PRIVATE.ME PLATFORM

xDuct: CI/CD Pipeline Secret Security

Split pipeline secrets across stages and runners using XorIDA threshold sharing. No single runner holds complete credentials. Supply chain compromises yield only cryptographic noise.

Developer COMING SOON XorIDA Powered

Section 01

The Problem

CI/CD runners are the #1 attack surface for supply chain compromise. The CircleCI breach in 2023 exposed all customer secrets. The CodeCov breach modified a bash uploader to exfiltrate credentials. Runners have full, unguarded access to every secret they need.

Every CI/CD pipeline stage — build, test, deploy — receives complete secrets as environment variables. A compromised build runner can read the deploy key. A tampered test container can harvest database credentials. The blast radius of any single runner compromise is total.

OIDC federation and short-lived tokens reduce exposure windows but do not solve the fundamental problem: at execution time, the secret exists complete and in cleartext in the runner's memory. Memory-scraping attacks, process injection, and compromised base images all bypass token scoping.

The Old Way

Section 02

The PRIVATE.ME Solution

xDuct splits each pipeline secret into K-of-N shares distributed across stages and runners. The build stage receives Share 1. The deploy stage receives Share 2. Reconstruction happens only at the step that needs the complete secret, and only for the duration of that step.

Secrets are split before they enter the pipeline. Each runner receives shares, not secrets. A compromised build runner captures a share that reveals zero information about the deploy key. Even if an attacker controls K-1 runners, they learn nothing about any secret.

The New Way

Section 03

Architecture

xDuct integrates with GitHub Actions, GitLab CI, and any CI system that supports custom secret injection. Secrets are split at configuration time and reconstructed at execution time.

Key Security Properties

Each runner holds shares, not secrets. Reconstruction is scoped to a single pipeline step. Secrets are destroyed from memory after the step completes. HMAC-SHA256 prevents share tampering between configuration and execution.

Section 04

Use Cases

GitHub

Split Across Jobs

Distribute shares across GitHub Actions jobs. No single job file exposes a complete credential.

GitHub

Signing

Code Signing Key Protection

Split code signing keys so no single runner can sign unauthorized releases. Threshold reconstruction at the signing step only.

Signing

Isolation

Build/Test/Deploy Isolation

Each pipeline stage holds a different share. Compromising the test environment never exposes production deploy keys.

Isolation

Defense

Supply Chain Defense

Even if a malicious dependency exfiltrates environment variables, it captures only shares — not secrets.

Defense

Section 05

Integration

Quick Start

import { splitSecret, reconstructForStep } from '@private.me/xduct';

// Split deploy key across 3 pipeline stages
const shares = await splitSecret('DEPLOY_KEY', {
  k: 2, n: 3,
  stages: ['build', 'test', 'deploy']
});

// At deploy step: reconstruct from available shares
const key = await reconstructForStep(shares, 'deploy', {
  available: ['build', 'deploy'],
  threshold: 2
});
// key available in memory for this step only

splitSecret(name: string, opts: PipeOpts): Promise<Result<StageShares, PipeError>>

Splits a secret into K-of-N threshold shares using XorIDA over GF(2), mapped to pipeline stages. Returns share references for each stage.

reconstructForStep(shares: StageShares, step: string, opts: StepOpts): Promise<Result<Uint8Array, PipeError>>

Reconstructs a secret from K available stage shares at runtime. Verifies HMAC integrity before reconstruction. Memory-only — never written to disk.

Section 06

Security Properties

Property	Mechanism	Guarantee
Runner Isolation	Per-stage shares	✓ No single runner has complete secret
Integrity	HMAC-SHA256 per share	✓ Tamper-evident
Supply Chain	Information-theoretic split	✓ Exfiltration yields noise
Rotation	Atomic share replacement	✓ Zero-downtime
Quantum Resistance	GF(2) operations	✓ Unconditional security

$45B

DevSecOps market

<1ms

Split latency

K-of-N

Threshold

VERIFIED BY XPROVE

Verifiable Data Protection

Every operation in this ACI produces a verifiable audit trail via xProve. HMAC-chained integrity proofs let auditors confirm that data was split, stored, and reconstructed correctly — without accessing the data itself.

XPROVE AUDIT TRAIL

Every XorIDA split generates HMAC-SHA256 integrity tags. xProve chains these into a tamper-evident audit trail that proves data was handled correctly at every step. Upgrade to zero-knowledge proofs when regulators or counterparties need public verification.

Read the xProve white paper →

GET STARTED

Ready to deploy xDuct?

Talk to Ren, our AI sales engineer, or book a live demo with our team.

Book a Demo

VERIFIABLE WITHOUT CODE EXPOSURE

Ship Proofs, Not Source

xDuct generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.

XPROVE CRYPTOGRAPHIC PROOF

Download proofs:

Tier 1 HMAC (~0.7KB)
Tier 2 Commit-Reveal (~0.5KB)
Tier 3 IT-MAC (~0.3KB)
Tier 4 KKW ZK (~0.4KB)

Verify proofs online →

Use Cases

🏛️

REGULATORY

FDA / SEC Submissions

Prove algorithm correctness for distributed systems without exposing trade secrets or IP.

Zero IP Exposure

🏦

FINANCIAL

Audit Without Access

External auditors verify secure operations without accessing source code or production systems.

FINRA / SOX Compliant

🛡️

DEFENSE

Classified Verification

Security clearance holders verify distributed systems correctness without clearance for source code.

CMMC / NIST Ready

🏢

ENTERPRISE

Procurement Due Diligence

Prove security + correctness during RFP evaluation without NDA or code escrow.

No NDA Required

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Enterprise SLA available

View Pricing →

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/xduct
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

Complete data sovereignty
Air-gap capable deployment
Custom SLA + dedicated support
Professional services included

Request Quote →

Enterprise On-Premise Deployment

While xDuct is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
Air-gapped environments — SCIF, classified networks, offline operations
Data residency requirements — EU GDPR, China data laws, government mandates
Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →