Rule 3 of 8 · Chapter I — Pipeline Design
Secrets live in Key Vault–backed variable groups — never inline, never in YAML.
Why this rule exists
A secret in YAML is in git history forever, in every fork, and in every screen-share. Key Vault gives rotation, access policy, and audit; the variable group is just the delivery mechanism.
In practice
One variable group per environment, linked to that environment's vault. Pipeline YAML references the group; nobody pastes values. Secret scanning on in the repo as a backstop.
Sources
- Microsoft Learn — Link a variable group to Key Vault — The supported secret-delivery pattern