workload, review the identity behind it as well as the secret value itself.

This is where NHI governance and pipeline security overlap. The NHI lifecycle is not complete until discovery, revocation, and replacement are all handled together. The Ultimate Guide to NHIs — Static vs Dynamic Secrets is useful here because static secret tend to persist in multiple places, while dynamic secret reduce the chance that one leak becomes long-lived access. For implementation detail, the OWASP guidance lines up with common remediation steps: rotate, revoke, scope down, and verify no surviving copies remain.

  • Revoke the secret at the source before assuming the pipeline leak is over.
  • Review the pipeline identity, not just the secret string, to see what actions were possible.
  • Search logs, artifacts, environment variables, caches, and IaC state for copies.
  • Replace the secret and confirm the old value fails everywhere before closing the incident.

If the pipeline used a token for a third-party service, check whether that service supports immediate revocation, audit logging, and replay detection. Case studies such as the CI/CD pipeline exploitation case study and the Guide to the Secret Sprawl Challenge show why sprawl makes a single discovery turn into a multi-system incident. These controls tend to break down when secrets are embedded in immutable images or cached job outputs because revocation stops future use but not previously distributed copies.

Common Variations and Edge Cases

Tighter secret handling often increases operational friction, requiring organisations to balance rapid revocation against pipeline uptime and developer experience. That tradeoff becomes visible when a build depends on long-lived credentials that are difficult to replace without breaking releases. Current guidance suggests moving toward short-lived credentials and automated issuance, but there is no universal standard for every toolchain yet.

Edge cases also matter. A secret found in a pull request comment is different from one found in a container image, because the latter may already be published and reused across environments. A secret in a shared runner can indicate broader exposure than a secret in a single job, especially if the runner has access to caches or release permissions. The same applies when the leaked value is a low-privilege token: it still needs revocation, because attackers often chain weak access into broader compromise. NHI Management Group’s 52 NHI Breaches Analysis and the Reviewdog GitHub Action supply chain attack both illustrate how quickly pipeline exposure can spread once a secret reaches logs or automation artifacts.

For that reason, teams should treat remediation as both a credential event and an investigation into secret propagation. Where possible, adopt secret scanning gates, ephemeral credentials, and least-privilege service accounts so future exposures are shorter-lived and easier to contain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Secret exposure demands immediate revocation and rotation control.
NIST CSF 2.0 PR.AC-4 Pipeline secrets are access credentials that must be limited and reviewed.
NIST AI RMF Secret exposure in automated workflows is a lifecycle risk needing governance.

Establish incident handling and accountability for leaked machine credentials across the AI and CI lifecycle.