Skip to content

Buildkite

The Buildkite Integration provides SailPoint Entro with continuous, read-only visibility into your CI/CD pipelines, builds, and associated secrets. It enables detection of misconfigurations, exposed tokens, and insecure variable management within Buildkite environments.


Management → Accounts & Integrations → Add New Account (top right) → Buildkite


Purpose

Buildkite pipelines often store sensitive information such as:

  • API keys and environment variables in build configurations
  • Repository credentials used for code fetch and deployment
  • Access tokens stored in pipeline or agent-level secrets

SailPoint Entro scans these securely to detect exposed secrets before they can be exploited.


Supported Resources

Once connected, SailPoint Entro analyzes:

  • Pipelines and build definitions

  • Environment variables and secret metadata

  • Agent and job configurations

  • Build logs and annotations metadata (where accessible via API)


Architecture

┌───────────────────────────────┐
│       Entro Security Cloud    │
│  (Secret Detection Engine)    │
└──────────────┬────────────────┘
               │  HTTPS (TLS 1.2+)
┌───────────────────────────────┐
│       Buildkite Cloud         │
│ (Pipelines, Builds, Secrets)  │
└───────────────────────────────┘

SailPoint Entro connects to Buildkite through a Personal Access Token (PAT) with read-only permissions.


Security Model

  • All connections occur over HTTPS/TLS 1.2+
  • Access tokens are AES-256 encrypted at rest within SailPoint Entro
  • No write, modification, or destructive actions are performed
  • Tokens can be revoked anytime from the Buildkite user settings
  • Full audit logging available in SailPoint Entro’s event logs

Integration Flow

  1. Generate a Personal Access Token (PAT) in Buildkite

    Create a PAT in Buildkite with read-only permissions to allow SailPoint Entro to access pipeline and build metadata.

  2. Enter the token in SailPoint Entro’s onboarding form

    Provide the PAT in the SailPoint Entro UI when adding the Buildkite account.

  3. SailPoint Entro validates the connection and begins scanning metadata

    SailPoint Entro confirms connectivity and starts analyzing pipelines, variables, and available logs.

  4. Findings appear in the SailPoint Entro Console

    Scan results show file paths, risk levels, and remediation steps for any detected issues.