Well-Architected Framework
Anti-patterns
Authentication and secrets management are critical components of any CI/CD system, but organizations inadvertently introduce security risks by adopting anti-patterns around authentication and secrets. These pitfalls can lead to compromised credentials, exposed data, or hijacking of the CI/CD pipeline itself, undermining the integrity of the entire software delivery process.
Vault can help you avoid these common authentication and secrets management anti-patterns in your CI/CD pipelines.
Hard-coded secrets
Your CI/CD pipeline should not contain hard-coded secrets, nor should the code that your pipeline runs. Refer to the Common Weakness Enumeration (CWE) on the use of hard-coded passwords for more information: [CWE-259].
The following are common examples of hard-coded secrets:
- API keys embedded in source code
- Database passwords in configuration files
- Certificates stored in repositories
Hard-coded secrets create several security risks:
- Data exposure: Secrets visible in code repositories
- Unauthorized access: Anyone with code access can use credentials
- Difficult rotation: Hard to change secrets across multiple locations
- Audit challenges: Hard to track secret usage
HashiCorp offers platform-independent solutions to address hard-coded secrets in CI/CD pipelines. HashiCorp Vault provides a centralized secrets management system that works across different platforms and environments, enabling secure storage and retrieval of sensitive data without embedding credentials directly in code.
HCP Vault Radar serves as an automated detection tool that scans codebases to identify unmanaged secrets, helping security teams proactively discover and remediate hard-coded credentials before they become security vulnerabilities.
HashiCorp resources:
- HashiCorp Vault
- Detection tool: HCP Vault Radar - automates detection of unmanaged secrets in code
Hard-coded authentication
Storing Vault authentication tokens or passwords in your code repository creates the same vulnerabilities as hard-coded secrets. Refer to the Common Weakness Enumeration (CWE) on use of hard-coded credentials for more information: [CWE-798].
The following are common examples of hard-coded authentication:
- Vault tokens in environment variables
- Authentication credentials in CI/CD variables (unencrypted)
Hard-coded authentication creates several security risks:
- Token theft: Exposes token to unauthorized access
- Privilege escalation: Stolen tokens may have excessive permissions
- No audit trail: Difficult to track who used what credentials
Users and pipeline processes should instead authenticate to Vault with a secure method such as JWT/OIDC, or another external authentication method, so that each run obtains a dynamically issued token governed by a lifecycle policy.
HashiCorp resources:
- Read documentation on lease, renew, revoke.
Lack of revocation or rotation
When you fail to revoke or rotate (change) keys, tokens, certificates, or other credentials, you leave the pipeline vulnerable to exploitation through the anti-pattern of long-lived secrets. Refer to the CWE on the use of a key past its expiration date for more information: [CWE-324].
The following are common examples of a lack of revocation or rotation:
- Credentials that never expire
- No rotation schedule
- Manual rotation processes
- Forgotten or orphaned credentials
Lack of revocation or rotation creates several security risks:
- Extended exposure: Compromised credentials remain valid indefinitely
- Compliance violations: Many standards require regular rotation
- Increased attack surface: More time for attackers to exploit credentials
You should establish a time-to-live policy for credentials and configure your CI/CD system or external secrets manager to enforce it. For example, Vault can automatically revoke credentials when their time-to-live (TTL) expires. You can also rotate dynamic credentials and certificates generated by Vault secrets engines.
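A lifecycle audit that flags each anti-pattern listed above (credentials that never expire, no rotation schedule, overdue rotation, expired-but-unrevoked and forgotten credentials), as an added example that is not part of this page or of Vault's own tooling; the `Credential` record shape, the 90-day idle threshold and the sample inventory are assumptions constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy value for this example (not a Vault default): a credential that has
# not been used for this long is treated as forgotten or orphaned.
MAX_IDLE = timedelta(days=90)

@dataclass
class Credential:
    """Lifecycle metadata for one pipeline credential (hypothetical record shape)."""
    name: str
    issued_at: datetime
    ttl: Optional[timedelta]                # None means the credential never expires
    rotation_interval: Optional[timedelta]  # None means there is no rotation schedule
    last_rotated: datetime
    last_used: Optional[datetime]           # None means never used since it was issued

def audit_credential(cred: Credential, now: datetime) -> list:
    """Return the lifecycle anti-patterns this credential exhibits at time `now`."""
    issues = []
    if cred.ttl is None:
        issues.append("never-expires")
    elif now >= cred.issued_at + cred.ttl:
        issues.append("expired-not-revoked")  # TTL has passed but the credential still exists
    if cred.rotation_interval is None:
        issues.append("no-rotation-schedule")
    elif now - cred.last_rotated > cred.rotation_interval:
        issues.append("rotation-overdue")
    if now - (cred.last_used or cred.issued_at) > MAX_IDLE:
        issues.append("orphaned")
    return issues

def audit(creds, now: datetime) -> dict:
    """Map credential name -> issues, listing only credentials that violate the policy."""
    return {c.name: found for c in creds if (found := audit_credential(c, now))}

# Constructed sample inventory; names and timestamps are made up for illustration.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Credential("deploy-db-creds", NOW - timedelta(hours=2), timedelta(hours=1),
               timedelta(days=30), NOW - timedelta(hours=2), NOW - timedelta(hours=1)),
    Credential("legacy-api-key", NOW - timedelta(days=400), None,
               None, NOW - timedelta(days=400), NOW - timedelta(days=200)),
    Credential("ci-runner-token", NOW - timedelta(minutes=10), timedelta(minutes=15),
               timedelta(days=7), NOW - timedelta(minutes=10), NOW - timedelta(minutes=1)),
]
```

Calling `audit(SAMPLE, NOW)` reports the expired database credential and the never-expiring, unrotated, idle API key, while the short-lived runner token passes; in practice the inventory would be populated from your secrets manager's lease or token metadata.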
HashiCorp resources:
- Read documentation on lease, renew, revoke.
Next steps
In this section on managing CI/CD secrets, you learned about the authentication and secrets management anti-patterns you should avoid in CI/CD pipelines. The CI/CD anti-patterns topic is part of the Secure systems pillar.