diff --git a/.github/workflows/executable.yml b/.github/workflows/executable.yml
index 399b7a360..a8a5637bb 100644
--- a/.github/workflows/executable.yml
+++ b/.github/workflows/executable.yml
@@ -79,11 +79,16 @@ jobs:
 env:
 CERT_B64: ${{ secrets.WIN_CODESIGN_CERT_CHAIN_B64 }}
 - name: Sign binary with Google Cloud KMS
+ env:
+ # Bind the secret to an env var instead of interpolating it into the
+ # PowerShell command string, so GitHub's log redaction applies to it
+ # in all (incl. error) output (CWE-532).
+ GCP_KMS_KEY_PATH: ${{ secrets.GCP_KMS_KEY_PATH }}
 run: |
 $env:GOOGLE_APPLICATION_CREDENTIALS = "$PWD\gcp-sa-key.json"
 $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Filter signtool.exe -Recurse | Where-Object { $_.FullName -match "x64" } | Select-Object -First 1
 Write-Host "Using signtool: $($signtool.FullName)"
- & $signtool.FullName sign /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /f comodo_signing_cert.crt /csp "Google Cloud KMS Provider" /kc "${{ secrets.GCP_KMS_KEY_PATH }}" percy.exe
+ & $signtool.FullName sign /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /f comodo_signing_cert.crt /csp "Google Cloud KMS Provider" /kc "$env:GCP_KMS_KEY_PATH" percy.exe
 if ($LASTEXITCODE -ne 0) { Write-Error "Code signing failed!"; exit 1 }
 Write-Host "Code signing succeeded."
 & $signtool.FullName verify /pa /v percy.exe
diff --git a/scripts/executable.sh b/scripts/executable.sh
index befcb2338..8e31e3213 100755
--- a/scripts/executable.sh
+++ b/scripts/executable.sh
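Review bot: The new `/kc "$env:GCP_KMS_KEY_PATH"` has no guard for the env var being empty, so when the secret is unavailable (e.g. on a fork PR, where secrets are not injected) signtool is invoked with `/kc ""` and the failure only surfaces as the generic "Code signing failed!"; add `if (-not $env:GCP_KMS_KEY_PATH) { Write-Error "GCP_KMS_KEY_PATH is not set"; exit 1 }` before the sign call. Note also that the value is still handed to signtool as a command-line argument, so it remains visible in the runner's process list while signing runs — the env binding fixes log redaction, not the argv exposure the second file's hunk addresses; since a KMS key resource path is an identifier rather than a credential this is likely acceptable, but the new comment should say "log redaction only" rather than leave the impression the value is now hidden. Separately, the `verify` call on the last line still does not check `$LASTEXITCODE`, so a failed signature verification does not fail the step.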
@@ -76,7 +76,10 @@ if [ -n "${APPLE_DEV_CERT:-}" ]; then
 mv percy-osx percy
 zip percy-osx.zip percy
- xcrun notarytool submit --apple-id "$APPLE_ID_USERNAME" --password $APPLE_ID_KEY --team-id $APPLE_TEAM_ID percy-osx.zip --wait
+ # Read the Apple app-specific password from the environment via notarytool's
+ # `@env:` prefix instead of passing it as a CLI argument, so it is not visible
+ # in the process table / `ps aux` (CWE-214).
+ xcrun notarytool submit --apple-id "$APPLE_ID_USERNAME" --password "@env:APPLE_ID_KEY" --team-id "$APPLE_TEAM_ID" percy-osx.zip --wait
 cleanup
 else
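Review bot: `"@env:APPLE_ID_KEY"` makes notarytool read the password from its own process environment, so it only works if `APPLE_ID_KEY` is exported — the old `$APPLE_ID_KEY` expansion also worked for a plain, unexported shell variable, and whether it is exported is not visible in this hunk. Guard and export it immediately before the call, `: "${APPLE_ID_KEY:?APPLE_ID_KEY must be set}"` followed by `export APPLE_ID_KEY`, so a missing or unexported value fails with a clear message before the upload instead of as an authentication error from the notarization service. Quoting `"$APPLE_TEAM_ID"` is a good fix in its own right. The enclosing `if [ -n "${APPLE_DEV_CERT:-}" ]` block starts outside the hunk and `cleanup` is defined elsewhere in the script.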