Q9 of 38 · CI/CD & DevOps

How do you secure secrets (API keys, credentials) in a CI pipeline running QA tests?

CI/CD & DevOpsMidci-cdsecuritysecretsoidcvault

Short answer

Short answer: Use the CI provider's secret store (GitHub Secrets, GitLab CI/CD variables, HashiCorp Vault) — never commit secrets, never echo them in logs. Scope by environment, rotate regularly, prefer short-lived credentials (OIDC to cloud) over long-lived API keys. Audit access.

Detail

Layer 1 — store, don't commit. Repo secrets go in GitHub Actions Secrets, GitLab CI/CD variables, or pulled from Vault/AWS Secrets Manager at runtime. Anything in git history is leaked forever, even after deletion.

Layer 2 — scope tightly.

  • Per-environment: STAGING_API_KEY and PROD_API_KEY are separate secrets, not "API_KEY with the prod value." Only the prod-deploy job sees prod.
  • Per-branch: GitHub's environment protection — production env requires approval and only passes secrets to that env's jobs.
  • Forks: pull requests from forks must NOT receive secrets. Default behaviour in GitHub Actions; verify your pipeline doesn't override.

Layer 3 — short-lived credentials over static keys.

  • OIDC for cloud: GitHub Actions and GitLab CI both support OIDC token exchange with AWS, GCP, Azure. The runner gets a short-lived token (typically 1 hour) instead of a stored access key. Massively reduces blast radius if the runner is compromised.
  • Workload Identity Federation on GCP — same idea.
  • Vault dynamic secrets — DB credentials generated for the test run, revoked after.

Layer 4 — log hygiene.

  • CI providers automatically mask known secret values in logs, but only if you set them as secrets. echo $API_KEY shows ***; curl -v may include the token in headers — check.
  • Don't print env vars in debug output. set, env, printenv dump everything.
  • Test artefacts (HAR files, logs) often contain auth headers. Redact before uploading.

Layer 5 — rotation and audit.

  • Rotate secrets quarterly or on personnel change.
  • Audit who/what has access. CI provider audit logs show secret access events.
  • For QA tests against vendor sandboxes, prefer test-mode keys with no production access at all.

Common breach pattern: contributor's PR accidentally adds debug console.log(process.env). Maintainer merges without noticing. Logs are public on GitHub. Within minutes, the keys are scraped. Defence: pre-commit hooks, secret-scanning (GitHub Advanced Security, Gitleaks), and never trust devs to manually filter logs.

// WHAT INTERVIEWERS LOOK FOR

Layered approach (store + scope + short-lived + logs + rotate), knowing OIDC for cloud, awareness of forked-PR risk, and the breach mode that keys leak through.

// COMMON PITFALL

Storing prod secrets as repo secrets accessible to every workflow. One careless echo and the key is in a public log forever.

// Related questions

How do you handle environment-specific config and secret management in Playwright?

Playwright

How do you organise environment variables and secrets across local/staging/prod API tests?

API testing

A QA engineer discovers that an API key was committed to the test repository 6 months ago and is still in Git history. What is your remediation plan?

Git