Pipeline Secret Expiry Tracker

Overview

The Pipeline Secret Expiry Tracker is an Azure DevOps extension designed to help you monitor the expiration dates of variables stored in Azure Key Vault. By tracking variable expiry, this extension helps prevent deployment failures due to expired secrets and ensures smooth CI/CD operations.

The extension displays all tracked Key Vault variables in a simple list format, showing:

• Variable Group: The Azure DevOps variable group the secret belongs to
• Variable Name: The name of the variable
• Key Vault: The source Key Vault where the secret is stored
• Status: The current state of the secret
• Expires: The expiration date and time of the secret

Example display:

Status Rules

The extension uses the following logic to determine the status of each variable:

• ⚠️ Expiring soon: Status is ok and the variable expires within 30 days
• ✅ OK: Status is ok and the variable is not near expiry
• ⏰ Expired: Status is expired
• ❌ Missing: Status is missing
• ℹ️ Not secret: Status is notSecret

The status is updated automatically based on the Key Vault's metadata for each secret, giving you real-time insights into your variables.

Benefits

• Prevent unexpected downtime by monitoring expiring secrets
• Improve security by identifying missing or non-secret variables
• Enhance DevOps visibility into Key Vault secrets used in your pipelines

Installation

1. Navigate to the Azure DevOps Marketplace
2. Search for Pipeline Secret Expiry Tracker
3. Click Install and select your Azure DevOps organization
4. Configure the variable groups and Key Vaults you want to monitor

Usage

Once installed, the extension adds a tab to your Azure DevOps project where all Key Vault variables are listed with their current status and expiry date. Variables approaching expiration will be flagged automatically.

Monitor your secrets, prevent downtime, and keep your DevOps pipelines secure with Pipeline Secret Expiry Tracker.