Product

Build secretless CI/CD pipelines using wait-for-secrets

Eliminate persistent secrets & use MFA in your CI/ CD pipelines

Varun Sharma
January 5, 2023

Table of Contents

Table of Contents

Continuous integration and continuous delivery (CI/CD) platforms are crucial in managing critical IT systems and software releases. With the rise of DevOps culture and infrastructure-as-code practices, CI/CD systems also manage entire infrastructure and application stacks. As a result, these platforms often store secrets that grant access to highly sensitive resources such as cloud administrator IAM identities and software distribution accounts.

Unfortunately, the importance of CI/CD platforms in the software supply chain makes them a target for adversaries seeking to compromise sensitive data. The recent CircleCI breach is just one example of this attack pattern. Other CI/CD providers, such as TravisCI, have also suffered similar security incidents. CircleCI is recommending its customers rotate all the secrets stored on their platform; this is a standard security incident response practice. However, such reactive secret rotation activities require significant effort for large organizations. Creating an inventory of all secrets stored in CI/CD is a non-trivial task for such organizations.

To address this issue and improve security, it’s essential to move away from using long-lived secrets and single-factor authentication techniques in CI/CD. To that end, at StepSecurity, we have developed an open-source project called wait-for-secrets. Rather than relying on CI/CD platforms to provide secrets, wait-for-secrets allows project owners to interactively provide them when a CI/CD pipeline is executed. This approach eliminates the need to store long-lived access keys in CI/CD platforms. This deployment model also reduces the number of secrets an organization needs to maintain, as you can reuse your existing accounts instead of creating dedicated accounts for CI/CD. In addition, wait-for-secrets can enable multi-factor authentication in CI/CD, providing an additional layer of security for sensitive operations.

Demo of wait-for-secrets use in GitHub Actions

We highly recommend its use for privileged secrets to enhance security in your software supply chain. Give wait-for-secrets a try if you perform sensitive operations using long-lived secrets in your CI/CD.

Continuous integration and continuous delivery (CI/CD) platforms are crucial in managing critical IT systems and software releases. With the rise of DevOps culture and infrastructure-as-code practices, CI/CD systems also manage entire infrastructure and application stacks. As a result, these platforms often store secrets that grant access to highly sensitive resources such as cloud administrator IAM identities and software distribution accounts.

Unfortunately, the importance of CI/CD platforms in the software supply chain makes them a target for adversaries seeking to compromise sensitive data. The recent CircleCI breach is just one example of this attack pattern. Other CI/CD providers, such as TravisCI, have also suffered similar security incidents. CircleCI is recommending its customers rotate all the secrets stored on their platform; this is a standard security incident response practice. However, such reactive secret rotation activities require significant effort for large organizations. Creating an inventory of all secrets stored in CI/CD is a non-trivial task for such organizations.

To address this issue and improve security, it’s essential to move away from using long-lived secrets and single-factor authentication techniques in CI/CD. To that end, at StepSecurity, we have developed an open-source project called wait-for-secrets. Rather than relying on CI/CD platforms to provide secrets, wait-for-secrets allows project owners to interactively provide them when a CI/CD pipeline is executed. This approach eliminates the need to store long-lived access keys in CI/CD platforms. This deployment model also reduces the number of secrets an organization needs to maintain, as you can reuse your existing accounts instead of creating dedicated accounts for CI/CD. In addition, wait-for-secrets can enable multi-factor authentication in CI/CD, providing an additional layer of security for sensitive operations.

Demo of wait-for-secrets use in GitHub Actions

We highly recommend its use for privileged secrets to enhance security in your software supply chain. Give wait-for-secrets a try if you perform sensitive operations using long-lived secrets in your CI/CD.