
Secrets sprawl in CI/CD pipelines: what should teams fix first?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Secrets concentrate in CI/CD pipelines because they gate production access, scale automation, and spread trust across engineering teams, while GitGuardian reports 23 million more leaked secrets from 2023 to 2024 and 70% of 2022 leaks still active in 2025. The real problem is not storage alone but the assumption that long-lived secrets remain governable once pipelines become the access layer for everything else.

NHIMG editorial — based on content published by Defakto Security: CI/CD Want Control Over Secrets? Start with Your Strategic Control Point: CI/CD

By the numbers:

Questions worth separating out

Q: How should security teams reduce secrets sprawl in CI/CD pipelines?

A: Start by mapping where pipeline credentials are created, copied, and reused, then remove the ones that exist only because the workflow was designed around static secrets.

Q: Why do CI/CD pipelines create such a large secrets risk?

A: CI/CD pipelines sit at the gateway to production, so they naturally hold the credentials needed to deploy, configure, and connect systems.

Q: What do security teams get wrong about secrets managers?

A: They often treat a secrets manager as a complete fix when it is really a containment layer.

Practitioner guidance

  • Inventory pipeline-exposed credentials: Map every API key, password, and token used by CI/CD systems to the exact deployment step, owner, and downstream system it enables.
  • Replace shared secrets with workload identity: Move build and deployment steps to short-lived, attested identities so the pipeline authenticates without copying long-lived credentials into repositories, runners, or environment files.
  • Consolidate pipeline governance centrally: Use the CI/CD platform as a single enforcement point for secret discovery, rotation policy, and access review so multiple engineering teams inherit the same control baseline.
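The first two guidance items above, inventory and replacement with workload identity, can be made concrete with a small script. The following is an added example, not code from the NHIMG post or from Defakto Security: it scans a GitHub Actions workflow line by line, maps every `secrets.*` reference to the job and step that consumes it, and flags which steps still depend on long-lived credentials versus jobs that federate through OIDC (`role-to-assume` with no stored cloud key). The workflow text, job names, secret names and the AWS account id are all constructed for the example; only `secrets.GITHUB_TOKEN` is treated as ephemeral because GitHub mints it per run.

```python
"""Map CI secret references to the job and step that use them.

Added example (not from the NHIMG post or the Defakto article). The workflow
below is constructed: job names, secret names and the account id are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample: one job deploys with static AWS keys copied into repository
# secrets, the other obtains short-lived credentials via OIDC (nothing stored).
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy-legacy:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS (static keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Push image
        run: docker push example.invalid/app:latest
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
  deploy-oidc:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Configure AWS (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy  # placeholder account id
          aws-region: us-east-1
      - name: Comment on PR
        run: gh pr comment --body "deployed"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
JOB_LINE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")   # job id: 2-space indent under `jobs:`
STEP_LINE = re.compile(r"^\s*- name:\s*(.+?)\s*$")
EPHEMERAL = {"GITHUB_TOKEN"}  # minted per run; everything else is assumed long-lived


@dataclass
class SecretUse:
    job: str
    step: str
    secret: str
    long_lived: bool


def inventory(workflow_text):
    """Return (list of SecretUse, set of job ids that use OIDC federation)."""
    uses, oidc_jobs = [], set()
    job = step = None
    in_jobs = False
    for line in workflow_text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs:
            m = JOB_LINE.match(line)
            if m:
                job, step = m.group(1), None
                continue
        m = STEP_LINE.match(line)
        if m:
            step = m.group(1)
        if job and "role-to-assume:" in line:
            oidc_jobs.add(job)
        for name in SECRET_REF.findall(line):
            uses.append(SecretUse(job, step, name, name not in EPHEMERAL))
    return uses, oidc_jobs


def long_lived_by_step(uses):
    """Group long-lived secret names by (job, step) for an owner review."""
    grouped = {}
    for u in uses:
        if u.long_lived:
            grouped.setdefault((u.job, u.step), []).append(u.secret)
    return grouped


if __name__ == "__main__":
    found, oidc = inventory(SAMPLE_WORKFLOW)
    for (job, step), names in long_lived_by_step(found).items():
        tag = "OIDC job" if job in oidc else "static-credential job"
        print(f"{job} / {step}: {', '.join(names)}  [{tag}]")
```

Run against the sample, the report lists the two `deploy-legacy` steps and their three long-lived secrets, while `deploy-oidc` produces no long-lived entries: its only secret reference is the per-run `GITHUB_TOKEN`, and its cloud access comes from `role-to-assume`. The grouped output is the inventory the guidance asks for (secret, step, and a job id to attach an owner to); the `oidc` set shows which jobs have already moved to the identity-first pattern.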

What's in the full article

Defakto Security's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames CI/CD as the practical gateway to production access and where it sees the greatest leverage for change
  • The stepwise rationale for replacing long-lived secrets with identity-first infrastructure in build and deployment workflows
  • The operational trade-offs the vendor associates with secrets managers, including where they help and where they leave exposure in place
  • The culture-change argument for rolling out identity-first controls through central pipeline teams rather than one engineering team at a time

👉 Read Defakto Security's analysis of CI/CD pipelines and secrets sprawl →
