Secrets management
Proper secrets management is key to the overall security of your CI/CD infrastructure. The following are some recommendations on keeping your secrets safe in your Buildkite pipelines:
- Use Buildkite's native secret management tools whenever possible. Start by using the built-in Buildkite secrets and redaction feature or explore the secrets plugins available for different secret stores.
- Rotate your secrets regularly. Even if a secret hasn't been compromised, regular automated rotation limits the window of opportunity if something does go wrong.
- Keep secrets scoped as tightly as possible. Only expose a secret to the specific pipeline steps that actually need it. For example, don't allow test steps to have access to production deployment credentials. You can configure granular access using Buildkite secrets or through plugins like the vault secrets plugin.
- Track how your secrets are being used. Audit logs showing which steps consume which secrets give you visibility into your security posture and make compliance reporting easier (for example, during audits).
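The following pipeline is an added illustration of the scoping advice above; it is not from the Buildkite documentation. It assumes a Buildkite secret named `PROD_DEPLOY_TOKEN` has been created for the cluster, that `buildkite-agent secret get` is used to read it, and that `scripts/test.sh` and `scripts/deploy.sh` are placeholder scripts. The test step never touches the credential; only the deploy step, restricted to the `main` branch, retrieves it inside its own command, so the value never sits in a pipeline-wide `env:` block where every step could read it.

```yaml
# Added example pipeline.yml (not Buildkite's own). Secret name and script
# paths are assumptions for illustration.
steps:
  # Test step: runs untrusted code changes, so it gets no credentials at all.
  - label: ":test_tube: Test"
    key: test
    command: "./scripts/test.sh"

  # Deploy step: the only step that needs the production token.
  # It fetches the secret at runtime rather than receiving it from a
  # pipeline-level `env:` entry, so earlier steps never see the value.
  - label: ":rocket: Deploy"
    key: deploy
    depends_on: test
    branches: main
    command: |
      # Read the Buildkite secret on demand; keep it out of build logs and
      # artifacts, and do not echo or write it to disk.
      export DEPLOY_TOKEN="$(buildkite-agent secret get PROD_DEPLOY_TOKEN)"
      ./scripts/deploy.sh
```

Keeping the secret inside the deploy step's command also keeps the audit trail tight: a lookup of `PROD_DEPLOY_TOKEN` in your secret store logs can only ever originate from that step.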
For in-depth information on security best practices for Buildkite Pipelines, see Enforcing security controls.