Integrations

Connect SikkerKey to your CI/CD platforms, container orchestration, and deployment workflows.

SikkerKey integrates with the platforms your team already uses. The model is the same regardless of where your code runs: a machine identity is bootstrapped into the runtime environment, and the CLI or SDK fetches secrets at runtime over an Ed25519-signed request. For CI/CD integrations, SikkerKey never writes plaintext secret values into a third-party platform's storage on your behalf.

CI/CD Integrations

GitHub Actions, GitLab CI/CD, and Bitbucket Pipelines all follow the same workflow-time bootstrap model:

  1. Generate a bootstrap script and a YAML snippet from the dashboard, scoped to an enrollment token.
  2. Commit the script to your repository and add the enrollment-token plaintext to the platform's encrypted variable store.
  3. The pipeline runs the bootstrap script on each job. The script registers a one-time machine identity, pulls the granted secrets from SikkerKey, and exposes them as environment variables for the rest of the job.

The plaintext secret values never sit at rest in GitHub, GitLab, or Bitbucket. The only thing in their secret store is the enrollment-token reference SikkerKey uses to mint a temporary machine.

  • Each job produces a unique ephemeral machine, generated on the runner. Private keys live only on the runner and disappear when it's torn down.
  • The enrollment token's policy (projects, secrets, source CIDR, hostname pattern, TTL, max uses) limits what any one runner can see.
  • Every enrollment and every secret read is audit-logged, attributed to the parent token along with the runner's IP.
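The bootstrap model above, worked through end to end as an added example (this is illustrative code written for this page, not SikkerKey's CLI, SDK or API). It uses Go's standard-library Ed25519: the runner generates a keypair that never leaves it, enrolls its public key under an enrollment token whose policy (granted secrets, source CIDR, TTL, max uses) is enforced server-side, then pulls each secret with a signed, timestamped request that the server verifies and audit-logs against the parent token and runner IP. The type and function names (NewDemoServer, Enroll, FetchSecret, RunJob), the signing-input layout, the 30-second timestamp window, and the token, CIDR and secret values are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// EnrollmentToken carries the policy the page lists. Field names are this
// example's own assumption, not SikkerKey's schema.
type EnrollmentToken struct {
	Secrets    []string   // secret names the token may grant
	SourceCIDR *net.IPNet // runners must enroll from this range
	ExpiresAt  time.Time  // TTL for the token and the machines it mints
	MaxUses    int
	uses       int
}

// Machine is the server-side record of an ephemeral identity; only the public key is kept.
type Machine struct {
	Pub       ed25519.PublicKey
	TokenID   string
	ExpiresAt time.Time
}

// AuditEvent attributes each enrollment and read to the parent token and source IP.
type AuditEvent struct{ Kind, MachineID, TokenID, Secret, SourceIP string }

// Server is a constructed stand-in for the secrets service, not a real API.
type Server struct {
	tokens   map[string]*EnrollmentToken
	machines map[string]*Machine
	secrets  map[string]string
	Audit    []AuditEvent
	nextID   int
}

// NewDemoServer seeds one token (constructed values) and two secrets, only one of them granted.
func NewDemoServer(now time.Time) *Server {
	_, cidr, _ := net.ParseCIDR("10.0.0.0/8") // constructed runner network
	return &Server{
		tokens: map[string]*EnrollmentToken{"tok-ci": {
			Secrets: []string{"DB_PASSWORD"}, SourceCIDR: cidr, ExpiresAt: now.Add(time.Hour), MaxUses: 2}},
		machines: map[string]*Machine{},
		secrets:  map[string]string{"DB_PASSWORD": "constructed-db-password", "ADMIN_KEY": "not-granted"},
	}
}

// Enroll mints a machine for a runner's freshly generated public key, enforcing the token policy.
func (s *Server) Enroll(tokenID string, pub ed25519.PublicKey, ip net.IP, now time.Time) (string, error) {
	t, ok := s.tokens[tokenID]
	switch {
	case !ok:
		return "", errors.New("unknown enrollment token")
	case now.After(t.ExpiresAt):
		return "", errors.New("enrollment token expired")
	case t.uses >= t.MaxUses:
		return "", errors.New("enrollment token exhausted (max uses)")
	case !t.SourceCIDR.Contains(ip):
		return "", errors.New("runner IP outside token source CIDR")
	}
	t.uses++
	s.nextID++
	id := fmt.Sprintf("machine-%d", s.nextID)
	s.machines[id] = &Machine{Pub: pub, TokenID: tokenID, ExpiresAt: t.ExpiresAt}
	s.Audit = append(s.Audit, AuditEvent{"enroll", id, tokenID, "", ip.String()})
	return id, nil
}

// signingInput is the canonical message both sides sign/verify: machine id, secret name, unix time.
func signingInput(machineID, secret string, ts int64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append([]byte(machineID+"\x00"+secret+"\x00"), buf...)
}

// FetchSecret checks the machine is live, the timestamp is fresh (no replay), the Ed25519
// signature matches the enrolled key, and the secret is within the parent token's grant.
func (s *Server) FetchSecret(machineID, secret string, ts int64, sig []byte, ip net.IP, now time.Time) (string, error) {
	m, ok := s.machines[machineID]
	if !ok || now.After(m.ExpiresAt) {
		return "", errors.New("unknown or expired machine identity")
	}
	if skew := now.Unix() - ts; skew < -30 || skew > 30 {
		return "", errors.New("request timestamp outside 30s window (possible replay)")
	}
	if !ed25519.Verify(m.Pub, signingInput(machineID, secret, ts), sig) {
		return "", errors.New("invalid request signature")
	}
	granted := false
	for _, name := range s.tokens[m.TokenID].Secrets {
		granted = granted || name == secret
	}
	if !granted {
		return "", errors.New("secret not granted by token policy")
	}
	s.Audit = append(s.Audit, AuditEvent{"read", machineID, m.TokenID, secret, ip.String()})
	return s.secrets[secret], nil
}

// Runner is the ephemeral machine: the private key is generated here and never exported.
type Runner struct {
	priv      ed25519.PrivateKey
	MachineID string
}

func NewRunner() (*Runner, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Runner{priv: priv}, pub, nil
}

// SignFetch produces the timestamp and Ed25519 signature for one secret read.
func (r *Runner) SignFetch(secret string, now time.Time) (int64, []byte) {
	ts := now.Unix()
	return ts, ed25519.Sign(r.priv, signingInput(r.MachineID, secret, ts))
}

// RunJob is what a bootstrap script does on each job: new key, enroll, pull each wanted
// secret with a signed request, and hand the values back as environment variables.
func RunJob(s *Server, tokenID, ipStr string, want []string, now time.Time) (map[string]string, error) {
	ip := net.ParseIP(ipStr)
	r, pub, err := NewRunner()
	if err != nil {
		return nil, err
	}
	if r.MachineID, err = s.Enroll(tokenID, pub, ip, now); err != nil {
		return nil, err
	}
	env := map[string]string{}
	for _, name := range want {
		ts, sig := r.SignFetch(name, now)
		if env[name], err = s.FetchSecret(r.MachineID, name, ts, sig, ip, now); err != nil {
			return nil, err
		}
	}
	return env, nil // the Runner, and with it the private key, is dropped when the job ends
}

func main() {
	now := time.Now()
	s := NewDemoServer(now)
	env, err := RunJob(s, "tok-ci", "10.1.2.3", []string{"DB_PASSWORD"}, now)
	fmt.Println("job 1:", env, err)
	_, err = RunJob(s, "tok-ci", "192.168.1.9", []string{"DB_PASSWORD"}, now)
	fmt.Println("job 2 (outside CIDR):", err)
	for _, e := range s.Audit {
		fmt.Printf("audit %+v\n", e)
	}
}
```

The server stores nothing but public keys, so compromise of its machine table yields no signing capability; the runner's private key exists only in memory for the job's lifetime, and the timestamp in the signed input bounds how long a captured request stays usable. The same server-side checks apply unchanged when the "runner" is a container or pod bootstrapped under the Docker and Kubernetes integrations.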

Infrastructure Integrations

Docker and Kubernetes integrations use the same machine-auth model. A machine identity is bootstrapped into the container or pod, and the CLI or SDK fetches secrets at runtime using Ed25519 signature verification.

Generic CI/CD

For platforms without a dedicated integration, bootstrap a machine identity using the CLI. The generic CI/CD guide covers Jenkins, CircleCI, AWS CodeBuild, and any other system that can run shell commands.

Supabase Edge Functions

Supabase Edge Functions run inside Supabase's managed runtime, so they cannot run a bootstrap script the way a CI runner does. The current integration syncs your selected SikkerKey secrets into the Supabase project's Edge Function secrets via the Supabase Management API. Your functions read them with Deno.env.get(). See Supabase for setup.