Skip to content

Secrets Management in Source and CI

GitHub secret scanning and push protection are enabled where licensed and supported. Gitleaks runs on PRs and protected branch pushes with sufficient history to detect introduced secrets.

Cloud access uses OIDC. Remaining credentials are stored in GitHub Environments or organization secrets with narrow access and rotation. Secrets are never passed as Docker build arguments, printed in summaries, embedded in frontend builds, or committed as example values.

When a secret is detected, remove it from source, revoke or rotate it immediately, assess access logs, and clean history only as a secondary action. Deleting the string from the latest commit does not neutralize an exposed credential.