Dave WardEvery CI/CD pipeline I've audited had at least one hardcoded secret. Developer adds a credential "temporarily," it persists in git history forever. Internal repos give false security; one compromised workstation exposes every secret in source control.
Pipeline credentials are privileged credentials outside PAM governance. Vault them. Rotate them. Monitor them.