Automated secrets rotation with Doppler and GitHub Actions

Secrets rotation is a necessary security measure for any organization, but it's often neglected, especially since it can be a tedious task that must be performed regularly. Engineers provide a number of reasons for disregarding rotation entirely, with many specifically citing fear of downtime and the potential for unintended consequences. Unfortunately, when a security breach happens, these concerns no longer matter.

So what can be done? To make sure secrets rotation is performed regularly, without fear of disruption, organizations can use GitHub Actions with Doppler secrets rotation.

What is secrets rotation?

Secrets rotation is the process of regularly updating and refreshing secrets, such as passwords, keys, and certificates. It's an important security practice that helps reduce the risk of unauthorized access to sensitive data. When secrets remain static for long periods, they become vulnerable to attacks from bad actors who can use brute force methods or other techniques to gain access. And using outdated secrets extends the duration that an exposed secret can be exploited. For example, this could happen if a secret is inadvertently logged (e.g., recorded during a meeting) or when a former employee retains a copy of the secret. By regularly rotating secrets, organizations can minimize potential attack surfaces and ensure that only those authorized to access the secrets can do so.

Secrets rotation is performed in one of two contexts: proactive and reactive.

• Proactive rotation is performed at a regular cadence (on a schedule). Proactive rotation limits a secret’s useful lifetime, reducing the potential impact of a leaked secret. It’s also good to pair with organizational events such as deprovisioning a team member.
• Reactive rotation is performed in response to an event, such as a leak or breach, in order to immediately invalidate a secret.

Because of how important secrets management and rotation is to an organization, many teams are hesitant to rotate secrets regularly without the proper tools or policies.

Experiencing secrets rotation anxiety

Ultimately, even if we knew all along that regular secrets rotation is an important part of secure development, we still may not perform it regularly. There are numerous reasons why:

• No Centralization: Not knowing which secrets are being used and where they’re being used can lead to a security breach if not all secrets are properly updated and rotated. This is known as secret sprawl!‍
• Lack of awareness: Some developers may not be aware of the importance of secrets rotation, may underestimate the potential risks associated with static secrets, and/or may not have the knowledge to set up automatic rotation for their secrets.‍
• Time constraints: Developers often face tight deadlines and may prioritize feature development and bug fixes over security best practices like secrets rotation. A botched rotation or one that doesn’t factor in all instances of a secret could result in downtime for services. ‍
• Complexity and breaking functionality: Implementing secrets rotation—even without automations—can be complex, especially in large-scale applications or distributed systems. Developers may be concerned that rotating secrets could disrupt application functionality or cause unforeseen issues, leading them to avoid making changes unless absolutely necessary.‍
• Insufficient tools and automation: The absence of easy-to-use tools and automation solutions for managing and rotating secrets can make the process complex and prone to human error.‍
• Lack of clear policies and guidelines: Without well-defined policies and guidelines for secrets rotation, developers may not know when or how to rotate secrets effectively.‍
• Inadequate monitoring and auditing: If no effective system exists to monitor and audit the use of secrets and the responsibility is unclear for who rotates secrets, developers may not be held accountable for failing to rotate secrets regularly.‍
• Relying too heavily on multiple third-party services: Developers who rely heavily on third-party services for managing secrets may assume that these services handle secrets rotation automatically, but often don’t provide a holistic view of what secrets are being used where, and when they should be rotated.‍
• Using legacy systems: In some cases, developers may be working with legacy systems that do not have built-in support for secrets rotation or are difficult to modify without causing significant disruptions.

Secrets rotation best practices for any organization

When implementing secret rotations, it's important to establish policies, procedures, and guidelines that your engineering, development, and security teams should follow and maintain.

• Define rotation frequency and triggers: Establish an appropriate rotation frequency for each type of secret based on its sensitivity, potential attack vectors, and regulatory requirements. You should also define specific triggers, such as personnel changes or suspected security incidents, that would require immediate secrets rotation.
• Centralize secrets management: Use a centralized secrets management solution, to store, manage, and rotate secrets securely. This approach ensures better control over access, simplifies the rotation process, and helps maintain consistency across your applications and infrastructure.
• Use versioning and short-lived secrets: Implement versioning for secrets, allowing for a smoother transition during rotation while minimizing the risk of breaking functionality. Where possible, use dynamic secrets or short-lived secrets (e.g., temporary tokens or credentials) that automatically expire after a certain period, reducing the window of opportunity for bad actors to exploit stale secrets.
• Regularly audit and monitor usage: Track any changes made to secrets for any compliance obligations and to better understand how to proactively prevent and address any future attacks. Gaining insight into observable issues and patterns means your team can revise security and secrets rotation policies to account for new methods bad actors use to gain access to systems and services.
• Implement strong encryption: Ensure that all secrets are encrypted both at rest and in transit using industry-standard encryption algorithms and protocols. This adds an extra layer of protection, making it more difficult for attackers to access or decipher sensitive information even if they manage to obtain the secret.
• Educate and train your team: Provide regular training and education to your development, operations, and security teams on the importance of secrets rotation and the best practices to follow. Encourage a culture of security awareness and continuous improvement, ensuring that everyone understands their role in maintaining the confidentiality, integrity, and availability of sensitive information. And don’t forget to research and stay aware of the latest news in security breaches and exploits.

When security breaches occur, they are often the result of a vulnerability in the organization’s secrets management system. Having strong foundational security policies coupled with a plan for spreading awareness throughout your organization is crucial to staying secure.

Integrate Doppler for automated secrets rotation with GitHub Actions

At this point we’ve reviewed what goes into secrets rotation, and we have working knowledge of best practices, along with insight into the frustrations developers, engineers, and security teams experience to rotate secrets. Now let’s explore how Doppler incorporates many of the best practices we’ve reviewed to relieve your security and DevOps concerns.

Doppler is a centralized secrets manager and rotation platform that streamlines and enforces your SecretOps processes, giving you visibility into secrets usage that creates confidence when performing rotation. Using Doppler for secrets rotation results in zero disruption to services and downtime is eliminated because of a two secret strategy for automated rotation. This means you can pair Doppler with automation via GitHub Actions to rotate secrets with consistent, predictable results. Though it’s worth noting that Doppler currently doesn’t support rotating GitHub Personal Access Tokens due to GitHub’s API not supporting this capability.

Using Doppler, you can also easily pair proactive rotation with organizational events such as regular maintenance to ensure reliability in your process as well as reactive rotation in response to an event such as a leak or breach. As soon as you connect Doppler with GitHub Actions, you’ve made the first step towards organizing your secret sprawl.

Connect Doppler with GitHub Actions

It’s easy to automate your secrets rotation with Doppler using GitHub Actions. In just a few steps, you’ll be able to add, update or remove a secret in Doppler, and that change will instantly reflect in the desired GitHub repository.

1. Create an account with Doppler (yes, for free!)
2. Set up your environment for GitHub
3. Set up the GitHub Actions integration to authorize Doppler to connect with GitHub Actions.

That’s it! You’re able to customize your desired secrets rotation schedule or rotate secrets immediately right from Doppler. Because they’re connected, Doppler automatically writes the latest secrets to GitHub Actions as secrets are rotated by Doppler. This ensures that code running on GitHub Actions always has the latest secrets.

Learn more about secrets rotation with Doppler and integrating with GitHub:

• Doppler’s Automated Secrets Rotation Overview
• Integrate Doppler with GitHub Actions