
Category: Security (difficulty: medium)

How do you manage secrets in CI/CD and production?

Tags
#secrets #ci-cd #vault

Answer

Store secrets in a dedicated secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager), inject them into the workload at runtime, and rotate them on a schedule. Never hardcode them in source, images or config files, grant each workload least-privilege access to only the secrets it needs, mask them in CI/CD output, and audit who and what reads each secret through the secrets manager's access logs.

Advanced answer

Deep dive

Secrets should be short-lived, scoped, and auditable:

  • Use a secrets manager and fetch secrets at runtime, not at build time, so they never land in an image layer or build artifact.
  • Use OIDC workload identity in CI (GitHub Actions, GitLab and similar issue a signed identity token per job) to exchange that token for temporary cloud credentials, so no long-lived cloud keys are stored in the CI system at all.
  • Rotate keys on a schedule, revoke immediately on an incident, and run secret scanning over repositories, images and logs.
  • Keep secrets out of logs, build artifacts and client-side bundles.

Examples

CI uses OIDC to request short-lived cloud credentials. The job presents a signed ID token carrying its repository, branch or environment in the claims; the cloud's token service validates issuer, audience and subject against the role's trust policy and, only if they match, returns temporary role credentials:

GitHub Actions job -> OIDC ID token (signed by GitHub, repo/branch claims) -> Cloud STS validates iss/aud/sub against trust policy -> temp role creds
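The trust decision the cloud STS makes in the flow above, written out in Python as an added illustration that is not part of the original answer. It also shows a pitfall the flow itself hides: an over-broad subject pattern in the trust policy lets a token minted for an untrusted pull request assume the same role as a main-branch deploy. The repository name, policy contents and claim values are constructed for the example, and verification of the JWT signature against GitHub's JWKS is assumed to have happened before this check runs.

```python
"""Trust-policy evaluation for a GitHub Actions OIDC token, as a cloud STS
does it before issuing temporary role credentials.  Added illustration:
claim values, repository and policy are constructed, and the JWT signature
is assumed to have been verified against the issuer's JWKS already."""
import re
import time

ISSUER = "https://token.actions.githubusercontent.com"


def github_subject(repo, *, ref=None, environment=None, pull_request=False):
    """Build the `sub` claim GitHub places in a job's token: branch and tag
    runs get ref:<ref>, environment-gated jobs get environment:<name>, and
    pull_request-triggered runs get the literal pull_request suffix."""
    if environment is not None:
        return f"repo:{repo}:environment:{environment}"
    if pull_request:
        return f"repo:{repo}:pull_request"
    if ref is None:
        raise ValueError("need ref, environment or pull_request")
    return f"repo:{repo}:ref:{ref}"


def _like(pattern, value):
    """Wildcard match where '*' is the only metacharacter, mirroring the
    StringLike-style conditions used in role trust policies."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate_trust(claims, policy, now=None):
    """Return (allowed, reason).  Every missing or mismatched claim denies."""
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in audiences:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token missing exp or expired"
    sub = claims.get("sub", "")
    if not any(_like(p, sub) for p in policy["subjects"]):
        return False, f"subject not trusted: {sub}"
    return True, "ok"


def make_claims(sub, now, ttl=300):
    """Constructed claim set shaped like a GitHub Actions OIDC token payload."""
    return {"iss": ISSUER, "aud": "sts.amazonaws.com", "sub": sub,
            "iat": now, "exp": now + ttl}


REPO = "example-org/payments-api"  # constructed repository name

# Scoped policy: only main-branch runs and the production environment may
# assume the deploy role.
SCOPED_POLICY = {
    "issuer": ISSUER,
    "audience": "sts.amazonaws.com",
    "subjects": [github_subject(REPO, ref="refs/heads/main"),
                 github_subject(REPO, environment="production")],
}

# Over-broad policy: any workflow in the org, including one triggered by an
# untrusted pull request, satisfies the subject condition.
BROAD_POLICY = {**SCOPED_POLICY, "subjects": ["repo:example-org/*"]}

if __name__ == "__main__":
    now = 1_700_000_000
    tokens = {
        "main branch": make_claims(github_subject(REPO, ref="refs/heads/main"), now),
        "pull request": make_claims(github_subject(REPO, pull_request=True), now),
    }
    for policy_name, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        for token_name, claims in tokens.items():
            print(f"{policy_name:6} {token_name:12} -> {evaluate_trust(claims, policy, now=now)}")
```

Running it shows the scoped policy admitting only the main-branch token while the broad `repo:example-org/*` pattern admits the pull-request token too. The practical rule this encodes: pin the subject to the exact branch or environment that is allowed to deploy, and treat wildcards in the subject condition as a finding.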

Common pitfalls

  • Baking secrets into Docker image layers or front-end bundles; both are distributed artifacts, so anything in them is effectively public.
  • Long-lived access keys shared across services, so a single leak compromises every consumer and rotation becomes a risky, coordinated event.
  • Logging secrets by accident (debug output, error messages, stack traces, echoed environment variables).
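An added example (not from the original page) covering the leak-scanning point in the deep dive and the logging pitfall above: a small scanner run over constructed CI log lines, plus a logging filter that masks known secret values and common credential shapes before a record reaches CI output. The regexes are illustrative rather than exhaustive, and every log line and secret value is constructed for the demonstration (AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id).

```python
"""Leak scanning and log hygiene for CI output.  Added example; the
regexes are illustrative rather than exhaustive, and every log line and
secret value below is constructed for the demonstration."""
import io
import logging
import re

# Credential shapes worth catching in logs, repos and images.  The last
# capturing group (when present) is the secret value itself.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]+=*)")),
    ("kv_secret", re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def find_secrets(text):
    """Return [(kind, value)] for every credential-shaped match in text."""
    hits = []
    for kind, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            hits.append((kind, value))
    return hits


def scan_log(lines):
    """Scan a whole log: return [(1-based line number, kind)] per hit."""
    return [(n, kind) for n, line in enumerate(lines, 1) for kind, _ in find_secrets(line)]


def redact(text, known_secrets=()):
    """Mask known secret values first (exact match, the same idea as
    GitHub Actions' ::add-mask::), then anything credential-shaped."""
    for value in sorted(known_secrets, key=len, reverse=True):
        if value:
            text = text.replace(value, "[REDACTED]")
    for kind, value in find_secrets(text):
        text = text.replace(value, f"[REDACTED:{kind}]")
    return text


class RedactingFilter(logging.Filter):
    """Attach to a handler so secrets are masked before a record is emitted,
    whether they sit in the format string or in the arguments."""

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known = set(known_secrets)

    def filter(self, record):
        record.msg = redact(str(record.msg), self.known)
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a), self.known) for a in record.args)
        return True


def log_through_filter(messages, known_secrets=()):
    """Emit messages via a logger guarded by RedactingFilter; return the output."""
    buf = io.StringIO()
    logger = logging.getLogger("ci-redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter(known_secrets))
    logger.addHandler(handler)
    for message in messages:
        logger.info("%s", message)
    handler.flush()
    return buf.getvalue()


# Constructed CI log excerpt.  AKIAIOSFODNN7EXAMPLE is AWS's documented
# placeholder key id; the other values are made up for this example.
SAMPLE_LOG = [
    "INFO  deploy started for payments-api",
    "DEBUG env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "DEBUG curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln' https://api.example.internal/",
    "ERROR db connect failed: password=correct-horse-battery host=db1",
    "INFO  pushing with token ghp_0123456789abcdefghijABCDEFGHIJ012345",
]
KNOWN = {"correct-horse-battery"}  # constructed value fetched from the secrets manager

if __name__ == "__main__":
    for n, kind in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind}")
    print(log_through_filter(SAMPLE_LOG, KNOWN), end="")
```

The two halves serve different moments: scan_log is what a post-incident or scheduled sweep runs over archived CI logs, repositories and image layers, while RedactingFilter is the preventive control that sits on the handler so a stray debug line never writes the value in the first place. Masking known values fetched from the secrets manager catches secrets that match no pattern at all, which is why the exact-match pass runs before the regex pass.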

Interview follow-ups

  • How do you handle secret rotation without downtime?
  • How do you prevent secret sprawl?
  • What would you do after a secret leak?

Related questions

DevOps
Configuration vs secrets — how should you manage them in DevOps?
#secrets #config #security
Cloud
Secrets rotation: how do you rotate credentials without downtime?
#cloud #security #secrets
Cloud
Secrets vs config — where should you store secrets in a cloud setup?
#secrets #kms #security