Subscribe to the Non-Human & AI Identity Journal

Why do GitHub Actions and GitLab CI/CD create different secrets risks?

GitHub Actions tends to fragment secrets across many repositories and environments, while GitLab CI/CD can cascade values through inheritance in ways that are harder to reason about. The risk profile changes because one model multiplies copies and the other multiplies precedence rules. Both require disciplined lifecycle control.

Why This Matters for Security Teams

CI/CD secrets risks are not uniform across platforms. GitHub Actions and GitLab CI/CD both expose credentials to automation, but they do it through different control planes, inheritance models, and execution boundaries. That means the same secret can become a replication problem in one system and a precedence problem in the other. Security teams that treat both as interchangeable often miss where the real exposure occurs.

The practical issue is not just leakage, but lifecycle control. In GitHub-style workflows, secrets can be duplicated across repositories, environments, and reusable actions. In GitLab-style pipelines, inherited variables can flow through parent-child configurations and override paths that are difficult to reason about during review. Current guidance from the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0 points to least privilege, inventory, and continuous review, but the implementation details differ materially by platform.

NHIMG’s analysis of secrets sprawl shows why this matters operationally: in 2025, GitGuardian found 4.6% of public GitHub repositories contained at least one hardcoded secret, which reflects how fast credential exposure scales once automation starts copying values across workflows.

In practice, many security teams discover the blast radius only after a build token or cloud credential has already been reused in places no reviewer expected.

How It Works in Practice

GitHub Actions usually creates risk through distribution. Secrets are commonly scoped at the repository, organization, or environment level, then pulled into jobs at runtime. That model is straightforward until teams start reusing workflows, cloning templates, or granting broad environment access. The more places a secret is defined, the harder it becomes to know which workflow can actually read it.

GitLab CI/CD tends to create risk through inheritance and precedence. Variables can be defined at the instance, group, project, pipeline, job, and environment levels, and later definitions can override earlier ones. That flexibility is powerful, but it can also hide the effective value a job will receive. Reviewers may approve a YAML file without seeing that a parent group variable or masked pipeline variable changes the final secret presented to the runner.

  • Inventory every secret source, including inherited variables and environment-scoped values.
  • Prefer short-lived credentials over static secrets wherever the platform and target system allow it.
  • Restrict reusable workflows and shared templates to known trust boundaries.
  • Track which runner class can access each secret, not just which repo can reference it.
  • Automate revocation when a pipeline credential is rotated or suspected exposed.

For implementation patterns, NHIMG recommends pairing platform controls with workload identity and dynamic secret issuance, as described in the Ultimate Guide to NHIs — Static vs Dynamic Secrets and the CI/CD pipeline exploitation case study. That means using ephemeral, task-bound credentials where possible, then binding issuance to the runner identity and job context rather than storing long-lived tokens in project settings.

These controls tend to break down when organisations rely on shared self-hosted runners with broad network reach because the runner becomes the concentration point for both secret retrieval and lateral movement.

Common Variations and Edge Cases

Tighter CI/CD secret controls often increase pipeline friction, requiring organisations to balance deployment speed against reduced credential exposure. That tradeoff is real, especially where release engineering teams rely on nested templates, cross-project triggers, or monorepo builds.

GitHub Actions becomes especially risky when organizations assume environment protection equals secret protection. A protected environment may still be reachable by many workflows, and secret reuse across repositories can make rotation look complete while leaving stale copies behind. GitLab CI/CD, by contrast, can become brittle when variable precedence is poorly documented. A masked variable in one layer does not guarantee the final job sees that value if another layer overrides it.

There is no universal standard for this yet, but current guidance suggests treating CI/CD secrets as workload identities, not as convenience strings. That approach aligns with the 52 NHI Breaches Analysis and the Reviewdog GitHub Action supply chain attack, both of which show how quickly automation can amplify a single exposed credential into a broader compromise.

The hardest edge case is cross-platform parity: a control that works in GitHub, such as environment-based approvals, may not map cleanly to GitLab’s inheritance model. Teams should validate the effective secret path in each pipeline rather than assume policy names mean the same thing across platforms.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Secret rotation and lifecycle control are central to CI/CD pipeline risk.
NIST CSF 2.0 PR.AC-4 Least privilege access is needed to limit which jobs can retrieve secrets.
NIST CSF 2.0 ID.AM-1 Inventory is required to track distributed and inherited CI/CD secrets.

Maintain a complete inventory of secret sources, scopes, and consumers across pipelines.