Audit CircleCI Contexts for Exposed Secrets
CircleCI announced on January 4, 2023, that all secrets stored in CircleCI were potentially accessed by a malicious actor. They recommend rotating all secrets stored on their platform.
I spent a decent amount of time this looking into client’s CircleCI contexts, identifying secrets that needed to be
rotated. I quickly cobbled together some scripts, but today I spent some time writing
circleci-audit, a tool to help identify exposed secrets.
You can easily run it with
npx circleci-audit contexts \ --token $CIRCLECI_TOKEN \ --orgId $CIRCLECI_ORG_ID
You can create a token here and find your Organization’s ID on the “Organization Settings” page in the CircleCI UI.
I hope this tool helps you quickly identify secrets needing to be rotated.