Static secrets create a reusable attack path into production infrastructure. Once they are copied into workflow files, logs, runner images, or environment variables, a single compromise can expose broad access long after the original job finishes. That is why pipeline secrets should be treated as production identity, not temporary configuration.
Why This Matters for Security Teams
Static secrets turn CI/CD into a reusable identity compromise instead of a single-job risk. Once a token is embedded in workflow code, runner images, cached logs, or environment variables, it can be replayed across environments, exfiltrated quietly, and reused long after the pipeline step has ended. GitGuardian’s The State of Secrets Sprawl 2026 found 59% of compromised machines in a major supply chain attack were CI/CD runners rather than personal workstations, underscoring how often the pipeline becomes the blast radius.
The real issue is not just leakage, but persistence. A static secret has no inherent task boundary, so RBAC alone cannot distinguish legitimate build-time use from later abuse. Current guidance from the OWASP Non-Human Identity Top 10 treats long-lived credentials as a core NHI failure mode because they erase context, weaken accountability, and make revocation reactive instead of automatic. In practice, many security teams discover this only after a runner image, shared workspace, or collaboration tool leak has already been used to reach production.
How It Works in Practice
Safer pipelines treat secrets as short-lived identity, not configuration. That usually means issuing credentials only when a job starts, binding them to the workload identity of the runner, and revoking them as soon as the job completes. In practice, that can be implemented with OIDC federation, workload identity systems such as SPIFFE/SPIRE, or policy-controlled token exchange. The goal is to replace “here is a reusable key” with “here is a task-scoped, auditable assertion that this specific job may perform this specific action.”
This is also where intent-based authorisation matters. Static role maps are too coarse for autonomous or highly automated pipelines, because the same workflow may need to build, test, sign, publish, or query infrastructure under different conditions. Policy-as-code systems can evaluate request context at runtime, but there is no universal standard for this yet, so teams should validate their approach against both OWASP Non-Human Identity Top 10 guidance and emerging agentic governance models such as CI/CD pipeline exploitation case study and Reviewdog GitHub Action supply chain attack.
- Prefer JIT credentials with tight TTLs over permanent API keys.
- Bind access to workload identity, not to a human-managed shared secret.
- Scope each token to a single environment, repository, or deployment action.
- Revoke automatically on job failure, completion, or anomaly detection.
GitGuardian’s 2025 research also found 64% of valid secrets leaked in 2022 are still valid today, which shows why detection without revocation leaves pipelines exposed long after the original commit. These controls tend to break down when runners are persistent, shared across teams, or allowed broad outbound network access because stolen credentials can be replayed before expiry.
Common Variations and Edge Cases
Tighter credential controls often increase pipeline friction, requiring organisations to balance delivery speed against stronger isolation and more frequent token exchange. That tradeoff is especially visible in monorepos, multi-account clouds, and release pipelines that trigger multiple downstream systems. Best practice is evolving here: some teams can move to fully ephemeral credentials, while others still need a hybrid model during migration. The important point is that long-lived static secrets should be the exception, not the default.
There are also edge cases where secret sprawl appears outside the repository itself. GitGuardian reports that 28% of secrets incidents now originate in Slack, Jira, and Confluence, and those incidents are 13% more likely to be critical than code-based leaks. That means securing the pipeline requires protecting build inputs, ticketing metadata, chat transcripts, and deployment artifacts, not just source code. The lesson aligns with NHIMG’s Guide to the Secret Sprawl Challenge and the broader Shai Hulud npm malware campaign, where exposed automation paths became the real entry point.
For teams adopting agentic tooling in pipelines, the stakes rise further because autonomous agents can chain tools, request new access, and act on goals rather than fixed steps. In those environments, current guidance suggests pairing JIT credentials with real-time policy checks and strong workload identity. That is why Ultimate Guide to NHIs — Static vs Dynamic Secrets remains the clearest operational reference for deciding when a secret should exist at all.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets are a classic non-human identity rotation failure. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is the main control gap when pipelines reuse static secrets. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero trust segmentation reduces blast radius when a secret is stolen from CI/CD. |
Replace reusable pipeline secrets with short-lived credentials and enforce automatic rotation or revocation.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
