Secrets Management in CI/CD Components
We are an Ultimate customer. We are currently building a CI/CD component which will sign an APK with a private key.
We pull that key in via AWS Secrets Manager; however, we are still at risk of someone managing to echo it out in the pipeline if they overwrote the "script" block, for example.
This is a component which would only be present when a user has a specific file to build, so it wouldn't necessarily make sense for it to belong in a compliance pipeline, but we do want to prevent people mutating the job / getting access to that .rsa key value.
Have you got any thoughts for how we could achieve this?