Never commit secrets to code (not even `.env`); store them in the CI's native secret store (GitHub Secrets, GitLab Variables) or a centralized vault (HashiCorp Vault, AWS Secrets Manager); rotate periodically; use OIDC to issue short-lived tokens for cloud access instead of long-lived access keys. Best practices:
- Native CI secrets: GitHub Settings → Secrets and variables → Actions; access via `${{ secrets.MY_KEY }}`, which is auto-masked in logs.
- Environment secrets: secrets scoped to an environment (`production`, `staging`) require reviewer approval before a job can use them.
- OIDC (recommended for cloud): GitHub Actions issues an OIDC token, AWS/GCP/Azure trust the GitHub OIDC issuer and return short-lived credentials (15 min); no static AWS access keys needed.
- Secret scanning: GitHub Secret Scanning + push protection (free for public repos, paid for private) blocks commits containing AWS keys/Stripe keys before they reach the remote.
- gitleaks in a pre-commit hook: scans locally.
- HashiCorp Vault / AWS Secrets Manager: for highly sensitive secrets (production DB password), CI fetches them at runtime with short TTLs.

Rotation: rotate important API keys every 90 days; if a leak is suspected, revoke immediately, rotate, and audit logs to determine the blast radius.

Common mistakes: logging the full env in CI logs (`set -x` leaks secrets); committing `.env` and then deleting it (it is still in Git history; requires BFG repo-cleaner / git filter-repo, a force push, and rotation); echoing secrets into a publicly uploaded artifact.
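The OIDC, environment-approval and runtime-fetch practices above, combined in one GitHub Actions workflow. This is an added example, not code from the original page; the AWS account id, role name, secret id, bucket and region are placeholders, and the IAM role's trust policy (configured on the AWS side) is assumed to already trust the GitHub OIDC provider.

```yaml
# Added example (not from the original page): deploy to AWS with OIDC
# instead of a stored AWS access key.
# Placeholders: account 123456789012, role GitHubDeployRole,
# secret prod/db/password, bucket my-app-artifacts, region us-east-1.
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Environment secrets + approval: jobs targeting "production" wait for
    # the environment's required reviewers before they run.
    environment: production
    permissions:
      id-token: write   # lets the job request an OIDC token from GitHub
      contents: read    # least privilege for everything else
    steps:
      - uses: actions/checkout@v4

      # Exchanges GitHub's OIDC token for temporary STS credentials.
      # The role's trust policy must trust token.actions.githubusercontent.com
      # and pin the "sub" claim, e.g. repo:<org>/<repo>:environment:production,
      # so only this repo's production jobs can assume it.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubDeployRole
          aws-region: us-east-1
          role-duration-seconds: 900   # 15-minute session, the STS minimum

      # Fetch a sensitive secret at runtime from Secrets Manager rather than
      # storing it in the repo, and mask it so it never appears in the log.
      - name: Fetch DB password at runtime
        run: |
          DB_PASSWORD=$(aws secretsmanager get-secret-value \
            --secret-id prod/db/password --query SecretString --output text)
          echo "::add-mask::$DB_PASSWORD"
          echo "DB_PASSWORD=$DB_PASSWORD" >> "$GITHUB_ENV"

      - name: Deploy
        run: |
          # No `set -x` here: it would echo expanded variables, secrets included.
          aws s3 sync ./build "s3://my-app-artifacts/${GITHUB_SHA}"
```

Any static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets previously used for this job can be deleted once the role assumption works.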