How to prevent secrets from being stolen?
If you are concerned with a bad actor stealing your secrets, there are some measures you can put in place to reduce this risk:
- do not expose secrets to pull requests (this is the default setting)
- use protected branches
- perform code reviews
- sign your yaml files as described in the documentation
The risk of a malicious developer exposing a secret is the same as a malicious developer adding malicious code to your codebase. You should follow best practices and only grant push access to individuals you trust and you should use code reviews to further mitigate risks.
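To make the first measure concrete, here is an added example (not from the original post and not Drone's own configuration) of a pipeline step that consumes a secret only on push events to the protected branch, so the secret is never available to a pull request build even if someone later changes the "expose to pull requests" default. It assumes Drone 1.x pipeline syntax (`from_secret`, `when.event`, `when.branch`) and a secret named `deploy_token`, which is a placeholder name.

```yaml
kind: pipeline
name: default

steps:
# Runs for every event, including pull requests: no secrets are referenced here,
# so untrusted code from a fork can only see the build itself.
- name: test
  image: golang:1.14
  commands:
  - go test ./...

# Runs only after code has been reviewed and merged to the protected branch.
# The secret is injected from Drone's secret store; `deploy_token` is a
# placeholder name for this example.
- name: deploy
  image: alpine
  environment:
    DEPLOY_TOKEN:
      from_secret: deploy_token
  commands:
  - ./deploy.sh
  when:
    event:
    - push
    branch:
    - master
```

Combined with a protected branch that requires review, this keeps secret-consuming steps behind the same gate as merges to `master`: a malicious change to the deploy step still has to pass review before it can run with the secret in its environment.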
1-2-3: these do not prevent them from being stolen.
the drone itself doesn’t even use sign https://github.com/drone/drone/blob/master/.drone.yml
Drone does not expose secrets to pull requests, which represents the biggest risk. Furthermore, we perform strict code reviews and we limit who has write access to the repository. We believe this is sufficient based on our deep understanding of the system and the attack surface.