How do you secure pipeline credentials and avoid long-lived secrets? [Intermediate]
Answer
I secure pipeline credentials by avoiding long-lived secrets, using OIDC or workload identity, scoping credentials to repository and environment, storing unavoidable secrets in a managed secret store, masking logs, rotating regularly, and auditing access.
Technical explanation
Static cloud keys in CI are high risk because they can be leaked from logs, forks, compromised runners, or repository settings.
OIDC allows the CI system to exchange a short-lived identity token for cloud credentials with policy conditions.
Self-hosted runners need additional hardening: isolation, patching, ephemeral runners for untrusted code, and restricted network access.
Hands-on example
Configure GitHub Actions OIDC to assume an AWS IAM role only when repo=org/app, branch=main, workflow=deploy.yml, and environment=prod, then remove the stored AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the repository secrets.
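The trust policy that enforces those four conditions, as an added example rather than code from the original page: a small shell function renders the IAM trust policy for the GitHub OIDC provider, pinned to one repo, environment, workflow and branch. It assumes the account ID 123456789012 and role name app-prod-deploy are placeholders, and that the repository's OIDC sub claim has been customized to include repo, context and job_workflow_ref (GitHub's default sub carries either the branch or the environment, never both, so the combined condition needs the customized claim).

```shell
#!/usr/bin/env sh
# Added example, not from the original page. Renders an IAM trust policy that
# lets sts:AssumeRoleWithWebIdentity succeed only for a GitHub Actions token
# whose sub claim names exactly one repo, environment, workflow file and branch.
# Assumptions: account 123456789012 and role "app-prod-deploy" are placeholders;
# the repo's sub claim has been customized (include_claim_keys: repo, context,
# job_workflow_ref), otherwise the default sub never carries branch and
# environment together and this StringEquals condition can never match.
trust_policy() {
  account="$1"; repo="$2"; env="$3"; workflow="$4"; branch="$5"
  # Exact-match subject: any other repo, environment, workflow or branch is denied.
  sub="repo:${repo}:environment:${env}:job_workflow_ref:${repo}/.github/workflows/${workflow}@refs/heads/${branch}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "${sub}"
        }
      }
    }
  ]
}
EOF
}

# Apply with the AWS and GitHub CLIs (run only with IAM-admin credentials):
#   trust_policy 123456789012 org/app prod deploy.yml main > trust.json
#   aws iam update-assume-role-policy --role-name app-prod-deploy \
#       --policy-document file://trust.json
# Then retire the static keys the role replaces:
#   gh secret delete AWS_ACCESS_KEY_ID --repo org/app
#   gh secret delete AWS_SECRET_ACCESS_KEY --repo org/app
# The deploy job needs "permissions: id-token: write" and passes the role ARN
# to aws-actions/configure-aws-credentials via its role-to-assume input.
```

Because the condition is an exact StringEquals on the subject, a token minted from a fork, a feature branch, or a different workflow file in the same repository fails the assume-role call rather than receiving scoped-down credentials.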