- Run builds in isolated CI workers or dedicated build hosts.
- Pin plugin versions and verify checksums/signatures.
- Restrict source image origins to approved registries.
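One way to enforce the registry restriction as a pre-build gate, shown as an added example that is not part of the original checklist. It assumes source images are container image references; the allowlist hosts, the function names and the sample references are hypothetical.

```python
# Added example: pre-build gate for base-image origins.
# The registry names below are assumed placeholders, not values from the page.
APPROVED_REGISTRIES = {"registry.internal.example", "ghcr.io"}
DEFAULT_REGISTRY = "docker.io"


def registry_of(image_ref: str) -> str:
    """Return the registry host of a container image reference.

    Docker reference convention: the first path component is a registry only
    if it contains '.' or ':' or equals 'localhost'; otherwise the reference
    is implicitly on Docker Hub.
    """
    ref = image_ref.strip()
    if not ref or "://" in ref or any(c.isspace() for c in ref):
        raise ValueError(f"not a plain image reference: {image_ref!r}")
    first, sep, _rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DEFAULT_REGISTRY


def is_approved(image_ref: str, approved=APPROVED_REGISTRIES) -> bool:
    """Exact host match only (port included); substring checks are bypassable."""
    try:
        return registry_of(image_ref) in approved
    except ValueError:
        return False


def gate(image_refs):
    """Return the references that must block the build."""
    return [r for r in image_refs if not is_approved(r)]


# Constructed sample inputs
SAMPLE = [
    "registry.internal.example/base/ubuntu:22.04",
    "ghcr.io/acme/builder@sha256:" + "0" * 64,
    "ubuntu:22.04",                                   # implicit docker.io
    "registry.internal.example.untrusted.test/base",  # lookalike host
    "untrusted.test/registry.internal.example/base",  # approved name only in path
]

if __name__ == "__main__":
    for ref in gate(SAMPLE):
        print("BLOCKED:", ref)
```
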
Secret Handling
- Inject secrets via secure CI variables or vault integration.
- Avoid writing credentials into build logs or image artifacts.
- Rotate cloud/API credentials used by builders.
- Scan produced images for vulnerabilities before release.
- Sign and version images with immutable metadata.
- Maintain an approved image lifecycle and deprecation policy.