Credential rotation is the practice of regularly replacing API keys, passwords, tokens, and certificates before they expire, leak, or become stale enough to pose a risk. It matters because static credentials are one of the most common root causes of breaches: Verizon's 2024 Data Breach Investigations Report found that stolen credentials were involved in 31% of breaches over the past decade, and the 2023 Toyota incident traced back to a hardcoded API key left active in a public GitHub repo for roughly five years. Rotation limits the "blast radius" of any single leaked secret by capping how long it stays valid. Modern rotation isn't a manual quarterly chore — it's automated, tied to CI/CD pipelines, and enforced by policy engines that flag credentials exceeding an age threshold (commonly 90 days for cloud IAM keys, 24 hours for CI runner tokens). Below, we break down how rotation works, why it's different from revocation, which credentials need it most, and how to build a rotation program that survives an audit.
What is credential rotation?
Credential rotation is the scheduled or triggered process of generating a new credential, propagating it to every system that consumes it, and disabling the old one — typically within a defined overlap window so nothing breaks mid-swap. AWS IAM, for example, recommends rotating access keys every 90 days and supports a two-key overlap period so an application can pick up the new key before the old one is deactivated. Rotation applies to API keys, database passwords, OAuth client secrets, SSH keys, TLS certificates, and signing keys. The goal is not just replacing the value but proving the replacement happened — which is why SOC 2 and PCI DSS auditors ask for rotation logs, not just rotation policies.
Why does credential rotation matter for software supply chain security?
It matters because long-lived credentials are the single easiest thing for an attacker to exfiltrate and reuse without triggering an alert. GitGuardian's 2024 State of Secrets Sprawl report scanned public GitHub repositories and found over 12.8 million new secrets leaked in 2023 alone, a 28% increase over 2022 — and the median secret in a public repo stayed valid for years because nobody rotated it after the commit. The 2021 Codecov supply chain attack persisted for roughly two months because the compromised Bash Uploader script credential wasn't rotated or scoped tightly enough to limit what it could reach. When credentials are rotated on a fixed cadence, a leaked secret from six months ago is already dead by the time an attacker tries to use it, which directly shrinks the window supply chain attacks depend on.
How often should you rotate different types of credentials?
How often you rotate depends on the credential's blast radius and how automatable the rotation is — cloud IAM access keys every 90 days, database service-account passwords every 30-90 days, CI/CD pipeline tokens every 24 hours to 7 days, and TLS certificates typically every 90 days if you're using Let's Encrypt's default lifecycle or up to 398 days under the CA/Browser Forum's current maximum validity rule. NIST SP 800-63B moved away from mandating arbitrary rotation intervals for human passwords in 2017, recommending rotation only on evidence of compromise instead — but that guidance is specifically about user passwords, not machine credentials, API keys, or service accounts, which still benefit from short, fixed rotation windows because they're provisioned and consumed programmatically. Google Cloud's default service account key rotation recommendation is every 90 days, and HashiCorp Vault's dynamic secrets feature can issue database credentials with a default 32-day TTL that expire automatically without manual rotation at all.
What's the difference between credential rotation and credential revocation?
Rotation is a planned replacement done on a schedule; revocation is an emergency response done the moment a credential is known or suspected to be compromised. Rotation assumes the old credential is still probably safe and gives you a grace period to cut over cleanly — revocation assumes the opposite and kills the credential immediately, even if it breaks something. The 2022 Uber breach involved credentials for internal tools that were reportedly valid for an extended period after initial compromise, illustrating why organizations pair short rotation cycles with fast revocation paths: rotation reduces how often you're exposed, revocation reduces how long you stay exposed once you know about it. A mature program treats revocation as rotation's emergency sibling — same mechanism (issue new, kill old), triggered by an incident instead of a calendar.
What breaks when credential rotation isn't automated?
What breaks is usually production, because manual rotation almost always misses at least one downstream consumer of the old credential. Hardcoded secrets in config files, forgotten cron jobs, or third-party integrations that cache a key for weeks are the classic failure modes — this is exactly what happened in several 2023 incidents where rotated database passwords caused outages because a legacy microservice was still reading the old value from an unrotated Kubernetes secret. Automated rotation tools like AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault solve this by handling generation, propagation, and the grace-period overlap as a single atomic workflow, with built-in Lambda or webhook triggers that update every registered consumer simultaneously. Without that automation, teams tend to under-rotate out of fear of breakage, which is how a "90-day policy" quietly turns into a credential that's 400 days old with nobody willing to touch it.
How Safeguard Helps
Safeguard closes the gap between having a rotation policy on paper and actually knowing which credentials in your codebase and pipelines are stale, unscoped, or reachable by an attacker. Griffin AI continuously scans commits, CI configs, and IaC for hardcoded and aging secrets, then correlates them with reachability analysis to show whether a given credential is actually exercised by exploitable code paths — so security teams can prioritize the handful of leaked keys that matter over the hundreds that don't. Safeguard's SBOM generation and ingest give you a live inventory of every service and dependency touching a given credential, which is what makes safe rotation possible without breaking a downstream consumer nobody remembered. When Griffin AI flags a credential past its rotation threshold or hardcoded in source, Safeguard can open an auto-fix PR that swaps the value for a reference to your secrets manager and updates the affected config, turning a manual audit finding into a reviewable code change in minutes.