Stop leaking secrets in your CI pipelines
A short field guide to keeping API keys, tokens and credentials out of your build logs, container images, and public repos.
Most secret leaks we find in client engagements aren't sophisticated. They're a .env file checked in years ago, a debug printenv left in a Jenkins job, or an AWS key baked into a Docker layer.
The three places to look first
- Build logs — turn on log masking in your CI provider and verify it actually works by echoing a fake secret.
- Container layers — secrets passed as ARG instead of build-time mounts persist in image history. Use BuildKit secret mounts.
- Git history — run git log -p over your repo with a regex pass. Rewriting history is painful but necessary if anything sensitive is found.
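The regex pass over git log -p described above, as an added example that is not code from the original post. It attributes each hit to the commit and file it was introduced in, which is what you need before rewriting history. The AWS access key ID shape (AKIA/ASIA plus 16 uppercase alphanumerics) is AWS's documented format; the other two patterns are illustrative assumptions that will need tuning for a real codebase. The sample log and the AKIA value inside it are constructed for the example and are not real credentials.

```python
"""Regex pass over `git log -p` output, attributing each hit to commit and file."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Credential shapes to look for. Only the AWS rule is a documented format;
# the other two are generic first-pass heuristics (assumption: tune per repo).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['"]?[A-Za-z0-9_\-/+=]{16,}"""
    ),
}


@dataclass
class Finding:
    commit: str
    path: str
    rule: str
    line: str


def scan_log(text: str) -> list[Finding]:
    """Walk git log -p (or git diff) output and flag added lines that match a rule."""
    commit = "?"
    path = "?"
    findings: list[Finding] = []
    for raw in text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("diff --git "):
            # "diff --git a/<path> b/<path>": the b/ side is the post-change path
            path = raw.split(" b/", 1)[-1]
        elif raw.startswith("+") and not raw.startswith("+++"):
            added = raw[1:]
            for rule, rx in PATTERNS.items():
                if rx.search(added):
                    findings.append(Finding(commit, path, rule, added.strip()))
                    break  # one finding per added line is enough for triage
    return findings


def scan_repo(repo: str = ".") -> list[Finding]:
    """Run git log -p across all refs of a repo and scan the result."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_log(out)


# Constructed sample log: a fake .env commit. The AKIA value is made up.
SAMPLE_LOG = """commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: dev <dev@example.com>

    add env

diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+DB_HOST=localhost
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
+API_KEY="sk_test_0123456789abcdef0123"
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Project
+Set API_KEY in your environment; never commit it.
"""

if __name__ == "__main__":
    for f in scan_repo():
        print(f"{f.commit[:12]} {f.path} [{f.rule}] {f.line}")
```

Because the parser keys on diff --git and + lines, scan_log also works on the output of git diff between a PR's base and head, so the same function can back a blocking PR check. Expect the generic rule to produce noise on long identifiers; the README line in the sample shows a mention of API_KEY that correctly does not fire because no value follows it.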
Defence in depth
- Use short-lived OIDC tokens for cloud deploys instead of long-lived access keys.
- Scan every PR with a secrets scanner (gitleaks, trufflehog) in blocking mode.
- Centralise secrets in a vault and inject at runtime — never at build.
If you'd like a second pair of eyes on your pipeline, get in touch.