While reviewing recent build pipeline logs for a new web application, a developer notices tokens exposed in environment variables. Which approach most effectively reduces this exposure and prevents unauthorized access?
Embed tokens in the source code and apply cryptographic hashing
Use stronger passphrases in environment variables but limit user permissions
Store tokens in a dedicated vault that provides ephemeral credentials
Send logs to a separate server to hide visible tokens in pipeline output
Using a dedicated vault that generates temporary credentials limits risk by ensuring the tokens are not stored in readable form within system logs or code. Storing passphrases in environment variables or code remains risky even with added restrictions, and masking lines in logs does not address potential leaks elsewhere. Dynamic credentials help reduce the persistence and scope of any potential exposure.