CircleCI Project Token

ID

circle_ci_project_token

Severity

high

Vendor

CircleCI

Family

API Token

Description

CircleCI is a continuous integration and continuous delivery platform that can be used to implement DevOps practices.

It provides a runtime environment in the cloud to automate builds and deployments. A Circle CI project token allows to access various information on pipelines, workflows or users, but scoped for a given project.

Security

Any hardcoded CircleCI Project Token is a potential secret reported by this detector.

Accidentally checking-in the token to source control repositories could compromise the corresponding project in CircleCI.

The token permissions have three different scopes, namely Status, Read Only or Admin. Leaking a project token with the Admin scopes allow full access to all api endpoints for the project.

Examples

CIRCLECI_TOKEN = CCIPRJ_Gj2hR8r2UqFRxNmPfTTzGQ_IeFDClX3YiSmOftXxKjGyGmJyEyl4fuEh6Q1PRnP

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). Go to API Permission where the project tokens are listed, find the specific token and revoke it (click on the 'X' at the right). Then create a new token, and replace all references to the old with the new. Alternatively, you may create a new token first, replace the leaked one with the new where it appears, and then revoke the leaked token.

  2. Optionally, remove the Token from the source code or committed configuration file.

    If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference