From the European Union GDPR data privacy standards to seemingly endless press coverage of data leaks, security is top of mind like never before. Security is such a crucial consideration in software development that an entirely new word, DevSecOps, now exists to represent security’s significance throughout every stage of an integrated software creation and delivery pipeline. Locking down modern-day applications is no simple task, especially when their source code is spread across multiple repositories and teams, and doing so for open source projects with global contributors can be even more daunting. Managing sensitive keys can be an especially challenging part if you’re trying to use CI/CD to create an automated delivery pipeline. Certain keys are likely required to build, test, and deploy across multiple projects, and sharing them while maintaining their security is difficult.

At CircleCI, we’re always working to balance developer needs (flexibility, autonomy) with operational concerns (security, compliance). With that in mind, we are excited to announce restricted contexts, our newest security feature that allows admins to assign contexts to certain user groups. Restricted contexts are designed to maintain the ease of use that developers have come to expect while enabling guardrails to make your software delivery process even more robust and secure.

Restricting your contexts

Last year we introduced multi-contexts as part of workflows to allow easy sharing of environment variables across projects. This feature was warmly welcomed, and we heard from a number of our customers that they wanted even more control over contexts in order to use them in their production deployments. Today we are introducing the ability to restrict access to contexts to specific sets of users based on groups they belong to through security rules. This functionality is available to users who use GitHub as their VCS and have teams set up to group users. In CircleCI the available security groups will automatically populate with your GitHub teams.

We believe that restricted contexts will allow CircleCI users to create a more robust end-to-end CI/CD pipeline while maintaining high security standards. For instance, organizations who want to automate the full development lifecycle from commit to deploy can now do so more safely by restricting access to deployment keys to certain users who are authorized to push code into production. We also hope that open source projects building on CircleCI will use secure contexts to empower their contributors while maintaining the layer of control that is necessary to keep their projects running smoothly. Lead maintainers on these projects will now be able to secure any necessary environment variables in contexts and then authorize trusted contributors to access them for their builds.

With restricted contexts, you now have more control over how your encrypted keys are shared. Ready to explore restricted contexts? Go to docs here to learn more about how to manage your secret keys and permissions.