Build or artifact systems access details visible

Your build systems and frameworks, such as Gradle, Maven and others, are responsible for building your software in a reliable, fast and productive way. They are also responsible for doing so securely. Since you may have private artifact storage, services and repositories, the build needs to use their credentials.

It is necessary to keep the access details and credentials of these systems out of your build configuration code and out of any other plainly visible asset: an attacker who obtains them can tamper with libraries, inject code, and take over your IP as well as other sensitive data.

Problem

Build-system or artifact-service access details, passwords or tokens are visible or hardcoded.
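A practitioner's first question is how to find the problem in an existing code base. The following check is an added example, not part of the original page: it scans build files for credential keys (password, token, secret, API key) assigned a literal value, and ignores values that are resolved indirectly through environment variables or properties. The sample Gradle and Maven snippets are constructed for the example; the file names, regexes and indirection markers are the example's own assumptions, not a standard.

```python
from __future__ import annotations

import re

# Constructed sample build files (not from any real project). Two of them
# hardcode a credential; the other two resolve it from the environment.
SAMPLE_FILES = {
    "build.gradle": """
repositories {
    maven {
        url "https://artifacts.example.invalid/repo"
        credentials {
            username "ci-user"
            password "hunter2-hardcoded"
        }
    }
}
""",
    "settings-bad.xml": """
<settings>
  <servers>
    <server>
      <id>internal-repo</id>
      <username>ci-user</username>
      <password>s3cr3t-literal</password>
    </server>
  </servers>
</settings>
""",
    "settings.xml": """
<settings>
  <servers>
    <server>
      <id>internal-repo</id>
      <username>${env.REPO_USER}</username>
      <password>${env.REPO_TOKEN}</password>
    </server>
  </servers>
</settings>
""",
    "build.gradle.kts": """
credentials {
    username = System.getenv("REPO_USER")
    password = System.getenv("REPO_TOKEN")
}
""",
}

# A credential-looking key followed by a quoted literal (Groovy/Kotlin DSL,
# properties files), or an XML element with the same kind of name.
LITERAL = re.compile(
    r"""(?ix)
    (?P<key>password|passwd|token|secret|api[_-]?key)\s*[=:]?\s*["'](?P<val>[^"']+)["']
    | <(?P<xkey>password|token|secret)>(?P<xval>[^<]+)</(?P=xkey)>
    """
)

# Value fragments that indicate the secret is looked up at build time rather
# than written into the file (assumed list; extend for your own tooling).
INDIRECTION = ("${", "System.getenv", "findProperty", "gradleProperty",
               "environmentVariable", "providers.", "env.")


def is_indirection(value: str) -> bool:
    """True when the value references an environment variable or property."""
    return any(marker in value for marker in INDIRECTION)


def find_hardcoded_credentials(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, key) for every literal credential in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = LITERAL.search(line)
        if not match:
            continue
        key = match.group("key") or match.group("xkey")
        value = match.group("val") or match.group("xval")
        if is_indirection(value):
            continue
        findings.append((path, lineno, key.lower()))
    return findings


def scan_all(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan a mapping of path -> file contents and collect all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(find_hardcoded_credentials(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, key in scan_all(SAMPLE_FILES):
        print(f"{path}:{lineno}: hardcoded {key}")
```

Run against a real repository, the same scanner would walk `build.gradle*`, `pom.xml`, `settings.xml` and `gradle.properties` files; the regex is deliberately narrow so that it reports literals only, and a finding is a prompt to move the value into one of the stores listed under Fix.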

Fix

Infrastructure

  1. Use a cloud-native secret store, such as AWS Secrets Manager
  2. Use a dedicated vault product, such as:
    1. CyberArk Vault
    2. HashiCorp Vault

Architecture

  1. Prefer a 12-factor architecture
  2. Use a dotenv-style secret-loading library (one that reads a .env file) for your specific tech stack
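The two architecture points above, as an added example that is not part of the original page: credentials are resolved in 12-factor order (process environment first, then a local .env file for development, otherwise fail loudly) and are handed to the build through environment variables rather than written into build code. The minimal .env parser stands in for the dotenv libraries the text refers to; the `.env` contents, the variable names `REPO_USER`/`REPO_TOKEN` and the property name `repoToken` are constructed for the example. The `ORG_GRADLE_PROJECT_<name>` mapping is Gradle's documented way of setting a project property from the environment.

```python
from __future__ import annotations

import os

# Constructed .env file for local development (never committed).
DOTENV_TEXT = """
# local developer settings (constructed sample)
export REPO_USER=ci-user
REPO_TOKEN='tok-from-dotenv'
"""


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes, 'export ' prefix."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


class MissingSecret(RuntimeError):
    """Raised when a required secret is not available from any allowed source."""


def resolve_secret(name: str, environ: dict[str, str] | None = None,
                   dotenv_text: str | None = None) -> str:
    """12-factor lookup: real environment wins, .env is a development fallback,
    and there is deliberately no literal default in code."""
    env = os.environ if environ is None else environ
    if env.get(name):
        return env[name]
    if dotenv_text is not None:
        local = parse_dotenv(dotenv_text)
        if local.get(name):
            return local[name]
    raise MissingSecret(f"{name} is not set; provide it via the environment or a local .env")


def gradle_project_env(properties: dict[str, str]) -> dict[str, str]:
    """Expose values as Gradle project properties through the environment, so a
    build script can call project.findProperty("repoToken") without the value
    ever appearing in the script or on the command line."""
    return {f"ORG_GRADLE_PROJECT_{name}": value for name, value in properties.items()}


def mask(secret: str) -> str:
    """Log-safe representation: reveals only the length, never the content."""
    return f"<redacted:{len(secret)} chars>"


if __name__ == "__main__":
    user = resolve_secret("REPO_USER", dotenv_text=DOTENV_TEXT)
    token = resolve_secret("REPO_TOKEN", dotenv_text=DOTENV_TEXT)
    build_env = {**os.environ, **gradle_project_env({"repoUser": user, "repoToken": token})}
    print("repoToken =", mask(build_env["ORG_GRADLE_PROJECT_repoToken"]))
```

In CI the values arrive in the process environment from the secret store (a cloud secret manager or a vault, as listed under Infrastructure) and the `.env` branch is never reached; locally a developer keeps a gitignored `.env`. Either way the build script itself contains only the lookup, never the value.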

See