This document outlines recommended best practices to ensure the security of your data and secrets when using CircleCI.
Checklist for using CircleCI securely as a customer
If you are getting started with CircleCI, there are some security best practices you can ask your team to consider as users of CircleCI:
- Minimize the number of secrets (private keys / environment variables) your build needs and rotate secrets regularly.
- It is important to rotate secrets regularly in your organization, especially as team members come and go.
- Rotating secrets regularly means your secrets are only active for a certain amount of time, helping to reduce possible risks if keys are compromised.
- Ensure the secrets you do use are of limited scope - with only enough permissions for the purposes of your build. Understand the role and permission systems of other platforms you use outside of CircleCI; for example, IAM permissions on AWS, or GitHub’s Machine User feature.
- Sometimes user misuse of certain tools might accidentally print secrets to stdout, which will land in your logs. Please be aware of:
  - printenv, which will print all your environment variables to stdout.
  - literally printing secrets in your codebase or in your shell with
  - programs or debugging tools that print secrets on error.
- Consult your VCS provider’s permissions for your organization (if you are in an organization) and try to follow the Principle of Least Privilege.
- Use Restricted Contexts with teams to share environment variables with a select security group. Read through the contexts document to learn more.
- Ensure you audit who has access to SSH keys in your organization.
- Ensure that your team is using Two-Factor Authentication (2FA) with your VCS (GitHub 2FA, Bitbucket). If a user’s GitHub or Bitbucket account is compromised, a nefarious actor could push code or potentially steal secrets.
- If your project is open source and public, please make note of whether or not you want to share your environment variables. On CircleCI, you can change a project’s settings to control whether your environment variables can pass on to forked versions of your repo. This is not enabled by default. You can read more about these settings and open source security in our Open Source Projects document.
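The checklist item about tools printing secrets to stdout is the one most easily backed by a concrete control. The following is an added example, not code from CircleCI or from this document: a small POSIX shell filter, `mask_secrets`, that a build step can pipe its output through so that the values of named environment variables are replaced with `***` before they reach the job log. The function name and the constructed environment variable used in the comments are assumptions for illustration; the approach mirrors what CI log-masking features do, but this script is a stand-in, not CircleCI's own masking.

```shell
#!/bin/sh
# Added example (not part of the CircleCI docs): redact secret values from a log stream.
#
# Usage inside a build step:
#   ./deploy.sh 2>&1 | mask_secrets AWS_SECRET_ACCESS_KEY DEPLOY_TOKEN
#
# Each argument is the NAME of an environment variable whose VALUE must never
# appear in the log. Values are read from the environment, never from arguments,
# so the secret itself is not visible in `ps` output or in the command echo.
mask_secrets() {
  expr=''
  for name in "$@"; do
    # printenv exits non-zero when the variable is unset; skip those.
    val=$(printenv "$name" 2>/dev/null) || continue
    [ -n "$val" ] || continue
    # Escape characters that are special in a sed basic regular expression
    # (and the '/' used as the s/// delimiter) so the value matches literally.
    # Multi-line secret values (e.g. PEM keys) are not handled by this filter.
    esc=$(printf '%s' "$val" | sed 's|[][\\.*^$/]|\\&|g')
    expr="${expr}s/${esc}/***/g;"
  done
  if [ -z "$expr" ]; then
    cat            # nothing to mask: pass the stream through unchanged
  else
    sed -e "$expr" # rewrite every occurrence of every secret value
  fi
}

# Stand-alone demonstration with a constructed secret (not a real credential).
if [ "${MASK_SECRETS_DEMO:-}" = "1" ]; then
  export CONSTRUCTED_TOKEN='s3cr.t/val*'
  # A careless `printenv` or `echo` line such as this is exactly what the
  # checklist warns about; the filter turns it into "CONSTRUCTED_TOKEN=***".
  printf 'CONSTRUCTED_TOKEN=%s\n' "$CONSTRUCTED_TOKEN" | mask_secrets CONSTRUCTED_TOKEN
fi
```

Run the demo with `MASK_SECRETS_DEMO=1 sh mask_secrets.sh`. The filter only protects against values you name, so it complements rather than replaces the advice above: keep the secret count small and their scope narrow, because a leaked but read-only, short-lived credential is a far smaller incident than a leaked long-lived admin key.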
CircleCI Documentation by CircleCI is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.