Want Control Over Secrets? Start with Your Strategic Control Point: CI/CD.

Pieter Kasselman

There are two kinds of organizations: Those with a secrets problem, and those who don’t know they have one yet. The question for CISOs is what to do about it.

And the answer starts in your CI/CD pipeline.

Why? Because CI/CD is where secrets concentrate and automation scales. It is also where company practices develop and become company culture. It is the gateway to production, and if you control the gateway, you control how infrastructure is accessed. If you want to reduce your attack surface fast, start where access begins. As a CISO, you already know that secrets sprawl is out of control. For evidence, take a look at GitGuardian's 2025 report. The numbers will drive you to tears: the number of leaked secrets increased by 23 million (+25%) from 2023 to 2024, 70% of the leaked secrets detected in 2022 remain active in 2025, and all of this despite increased use of secrets managers. Read it and weep.

Secrets, in the form of API keys and passwords, are the lowest common denominator for application authentication. The next wave of innovation driven by AI services will make it even worse. In the rush to launch the next groundbreaking AI capability, authentication is relegated to that lowest common denominator: the API key or password. The result is more secrets to manage, more secrets that will leak, and more risk of system compromise and outages.

A typical first response is to try to manage the situation. Secrets managers attempt to do this. They give you a place to put all the secrets you find, but they won't stop secrets from proliferating. They also come with downsides: they become a very attractive target, they are a single point of failure, they introduce latency and cost, and before you know it you have a secrets manager sprawl problem, with secrets managers popping up all over the organization.

Secrets managers are useful, even necessary, tools, but what if we could avoid having secrets to manage altogether? The good news is that the technology exists and can be deployed today. Forward-thinking companies follow a multi-pronged secrets management strategy: they use secrets managers to hoover up and store all the secrets they can find, and they deploy identity-first infrastructure, like that developed by SPIRL, to replace long-lived secrets with dynamically attested identities and short-lived credentials. Typically, they start with their Continuous Integration/Continuous Deployment (CI/CD) pipelines.

Secrets are everywhere, so why start with CI/CD pipelines? Three reasons:

1. Gateway to Production

CI/CD pipelines are the gateways to your environment. If you lose control of the gateway to your environment, you lose control of your environment, and it is downhill from there (remember SolarWinds?). CI/CD pipelines need access to APIs and accounts to set up and configure infrastructure and build and deploy applications. To do this, they need API keys and passwords. These keys and passwords are modern-day keys to the kingdom.

2. Organizational Integration Point

Operationally, CI/CD pipelines are organizational integration points. Sometimes a single platform team operates these systems for everyone, but it is also not uncommon for there to be multiple teams, one per division, product line or perhaps geography. Regardless, there are far fewer CI/CD teams than engineering teams, yet most, if not all, engineering teams rely on these CI/CD systems. Any change made in the CI/CD system rapidly accrues value to all the engineering teams. Assigning every pipeline or action its own identity, which it can use to authenticate, obtain additional credentials and provision or manage production infrastructure, removes the need to store long-lived secrets in the CI/CD pipeline. Just as important, it can be done centrally and rolled out much faster than requiring every engineering team to make changes.
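To make the per-pipeline identity concrete, here is an added example (not from the post or from SPIRL) using GitHub Actions and AWS: the first workflow authenticates with long-lived access keys stored as repository secrets, the second gives the pipeline its own attested identity by exchanging a GitHub-signed OIDC token for short-lived AWS credentials. The organization, repository, role ARN, account id and bucket name are placeholders.

```yaml
# BEFORE: long-lived access keys stored as repository secrets. They never
# expire on their own and leak along with the repo, runner logs or a
# compromised third-party action.
name: deploy-with-static-secret
on: { push: { branches: [main] } }
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}          # static secret
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}  # static secret
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://example-deploy-bucket   # placeholder bucket
---
# AFTER: the job requests an OIDC token that GitHub signs for this run. Its
# "sub" claim names the repository and branch, so the token itself is the
# pipeline's identity. AWS STS verifies the token and issues credentials that
# expire after the session duration (one hour by default). Nothing in the
# pipeline stores a secret.
name: deploy-with-workload-identity
on: { push: { branches: [main] } }
permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder role. Its trust policy must bind the federated
          # principal to this pipeline with conditions such as
          #   "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
          #   "token.actions.githubusercontent.com:sub":
          #       "repo:example-org/example-repo:ref:refs/heads/main"
          # so a token minted for any other repository or branch is rejected.
          role-to-assume: arn:aws:iam::123456789012:role/example-deploy-role
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://example-deploy-bucket   # placeholder bucket
```

The second workflow is the central change the post describes: it is made once in the CI/CD system and its trust policy, and every team whose deployments flow through that pipeline stops needing a stored cloud key.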

3. Drive Culture Change

Engineering systems like CI/CD drive engineering culture. Changing existing practices, such as using long-lived, static secrets, requires not only technology but also a change in culture. Enabling this through CI/CD systems provides tooling, but it also sets an example of how to move to a new, safer and simpler practice, saving not only time but also cost. When you start with the CI/CD pipeline, you have an opportunity to set an example of a successful migration away from long-lived secrets like API keys and passwords.

In Summary

The CI/CD pipeline represents a strategic point of control over your digital estate. It is a central point of control over production. It provides a natural integration point, making it an efficient place to detect the most valuable secrets and remove them with minimal disruption, resulting in a rapid return on investment. Finally, it provides a mechanism to drive a culture change toward a more secure environment that does not rely on long-lived secrets, by providing tooling, practices and a practical example of a successful deployment that other parts of the organization can adopt.

If you have a secrets problem, start with your CI/CD systems to move from managing secrets to eradicating them.

The bottom line: secrets sprawl isn't just a security problem, it's an architectural liability that scales with every new API, every AI integration, and every code push. While secrets managers can help contain the chaos, they don't eliminate it. CI/CD pipelines provide a strategic point of control at which to eliminate secrets. By removing long-lived secrets, you reclaim control over how infrastructure is accessed, reduce your attack surface, and lead the rest of the organization by example. If you want to fix your secrets problem, don't wait: start with the part of your stack that deploys everything else.

SPIRL helps organizations do exactly that. If you're ready to take the first step toward eradicating long-lived secrets from your environment, reach out. We'd love to talk about how to make your CI/CD pipelines the foundation of a safer, simpler, and more scalable identity-first architecture.