CircleCI Personal Token

ID

circle_ci_token

Severity

critical

Vendor

CircleCI

Family

API Token

Description

CircleCI is a continuous integration and continuous delivery platform that can be used to implement DevOps practices.

It provides a runtime environment in the cloud to automate builds and deployments. A Circle CI personal token allows to access various information on pipelines, workflows or users.

Security

Any hardcoded CircleCI Personal Token is a potential secret reported by this detector.

Accidentally checking-in the token to source control repositories could compromise the CircleCI account and data.

Examples

CIRCLECI_TOKEN = CCIPAT_Gj2hR8r2UqFRxNmPfTTzGQ_IeFDClX3YiSmOftXxKjGyGmJyEyl4fuEh6Q1PRnP

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). Go to User Tokens, find the specific token and revoke it (click on the 'X' at the right). Then create a new token, and replace all references to the old with the new. Alternatively, you may create a new token first, replace the leaked one with the new where it appears, and then revoke the leaked token.

  2. Optionally, remove the Token from the source code or committed configuration file.

    If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference