Rotation fails when the platform reads secrets before the change takes effect or when overlapping scopes keep old values alive. That is common in queue-time resolution models and in systems with duplicated contexts or variable collisions. Teams should test rotation at the exact point secrets are resolved, not assume that updating a value will affect every active run.
Why This Matters for Security Teams
Secret rotation in CI/CD is not just a hygiene task. It is a timing problem, a scope problem, and often a pipeline design problem. If a runner resolves a secret before the rotation event, the old value can remain usable for the duration of the job, even after the source system has been updated. If duplicate variables, cached environment snapshots, or overlapping contexts exist, rotation may appear successful while stale credentials still work.
This is why NHI Management Group treats rotation as a control that must be validated at the point of consumption, not only at the point of storage. The issue is especially visible in build systems, release automation, and ephemeral runners where secrets are injected late or copied into multiple layers. The OWASP Non-Human Identity Top 10 and the NHIMG Guide to the Secret Sprawl Challenge both reflect the same operational reality: unmanaged secret sprawl turns a simple update into a distributed revocation problem.
The practical risk is that CI/CD failures are often silent. A pipeline does not need to error for rotation to fail; it only needs to continue reading a value that was already materialised elsewhere. In practice, many security teams discover this only after a leaked token is still active in a supposedly rotated workflow, rather than through intentional validation.
How It Works in Practice
Effective rotation in CI/CD depends on understanding where a secret is resolved, how long it lives, and whether the workload has copied it into memory, logs, caches, or downstream jobs. Best practice is evolving toward short-lived, task-scoped credentials rather than long-lived static values. That means rotation should be paired with just-in-time issuance, rapid expiry, and automated revocation when the job completes.
For build and deployment systems, the operational sequence should be explicit: issue a credential, bind it to a single workflow context, use it once, revoke it, and verify that no downstream step can still read the old value. Where possible, use workload identity and token exchange rather than storing reusable secrets in pipeline variables. Standards and implementation guidance from SPIFFE and RFC 8693 support this model because they shift the control point from static secret distribution to runtime identity and delegated token handling.
- Rotate at the point of resolution, not just in the secret store.
- Separate build-time, test-time, and deploy-time identities so one value is not reused across stages.
- Prefer short TTLs and per-job tokens over shared pipeline variables.
- Revoke old credentials automatically and confirm that runners cannot reuse cached copies.
- Test duplicate contexts, matrix jobs, and fan-out steps for variable collision.
NHIMG’s Guide to NHI Rotation Challenges and CI/CD pipeline exploitation case study show why pipeline design matters as much as secret hygiene. These controls tend to break down in queue-time resolution models with shared runners because the secret is already copied into the execution context before rotation can take effect.
Common Variations and Edge Cases
Tighter rotation often increases pipeline complexity, requiring organisations to balance faster revocation against build reliability and developer throughput. That tradeoff is most visible in environments with parallel jobs, reused containers, or third-party actions that inspect environment variables at startup. Current guidance suggests treating those components as separate trust zones, but there is no universal standard for this yet.
One common edge case is a secret that appears rotated in the source vault while the running job still holds the previous value in memory. Another is duplicated configuration, where the same credential exists in repository variables, org-level variables, and runner-local settings. In those cases, updating one store does not invalidate the others. The NHIMG Ultimate Guide to NHIs explains why static secrets remain fragile in these environments, especially when automated workflows clone or propagate values across stages.
Rotation also fails more often when teams rely on detection instead of revocation. A leaked secret that is still valid after rotation is not really rotated. For that reason, validation should include a negative test: prove the old credential cannot authenticate, cannot exchange for a new token, and cannot be reintroduced by a downstream job. When CI/CD systems use long-lived service account keys, artifact signing keys, or shared release tokens, the guidance breaks down because the same credential must remain valid across multiple runs and no single rotation event can safely invalidate every dependency.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers secret lifecycle and rotation failures in non-human identities. |
| NIST CSF 2.0 | PR.AC-1 | Addresses access control and credential governance for pipeline identities. |
| NIST AI RMF | Useful where automated workflows and AI-assisted pipelines manage secrets dynamically. |
Replace shared CI/CD secrets with short-lived NHI credentials and verify old values fail after rotation.
Related resources from NHI Mgmt Group
- How should security teams reduce secret sprawl in CI/CD and agent workflows?
- What breaks when secret rotation is automated but downstream systems are not ready?
- What do teams get wrong about secret rotation in infrastructure code?
- What is the difference between rotating a secret and revoking access?