They should test whether untrusted add-ons can directly read credential stores, whether secrets are encrypted at rest, and whether access is mediated by a system vault or equivalent boundary. If a plugin can query keys from a local database, the storage model is not safe enough for live credentials.
Why This Matters for Security Teams
Secret storage is only “safe” when the storage boundary still holds under real developer workflows, including IDE plugins, local agents, build tools, and test harnesses. A database marked encrypted at rest can still be unsafe if an untrusted extension can ask the host process for live keys. That is why current guidance keeps separating storage from access control, as reflected in the OWASP Non-Human Identity Top 10 and NHIMG’s research on secret sprawl. In practice, the weakest point is often not the vault itself but the surrounding developer ecosystem.
NHIMG’s Guide to the Secret Sprawl Challenge shows how fragmented secret handling erodes confidence faster than teams expect, especially when multiple storage systems and ad hoc plugins accumulate around the same project. The question is not whether a secret exists in a protected store, but whether that store can be queried, copied, or surfaced by code the organisation does not fully trust. In practice, many security teams discover this only after a plugin, script, or CI helper has already exposed live credentials.
How It Works in Practice
Judging safety requires testing the entire retrieval path, not just the database or vault configuration. Start with the trust boundary: a safe model keeps secrets behind a service that authenticates the caller, logs access, enforces policy, and returns only what the caller is allowed to receive. A weak model lets local code read a secrets file, query a lightweight database, or call an internal API without meaningful mediation.
That distinction matters because “encrypted at rest” only protects against disk theft. It does not protect against an IDE plugin, malicious dependency, or compromised build step that runs with the user’s privileges. Security teams should verify whether access is mediated by a system vault, whether the secret is exposed only through short-lived session material, and whether retrieval is tied to a specific workload identity rather than a broad user token.
- Check whether untrusted add-ons can call the same secret APIs as trusted tooling.
- Confirm that secrets are not cached in readable local files, environment dumps, or plugin databases.
- Validate that access is logged and time-limited, not merely “encrypted” or “protected by permissions.”
- Test revocation by removing trust from the caller and confirming the secret can no longer be fetched.
NHIMG’s Shai Hulud npm malware campaign and Reviewdog GitHub Action supply chain attack illustrate why secret stores must be evaluated in the context of toolchain abuse, not just direct database compromise. The practical test is simple: if a plugin can query keys from a local database or retrieve them without a vault boundary, the storage model is not safe enough for live credentials. These controls tend to break down in developer desktops and CI runners because both environments mix trusted automation with third-party code execution.
Common Variations and Edge Cases
Tighter secret controls often increase developer friction, requiring organisations to balance safer access boundaries against speed and usability. That tradeoff is real, and best practice is evolving rather than universal. Some teams accept local caching for non-production tokens, but current guidance suggests treating that as a separate risk class from production credentials.
Edge cases usually appear in hybrid setups. A vault-backed design may still be weak if the retrieval token is long-lived, broadly scoped, or reusable across tools. Likewise, secrets encrypted with a local key are not meaningfully protected if the same workstation or container can decrypt them on demand. The question is not whether the secret is “stored securely” in the abstract, but whether compromise of one extension, one shell session, or one pipeline step exposes everything.
NHIMG’s Guide to the Secret Sprawl Challenge and Ultimate Guide to NHIs — Static vs Dynamic Secrets are useful references when evaluating whether a team is actually reducing exposure or only redistributing it. The same scrutiny should apply to containerised dev environments, remote IDEs, and ephemeral CI jobs, where access often looks temporary but still allows broad secret extraction once the runtime is trusted.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses weak secret storage and overexposed retrieval paths. |
| OWASP Agentic AI Top 10 | A2 | Untrusted tooling can behave like autonomous agents with tool access. |
| CSA MAESTRO | Identity and Access | Covers workload identity and runtime secret access for automation. |
| NIST AI RMF | Risk assessment should cover access path exposure and misuse potential. |
Require vault mediation, rotate secrets, and remove direct database-readable credential stores.
Related resources from NHI Mgmt Group
- How should security teams decide whether JIT access is safe for non-human identities?
- How do security teams know whether registry access controls are actually working?
- How do security teams know whether an AI backend is safe to expose publicly?
- How can security teams tell whether NGINX rewrite exposure is actually reduced?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
