NIST Cybersecurity Framework 2.0 is useful for mapping identify, protect, detect, respond, and recover activities to pipeline credentials. The OWASP Non-Human Identity Top 10 is also relevant because CI/CD secrets are machine identities with lifecycle, scope, and exposure risks.
Why This Matters for Security Teams
CI/CD secrets are not just configuration values. They are machine credentials that can unlock source code, artifact stores, cloud environments, and deployment systems. That makes them a governance problem, not only a storage problem. NIST Cybersecurity Framework 2.0 helps teams map identify, protect, detect, respond, and recover activities to pipeline credentials, while the OWASP Non-Human Identity Top 10 treats those secrets as identities with lifecycle, scope, and exposure risks.
The reason this matters is simple: leaked pipeline secrets are often reusable, long-lived, and overprivileged. GitGuardian’s The State of Secrets Sprawl 2026 reports that 64% of valid secrets leaked in 2022 are still valid and exploitable today, which shows why detection without revocation is an incomplete control. The issue becomes more serious when pipeline credentials are copied into runners, build logs, issue trackers, or chat tools. NHI Management Group’s Guide to the Secret Sprawl Challenge frames this as an identity lifecycle problem, which is the right lens for security teams trying to reduce blast radius.
In practice, many security teams discover CI/CD secret exposure only after a runner compromise or leaked token has already been used to pivot into production.
How It Works in Practice
The most effective governance approach combines framework mapping with operational controls. NIST CSF 2.0 gives security leaders a common structure for assigning ownership across asset inventory, access control, monitoring, incident response, and recovery. The OWASP NHI guidance adds the missing detail: each secret should be treated as a non-human identity with a defined purpose, scope, issuer, rotation rule, and revocation path. That means teams should catalogue where the secret is used, whether it is injected into build jobs or stored in a vault, and what downstream systems it can reach.
In practical terms, a mature CI/CD secret program usually includes:
- Inventory of all pipeline secrets, including service account keys, API tokens, signing keys, and deployment credentials.
- Short-lived credentials where possible, rather than static secrets embedded in repository variables or runner images.
- Automated rotation and revocation tied to detection, pipeline completion, and employee or service changes.
- Policy checks that block hardcoded secrets from entering source control or build logs.
- Segregation of build, test, and production credentials so compromise in one stage does not expose the rest.
The NHI lens is especially useful because it connects secret governance to identity behavior. The Ultimate Guide to NHIs - Static vs Dynamic Secrets explains why dynamic credentials reduce standing exposure, while the CI/CD pipeline exploitation case study shows how attackers target runners, build scripts, and artifacts after initial access. For implementation detail, teams should align secret handling with NIST Cybersecurity Framework 2.0 and then enforce OWASP NHI principles in the pipeline itself.
These controls tend to break down in multi-repo environments with shared runners and legacy deployment jobs because secret sprawl makes ownership and revocation slow.
Common Variations and Edge Cases
Tighter secret governance often increases pipeline friction, so organisations must balance developer velocity against exposure reduction. That tradeoff is real, especially in fast-moving delivery teams where every build step expects immediate credential access. Current guidance suggests using the least permissive secret format available, but there is no universal standard for how aggressively to replace static CI/CD secrets in every environment.
Edge cases often appear in places security teams do not initially classify as code. GitGuardian’s 2026 research notes that 28% of secrets incidents now originate outside repositories, particularly in Slack, Jira, and Confluence, and those incidents are more likely to be critical. That makes governance broader than repository scanning. It also means detection, ticketing, and chat integrations need the same controls as source control. In addition, NHI Management Group’s 52 NHI Breaches Analysis is useful context for teams trying to understand how often identity reuse and weak lifecycle management turn a single exposure into a wider incident.
Another common exception involves build systems that must sign artifacts or authenticate to multiple clouds. In those cases, framework alignment still helps, but implementation may need workload-specific design choices such as per-job tokens, external secret brokers, or federated identity. Best practice is evolving, and teams should avoid treating a long-lived shared token as acceptable just because the pipeline is “internal.” The safest path is to align governance to identity lifecycle first, then decide where static secrets remain unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Covers identity and access control for pipeline credentials. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret rotation and lifecycle management for non-human identities. |
| NIST CSF 2.0 | DE.CM-8 | Relevant to detecting secret exposure and credential misuse in pipelines. |
Map CI/CD secrets to PR.AC-1 and enforce least privilege with clear ownership and access review.
Related resources from NHI Mgmt Group
- What frameworks help teams govern secrets and workload credentials?
- How should organisations govern passwords, passkeys, and secrets together?
- How should security teams govern secrets used across Pulumi stacks and pipelines?
- How should security teams govern Ansible playbooks that retrieve secrets from a vault?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org