Replace secret values with reference tags
Collect all secrets from your CircleCI environment and use the SecretHub CLI to safely store them in a centralized location.
secrethub:// reference tags to your job in either your
.circleci/config.yml file or in CircleCI Contexts, to automatically load secrets at runtime:
A single source of truth, codified and version controlled
- No hidden pipeline dependencies: secrets explicitly declared in the same file as the job
- No more manually syncing the CircleCI Environment Variables GUI
- Easier pipeline development because secret definitions can be branched too
Prevent accidents and leaks
- Scope secrets to a single command or job, instead of the entire CircleCI config
- All secret values are automatically masked from log output
Control & monitor when your CircleCI job reads secrets
Every time your CircleCI job starts, secret reads gets recorded on the audit log. Restrict access to only the secrets it needs and know that you can revoke access with a single command.