Audit CircleCI Contexts for Exposed Secrets

Posted on January 6, 2023 by Ben Limmer

CircleCI announced on January 4, 2023, that all secrets stored in CircleCI were potentially accessed by a malicious actor. They recommend rotating all secrets stored on their platform.

I spent a decent amount of time looking into client CircleCI contexts, identifying secrets that needed to be rotated. I quickly cobbled together some scripts, but today I spent some time writing circleci-audit, a tool to help identify exposed secrets.

You can easily run it with npx:

npx circleci-audit contexts \
--token $CIRCLECI_TOKEN \
--orgId $CIRCLECI_ORG_ID

You can create a token here and find your Organization’s ID on the “Organization Settings” page in the CircleCI UI.
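As an added example (not the circleci-audit tool's own code), here is the walk such an audit makes over the CircleCI v2 Contexts API: every context, every variable name, and its timestamp, flagged for rotation when it predates the January 4, 2023 disclosure. The sample responses are constructed, and the assumption that created_at reflects when a value was last set is mine, not the page's.

```javascript
// Added example, not the circleci-audit tool's own code: list an organization's
// CircleCI contexts via the v2 API and flag every variable to rotate after the
// January 2023 incident. Assumption: created_at reflects when a value was last set.
const CIRCLE_API = "https://circleci.com/api/v2";
const DISCLOSURE = new Date("2023-01-04T00:00:00Z"); // CircleCI's disclosure date

// A value set before the disclosure was stored during the exposure window.
function needsRotation(variable) {
  return new Date(variable.created_at) < DISCLOSURE;
}

// Pure report builder over GET /context items and a map of
// context id -> GET /context/{id}/environment-variable items.
function buildReport(contexts, varsByContext) {
  return contexts.flatMap((ctx) =>
    (varsByContext[ctx.id] || []).map((v) => ({
      context: ctx.name, variable: v.variable, createdAt: v.created_at, rotate: needsRotation(v),
    })),
  );
}

// Follow next_page_token until a v2 list endpoint is exhausted.
async function listAll(path, token) {
  const items = []; let pageToken;
  do {
    const url = new URL(CIRCLE_API + path);
    if (pageToken) url.searchParams.set("page-token", pageToken);
    const res = await fetch(url, { headers: { "Circle-Token": token } });
    if (!res.ok) throw new Error(`CircleCI API returned ${res.status} for ${url.pathname}`);
    const page = await res.json();
    items.push(...page.items);
    pageToken = page.next_page_token;
  } while (pageToken);
  return items;
}

// Live audit, taking the same org ID and personal API token the npx command above uses.
async function auditContexts(orgId, token) {
  const contexts = await listAll(`/context?owner-id=${encodeURIComponent(orgId)}`, token);
  const varsByContext = {};
  for (const ctx of contexts) {
    varsByContext[ctx.id] = await listAll(`/context/${ctx.id}/environment-variable`, token);
  }
  return buildReport(contexts, varsByContext);
}

// Constructed sample data in the API's response shape, so the report runs offline.
const SAMPLE_CONTEXTS = [{ id: "ctx-1", name: "deploy-prod" }, { id: "ctx-2", name: "test" }];
const SAMPLE_VARS = {
  "ctx-1": [{ variable: "AWS_SECRET_ACCESS_KEY", context_id: "ctx-1", created_at: "2022-06-10T12:00:00Z" }],
  "ctx-2": [{ variable: "NPM_TOKEN", context_id: "ctx-2", created_at: "2023-01-05T09:30:00Z" }],
};
console.table(buildReport(SAMPLE_CONTEXTS, SAMPLE_VARS));
```

Running `auditContexts(process.env.CIRCLECI_ORG_ID, process.env.CIRCLECI_TOKEN)` instead of the sample call produces the same table for a real organization.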

I hope this tool helps you quickly identify secrets needing to be rotated.