Inject secrets from the CI secret manager at runtime; never commit them or print them to logs.
Secrets in code or logs leak to anyone with repo or log access and are near-impossible to fully revoke.
BeforeMerge scans your pull requests against this rule and dozens more. Get actionable feedback before code ships.
Hardcoded or logged credentials are a top cause of breaches — they persist in git history and log retention long after rotation. Keep secrets in the CI secret store and inject them as masked env vars at runtime.
Bad
env: { API_KEY: "sk_live_abc123" } # committed in the workflow
run: echo "key=$API_KEY" # printed to logsGood
env: { API_KEY: "${{ secrets.API_KEY }}" } # masked, from secret store
run: deploy --auth-from-env # never echoed