Automation Playbook: Integrating CipherSend into CI/CD and ChatOps

High-performing teams eliminate manual steps when handling secrets. Use this guide to embed CipherSend into your existing tooling—so every secret stays ephemeral without slowing down delivery.

Integration Highlights

• ✅ Trigger secrets directly from CI/CD pipelines
• ✅ Deliver one-time links into Slack or Microsoft Teams
• ✅ Govern secrets with audit trails and expiration policies

Step 1: Provision API Access

1. Generate an API token from your account console
2. Restrict scopes to secrets:create and secrets:revoke
3. Store the token in your CI/CD secret manager (GitHub Actions, GitLab CI, CircleCI, or Jenkins)

# GitHub Actions example
name: Deploy service

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Share database password securely
        env:
          CIPHERSEND_TOKEN: ${{ secrets.CIPHERSEND_TOKEN }}
        run: |
          curl -X POST \
            https://api.ciphersend.link/v1/secrets \
            -H "Authorization: Bearer $CIPHERSEND_TOKEN" \
            -H "Content-Type: application/json" \
            -d '{
                  "payload": "${{ secrets.DATABASE_PASSWORD }}",
                  "expiresIn": 3600,
                  "notifyOnAccess": true,
                  "clientSideEncryption": false
                }' \
            | jq -r '.link' > secret-link.txt

      - name: Share secret in Slack
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
        run: |
          curl -X POST $SLACK_WEBHOOK \
            -H 'Content-type: application/json' \
            --data "{\"text\": \"🔐 Deployment secret ready: $(cat secret-link.txt)\"}"

Step 2: Add ChatOps Notifications

Slack Workflow Builder

1. Create a new workflow triggered by the :lock: emoji reaction
2. Ask for the secret value in a private form
3. Use the CipherSend webhook to generate a one-time link
4. Post the link and expiration policy into the request thread

Microsoft Teams Power Automate

• Listen for @CipherSend share command
• Collect the secret and optional passphrase
• Return a card with the one-time link and copy buttons

Step 3: Automate Rotations

• Schedule nightly jobs to rotate database passwords
• Trigger rotation whenever a sensitive role changes hands
• Alert security if an unused secret remains in queue > 24h

# Example rotation script (Node.js)
node rotate-secret.mjs --secret-name staging-db --notify security-team

The script:

• Fetches the latest credential from your vault
• Generates a CipherSend link with 6-hour expiration
• Sends notifications via Slack + PagerDuty
• Logs the rotation in your SIEM using structured JSON

Step 4: Add Observability Hooks

• Stream secret creation events into Datadog or Splunk
• Track who accessed which secret and when
• Alert when an unusual number of secrets are generated outside business hours

{
  "event": "secret_accessed",
  "id": "sf8901sdfg",
  "actor": "samantha@company.com",
  "timestamp": "2024-11-05T16:12:04.112Z",
  "ip": "203.0.113.45",
  "metadata": {
    "pipeline": "payments-deploy",
    "environment": "production"
  }
}

Step 5: Govern with Policies

• Require approval for secrets generated in production
• Automatically revoke unused links after 30 minutes
• Limit day-to-day secrets to predefined channels
• Provide auditors with exportable logs

Bonus: Self-Serve Portal for Internal Teams

Create an internal page where team members can request secrets without contacting DevOps. Integrate with:

• Identity provider (Okta, Azure AD) for automatic access validation
• Ticketing systems (Jira, Linear) to attest why a secret was needed
• Webhooks to generate and distribute links instantly

Ready to automate secure sharing end-to-end?

Last updated: November 5, 2024 Reading time: 7 minutes