# Buildkite Security Documentation

> Buildkite documentation for security, including secrets management, OIDC, clusters, permissions, SSO, agent security, signed pipelines, and security best practices.

## Pipelines

### Best practices

- [Secrets management](https://buildkite.com/docs/pipelines/best-practices/secrets-management.md): Recommendations for secrets management: native tools, rotation, scoping, and audit logging.
- [Enforcing security controls](https://buildkite.com/docs/pipelines/best-practices/security-controls.md): Security engineering guide covering authentication, source code integrity, supply chain, artifact, and pipeline hardening.

### Agent

#### Self-hosted agents

##### Security

- [Overview](https://buildkite.com/docs/agent/self-hosted/security.md): Security hardening for self-hosted agents: secrets storage, SSH keyscan, command evaluation, plugin controls.
- [Network requirements](https://buildkite.com/docs/agent/self-hosted/security/network-requirements.md)
- [Signed pipelines](https://buildkite.com/docs/agent/self-hosted/security/signed-pipelines.md): Cryptographically signing pipeline uploads and verifying signatures before job execution using JWKS keys.

#### Buildkite hosted agents

- [Network security](https://buildkite.com/docs/agent/buildkite-hosted/network-security.md): IP allowlisting, OIDC-based authentication, and network security configuration for Buildkite hosted agents.

### Security

- [Overview](https://buildkite.com/docs/pipelines/security.md): Security overview covering data flow, infrastructure, encryption, logging, audit, and compliance controls.

#### Secrets

- [Overview](https://buildkite.com/docs/pipelines/security/secrets.md): Overview of secrets management options: managing secrets, risk considerations, and Buildkite secrets service.
- [Managing](https://buildkite.com/docs/pipelines/security/secrets/managing.md): Best practices for managing pipeline secrets using secrets storage services, environment hooks, and agent hooks.
- [Risk considerations](https://buildkite.com/docs/pipelines/security/secrets/risk-considerations.md): Security risks to avoid: storing secrets in pipeline settings, YAML env blocks, or build logs.

##### Buildkite secrets

- [Overview](https://buildkite.com/docs/pipelines/security/secrets/buildkite-secrets.md): Buildkite's encrypted key-value secret store scoped to clusters, with creation, usage, and redaction details.
- [Access policies](https://buildkite.com/docs/pipelines/security/secrets/buildkite-secrets/access-policies.md): YAML-based access policies that restrict Buildkite secret access by pipeline, branch, user, and other build attributes.

#### Clusters

- [Overview](https://buildkite.com/docs/pipelines/security/clusters.md): Clusters for organizing agents, queues, and pipelines into isolated groups with self-service management.
- [Manage clusters](https://buildkite.com/docs/pipelines/security/clusters/manage.md): Creating, updating, and deleting clusters; managing maintainers, agent tokens, and pipeline assignments.
- [Migrate from unclustered to clustered agents](https://buildkite.com/docs/pipelines/security/clusters/migrate-from-unclustered-to-clustered-agents.md): Step-by-step guide for migrating unclustered agents and pipelines to clustered agent infrastructure.

##### Rules

- [Overview](https://buildkite.com/docs/pipelines/security/clusters/rules.md): Rules for cross-cluster pipeline triggering and cross-pipeline artifact access with source/target conditions.
- [Manage rules](https://buildkite.com/docs/pipelines/security/clusters/rules/manage.md): Creating and managing rules using the Buildkite interface, REST API, and GraphQL API.

- [Incoming webhooks](https://buildkite.com/docs/pipelines/security/incoming-webhooks.md): Security FAQ for incoming webhooks from source control providers, including IP filtering and logging.

#### OIDC

- [Overview](https://buildkite.com/docs/pipelines/security/oidc.md): Overview of OIDC token issuance by Buildkite agents for federated authentication with AWS, GCP, Azure, and others.
- [OIDC with AWS](https://buildkite.com/docs/pipelines/security/oidc/aws.md): Step-by-step setup for OIDC federation between Buildkite agents and AWS IAM using assume-role-with-web-identity.
- [OIDC with Azure](https://buildkite.com/docs/pipelines/security/oidc/azure.md): Step-by-step setup for OIDC federation between Buildkite Pipelines and Microsoft Azure using Entra ID federated identity credentials, with a Terraform example.

