How should secret rotation be managed in a deployment pipeline?

• A. Rotate secrets weekly regardless of impact.
• B. Schedule rotations, propagate new credentials to services, verify access, and minimize downtime.
• C. Never rotate secrets to avoid disruption.
• D. Rotate secrets only manually after incidents.

Answer: (B)

Secret rotation in a deployment pipeline should be planned and automated so credentials stay fresh without causing outages. The best approach is to schedule rotations, propagate the new credentials to every service that relies on them, verify that access still works after the change, and aim to minimize downtime through coordinated updates and rolling deployments. This ensures secrets are refreshed regularly in a controlled way, keeping services online and reducing the risk from compromised credentials. Proactive automation lets you update configurations, environment variables, and secret stores in a single, reliable workflow with checks that confirm authentication continues to succeed. Rotating on a rigid weekly schedule without considering impact can cause unnecessary churn or outages, and never rotating secrets or waiting for incidents to trigger rotation leaves security and reliability at risk.