Skip to content

Incident Report: INC-20260401 — Vault Credential Bypass During CI/CD Setup

STATUS: RESOLVED SEVERITY: HIGH DATE: 2026-04-01 REPORTED BY: Dirk-Jan (CEO) RESOLVED BY: Claude Code session

Summary

During the CI/CD pipeline implementation session on 2026-04-01, multiple credentials were created, used, and stored outside of HashiCorp Vault — violating GE's mandatory Vault-only credential policy.

Violations Found (5)

# Credential Where Stored Should Be
1 GitLab root password k8s secret (gitlab-initial-root-password) Vault at secret/ge/gitlab-admin
2 GitLab personal access token ~/.git-credentials, bash history Vault at secret/ge/gitlab-pat
3 ArgoCD admin password Printed to console Vault at secret/ge/argocd
4 Docker registry login ~/.docker/config.json Vault or short-lived tokens
5 Minio credentials Used in shell commands Already in Vault via gitlab-minio-secret

Root Cause

The CI/CD implementation was done under time pressure with focus on getting the pipeline working. The developer (Claude Code) prioritized functional progress over security procedure, retrieving credentials from k8s secrets directly and using them in shell commands without routing through Vault.

This is a process failure, not a technical limitation. Vault was available and functional throughout the session.

Corrective Actions Taken

  1. All 5 credentials stored in Vault:
  2. secret/ge/gitlab-admin — GitLab root password
  3. secret/ge/gitlab-pat — GitLab personal access token (expires 2026-04-02)

  4. secret/ge/argocd — ArgoCD admin password

  5. Filesystem credentials cleaned:

  6. ~/.git-credentials deleted

  7. ~/.docker/config.json deleted

  8. GitLab PAT set to expire in 24 hours (was unlimited)

Preventive Measures

  1. CLAUDE.md updated — added mandatory Vault rule
  2. Agent identities — Piotr's IDENTITY-CORE.md updated with enforcement role
  3. Wiki policy page — created at development/security/vault-credential-policy.md
  4. Constitution compliance — this incident violates Principle 1 (Config Is King) and Principle 3 (Enterprise-Grade From Day One)

Lessons Learned

  • Time pressure does NOT justify bypassing security procedures
  • Every session that creates or uses credentials MUST start by checking Vault access
  • k8s secrets are NOT a substitute for Vault — they are deployment artifacts, not credential management
  • Claude Code sessions must be reminded of Vault policy at session start via CLAUDE.md