Audit CircleCI Contexts for Exposed Secrets


CircleCI announced on January 4, 2023, that all secrets stored in CircleCI were potentially accessed by a malicious actor. They recommend rotating all secrets stored on their platform.

Screenshot: the CircleCI user interface informing users to rotate all secrets stored in CircleCI.

I spent a decent amount of time looking into clients’ CircleCI contexts, identifying secrets that needed to be rotated. I quickly cobbled together some scripts, but today I spent some time writing circleci-audit, a tool to help identify exposed secrets.

You can easily run it with npx:

npx circleci-audit contexts \
  --token $CIRCLECI_TOKEN \
  --orgId $CIRCLECI_ORG_ID

You can create a token here and find your Organization’s ID on the “Organization Settings” page in the CircleCI UI.
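Under the hood an audit like this is an API walk: list the organization’s contexts, then list each context’s variables, and every name that comes back belongs on the rotation list. The script below is an added example, not circleci-audit’s own code: it does that walk against the CircleCI v2 API (`/context` and `/context/{id}/environment-variable`, paginated with `page-token`), with a constructed offline fetcher and made-up context and variable names standing in for a live organization.

```python
"""Inventory every CircleCI context variable via the v2 API (added example, not circleci-audit's own code)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

API = "https://circleci.com/api/v2"

def http_get(url: str, token: str) -> dict:
    """Live fetcher: GET a v2 endpoint, authenticating with the Circle-Token header."""
    req = urllib.request.Request(url, headers={"Circle-Token": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def paginate(path: str, params: Dict[str, str], token: str,
             fetch: Callable[[str, str], dict]) -> Iterator[dict]:
    """Yield items across pages, following next_page_token via the page-token query parameter."""
    page_token = None
    while True:
        query = dict(params)
        if page_token:
            query["page-token"] = page_token
        url = f"{API}{path}" + (f"?{urllib.parse.urlencode(query)}" if query else "")
        page = fetch(url, token)
        yield from page.get("items", [])
        page_token = page.get("next_page_token")
        if not page_token:
            return

def audit_contexts(org_id: str, token: str, fetch: Callable[[str, str], dict] = http_get) -> List[Dict[str, str]]:
    """One row per context variable; the API returns names and timestamps only, never the secret values."""
    rows = []
    for ctx in paginate("/context", {"owner-id": org_id}, token, fetch):
        for var in paginate(f"/context/{ctx['id']}/environment-variable", {}, token, fetch):
            rows.append({"context": ctx["name"], "variable": var["variable"], "created_at": var["created_at"]})
    return rows

# Constructed sample responses shaped like the v2 API so the example runs offline;
# the second context page exercises pagination. Names and ids are made up.
SAMPLE = {
    f"{API}/context?owner-id=org-1": {"items": [{"id": "ctx-a", "name": "prod"}], "next_page_token": "p2"},
    f"{API}/context?owner-id=org-1&page-token=p2": {"items": [{"id": "ctx-b", "name": "staging"}], "next_page_token": None},
    f"{API}/context/ctx-a/environment-variable": {"items": [
        {"variable": "AWS_SECRET_ACCESS_KEY", "context_id": "ctx-a", "created_at": "2022-03-01T00:00:00Z"},
        {"variable": "NPM_TOKEN", "context_id": "ctx-a", "created_at": "2022-07-15T00:00:00Z"}], "next_page_token": None},
    f"{API}/context/ctx-b/environment-variable": {"items": [
        {"variable": "DATABASE_URL", "context_id": "ctx-b", "created_at": "2021-11-20T00:00:00Z"}], "next_page_token": None},
}

def fake_get(url: str, token: str) -> dict:
    """Offline stand-in for http_get, serving the constructed pages above."""
    return SAMPLE[url]

if __name__ == "__main__":
    for row in audit_contexts("org-1", "dummy-token", fetch=fake_get):
        print(f"{row['context']:<10} {row['variable']:<24} created {row['created_at']}")
```

Against a real organization, drop the `fetch=fake_get` argument and pass your token and organization ID; the `created_at` column tells you which variables predate the rotation you did after the announcement.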

I hope this tool helps you quickly identify secrets needing to be rotated.

Ben Limmer