CI/CD systems depend on credentials to do their work: to check out code, pull dependencies, push images and deploy. Poorly managed or overly permissive credentials turn that dependency into a sprawl of access points that attackers target first. The common failures of credential hygiene are secrets accidentally committed to source, pipeline credentials with far more privilege than the job needs, secrets baked into container image layers, secrets printed to build logs, and long-lived credentials that are never rotated.

These are not theoretical. The 2021 Travis CI flaw exposed repositories' secure environment variables to builds triggered from forked pull requests, and both of Uber's major breaches traced back to credential mismanagement: in 2016, cloud credentials found in a source repository, and in 2022, hardcoded privileged credentials found in a script after an initial social-engineering foothold.

Mitigating these risks requires a proactive, layered approach to secrets management: map the credential landscape so every secret and its consumers are known; classify secrets by sensitivity and exposure risk; prefer ephemeral credentials that expire shortly after the job that used them; restrict each credential to the pipeline, branch and environment that actually need it; prevent secrets from reaching code in the first place (scanning before commit and in CI); secure console output by masking secrets and never echoing them; and clean build artifacts so that secrets do not survive in image layers, caches or published outputs.
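The two controls that act on pipeline output, detecting secrets before they land in code and masking them in console logs, share the same core: recognise credential-shaped strings in a stream of text. The following is an added, self-contained example (not code from the original page or from any CI product) that scans constructed build-log lines for well-known token shapes (the public formats of AWS access key IDs and GitHub classic personal access tokens) plus generic `name=value` assignments, rates generic hits by Shannon entropy, and produces a redacted copy of the log. The sample log, the `Finding` class and the `ENTROPY_THRESHOLD` value are all assumptions for illustration.

```python
"""Minimal secret detector and log redactor for CI output and diffs.

Added example; the sample log below is constructed, not captured.
"""
import math
import re
from dataclasses import dataclass

# Constructed sample of what a careless CI job might print.
SAMPLE_LOG = """\
[build] Installing dependencies...
[build] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[build] export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[build] git clone https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/org/repo
[build] DEBUG=true
[build] password=changeme
[test] 42 tests passed
"""

# Token formats with a fixed, publicly documented shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic key=value assignments whose key name suggests a credential.
# Deliberately no leading \b, so AWS_SECRET_ACCESS_KEY=... matches on ACCESS_KEY.
GENERIC = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)"
    r"\s*[=:]\s*['\"]?([^\s'\"]{6,})"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed tuning value


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    confidence: str  # "high" for known shapes or random-looking values


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str) -> list[Finding]:
    """Return every credential-shaped string in text, one Finding per hit."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0), "high"))
                seen.add(m.group(0))
        for m in GENERIC.finditer(line):
            value = m.group(2)
            if value in seen:
                continue  # already reported under a specific pattern
            conf = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append(Finding(line_no, "generic_assignment", value, conf))
    return findings


def redact(text: str) -> str:
    """Mask every finding, low confidence included: over-redacting a log
    is cheaper than leaking a credential."""
    out = text
    # Longest values first so a short value never punches a hole in a longer one.
    for f in sorted(find_secrets(text), key=lambda f: len(f.value), reverse=True):
        out = out.replace(f.value, "***")
    return out


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} ({f.confidence})")
    print(redact(SAMPLE_LOG))
```

Run as a pre-commit hook over the staged diff, the same `find_secrets` blocks the commit; run over job output, `redact` gives the masked log. Masking is a last line of defence only: it misses secrets that are base64-encoded, split across lines or transformed before printing, which is why the page's stronger controls (ephemeral, narrowly scoped credentials) matter more than any scanner.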