- [Permissions](https://buildkite.com/docs/pipelines/security/permissions.md): Configuring user, team, and pipeline permissions at organization, team, and pipeline levels.

## Package Registries

### Security

- [Overview](https://buildkite.com/docs/package-registries/security.md): Security overview covering OIDC policies, team permissions, and SLSA provenance for Package Registries.
- [OIDC](https://buildkite.com/docs/package-registries/security/oidc.md): Configuring OIDC policies on registries to restrict access using Buildkite agent or third-party OIDC tokens.
- [Permissions](https://buildkite.com/docs/package-registries/security/permissions.md): Team-based access permissions for registries at organization and registry levels, including enabling the feature.
- [SLSA provenance](https://buildkite.com/docs/package-registries/security/slsa-provenance.md): Generating and storing SLSA provenance attestations for packages using the Buildkite plugin.

## Platform

### Team management

- [Enforce 2FA](https://buildkite.com/docs/platform/team-management/enforce-2fa.md): Enforcing two-factor authentication for all users in a Buildkite organization.
- [Inactive user list](https://buildkite.com/docs/platform/team-management/inactive-user-list.md): Identifying and managing inactive organization members using the Buildkite UI or GraphQL API.

### Tutorials

- [Two-factor authentication (2FA)](https://buildkite.com/docs/platform/tutorials/2fa.md): Step-by-step guide to enabling two-factor authentication on your Buildkite account.

### SSO

- [Overview](https://buildkite.com/docs/platform/sso.md): Overview of SSO support, listing providers (Okta, ADFS, GitHub, Google, Azure AD, OneLogin, custom SAML).
- [Okta](https://buildkite.com/docs/platform/sso/okta.md): Configuring Okta as an SSO provider with SAML and optional SCIM user provisioning.
- [ADFS](https://buildkite.com/docs/platform/sso/adfs.md): Step-by-step setup of Active Directory Federation Services (ADFS) as an SSO provider.
- [Google Workspace](https://buildkite.com/docs/platform/sso/google-workspace.md): Setting up Google Workspace (G Suite) as an SSO provider using OpenID.
- [Google Workspace (SAML)](https://buildkite.com/docs/platform/sso/google-workspace-saml.md): Setting up Google Workspace as an SSO provider using SAML instead of OpenID.
- [GitHub](https://buildkite.com/docs/platform/sso/github-sso.md): Configuring GitHub as an SSO provider for your Buildkite organization.
- [OneLogin](https://buildkite.com/docs/platform/sso/onelogin.md): Step-by-step setup of OneLogin as an SSO provider.
- [Azure AD](https://buildkite.com/docs/platform/sso/azure-ad.md): Configuring Microsoft Entra ID (Azure AD) as an SSO provider using custom SAML.
- [Custom SAML](https://buildkite.com/docs/platform/sso/custom-saml.md): Setting up any SAML 2.0 identity provider as an SSO provider for Buildkite.
- [Set up with GraphQL](https://buildkite.com/docs/platform/sso/sso-setup-with-graphql.md): Programmatically setting up SSO providers using the GraphQL API.

### Security

- [Token security](https://buildkite.com/docs/platform/security/tokens.md): Buildkite token types (API, agent, registry) and GitHub secret scanning integration.

## APIs

- [Managing API access tokens](https://buildkite.com/docs/apis/managing-api-tokens.md): Creating, editing, auditing, and securing API access tokens with scopes and IP restrictions.

## See also

- [Buildkite Governance Documentation](https://buildkite.com/docs/llms-governance.txt): Buildkite documentation for governance and compliance, including pipeline templates, build exports, audit logging, team management, and platform controls.
- [Buildkite User Management Documentation](https://buildkite.com/docs/llms-user-management.txt): Buildkite documentation for user and team management, covering permissions, SSO providers, two-factor authentication, audit logging, API token management, and system banners.
- [Buildkite Best Practices Documentation](https://buildkite.com/docs/llms-best-practices.txt): Buildkite documentation for CI/CD best practices, covering pipeline design and structure, agent management, Docker-based builds, parallelization, monorepos, dependency management, secrets, infrastructure as code, caching, monitoring, and security controls.