Audit CircleCI Contexts for Exposed Secrets
CircleCI announced on January 4, 2023, that all secrets stored in CircleCI were potentially accessed by a malicious actor. They recommend rotating all secrets stored on their platform.
I spent a decent amount of time looking into clients' CircleCI contexts, identifying secrets that needed to be rotated. I quickly cobbled together some scripts, but today I spent some time writing circleci-audit, a tool to help identify exposed secrets.
You can easily run it with npx:
npx circleci-audit contexts \
--token $CIRCLECI_TOKEN \
--orgId $CIRCLECI_ORG_ID
You can create a token here and find your Organization’s ID on the “Organization Settings” page in the CircleCI UI.
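For readers who want to see what such an audit does under the hood, the following is an added example (not circleci-audit's own code): it walks the CircleCI API v2 context endpoints with the same token and org ID, lists every variable in every context, and flags those whose last change predates the January 4, 2023 disclosure, so it doubles as a post-rotation check. The `ORG_ID` value and the sample API responses are constructed; the `variable`, `created_at` and `updated_at` field names are those of API v2.

```javascript
// Added example, not the circleci-audit tool's own code: walks the CircleCI API v2 context
// endpoints and flags each context variable last changed before the 2023-01-04 disclosure.
const API = "https://circleci.com/api/v2";
const INCIDENT_DATE = Date.parse("2023-01-04T00:00:00Z");
// Follow next_page_token until the API stops returning one.
async function listAll(getJson, path) {
  const items = [];
  for (let token = null; ; ) {
    const page = await getJson(token ? `${path}${path.includes("?") ? "&" : "?"}page-token=${token}` : path);
    items.push(...page.items);
    if (!(token = page.next_page_token)) return items;
  }
}

// One report entry per variable; variable/created_at/updated_at are the API v2 field names.
const toEntry = (v) => {
  const lastSet = v.updated_at || v.created_at;
  return { name: v.variable, lastSet, needsRotation: Date.parse(lastSet) < INCIDENT_DATE };
};
function buildReport(contexts, varsByContextId) {
  return contexts.map((ctx) => ({ context: ctx.name, variables: (varsByContextId[ctx.id] || []).map(toEntry) }));
}

async function auditContexts(getJson, orgId) {
  const contexts = await listAll(getJson, `/context?owner-id=${orgId}&owner-type=organization`);
  const varsByContextId = {};
  for (const ctx of contexts)
    varsByContextId[ctx.id] = await listAll(getJson, `/context/${ctx.id}/environment-variable`);
  return buildReport(contexts, varsByContextId);
}

// Live client for a real org: the personal API token is sent in the Circle-Token header.
const circleciClient = (token) => async (path) => {
  const res = await fetch(API + path, { headers: { "Circle-Token": token } });
  if (!res.ok) throw new Error(`CircleCI API ${res.status} for ${path}`);
  return res.json();
};

// Constructed sample responses (contexts split over two pages) so the example runs offline.
const CTX = "/context?owner-id=ORG_ID&owner-type=organization";
const SAMPLE = {
  [CTX]: { items: [{ id: "c1", name: "prod" }], next_page_token: "p2" },
  [`${CTX}&page-token=p2`]: { items: [{ id: "c2", name: "staging" }], next_page_token: null },
  "/context/c1/environment-variable": { items: [
    { variable: "AWS_SECRET_ACCESS_KEY", created_at: "2022-06-01T00:00:00Z", updated_at: "2022-06-01T00:00:00Z" },
    { variable: "NPM_TOKEN", created_at: "2022-06-01T00:00:00Z", updated_at: "2023-01-05T09:00:00Z" } ], next_page_token: null },
  "/context/c2/environment-variable": { items: [{ variable: "SLACK_WEBHOOK", created_at: "2021-03-10T00:00:00Z" }], next_page_token: null },
};
const sampleGetJson = async (path) => SAMPLE[path];
auditContexts(sampleGetJson, "ORG_ID").then((report) => console.log(JSON.stringify(report, null, 2)));
```

Against a real organization, replace `sampleGetJson` with `circleciClient(process.env.CIRCLECI_TOKEN)` and `"ORG_ID"` with your organization's ID; the API only exposes variable names and timestamps, never the secret values, so the report is safe to keep as a rotation checklist.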
I hope this tool helps you quickly identify secrets needing to be rotated.