Secrets

When a project moves beyond local development and starts using CI/CD, a fundamental question arises: how to securely pass configuration parameters into build and deployment pipelines. This concerns not only database passwords, but also container registry tokens, SSH keys, JWT signing keys, message queue connection strings, and any other parameters that must not be stored in plain text.

Sensitive data ending up in a Git repository is not just bad practice. The commit history is kept forever. Even if a secret is removed in a later commit, it has already become part of the history and can be retrieved via git log, git show or when cloning a fork. In a corporate environment this becomes a real risk during audits, team expansion, or if repository access is leaked.

Imagine this scenario: you’ve been working on a cool project all night. By 4 a.m. everything is ready, you do a final git push and go to sleep with a clear conscience. In the morning you find your AWS balance is zero and a miner is running on your servers. What happened? It turns out you left a line in one of the files: AWS_ACCESS_KEY_ID = "AKIA...".

This is a classic mistake thousands of developers have made. In this article we’ll look at why “just deleting the password” won’t help and how to set up automatic protection that will physically prevent you from making the mistake.