Security overview
This document outlines recommended best practices for keeping data and secrets secure when using CircleCI. If you are getting started with CircleCI, the practices below are worth considering from the outset.
Secure your secrets
Minimize the number of secrets (private keys and environment variables) your build needs and rotate secrets regularly. It is important to rotate secrets regularly in your organization, especially as team members come and go.
Rotating secrets regularly means each secret is only active for a limited time, which reduces the damage if a key is compromised. Ensure the secrets you do use are of limited scope, with only enough permissions for the purposes of your build.
Understand the role and permission systems of other platforms you use outside of CircleCI. For example, IAM permissions on AWS, or GitHub’s Machine User feature.
Follow the advice in Secure secrets handling when writing scripts and working on the command-line.
Secure your environment variables
Use restricted contexts with teams to share environment variables with a select security group.
If your project is open source and public, make note of whether or not you want to share environment variables.
On CircleCI, you can change a project’s settings to control whether your environment variables can pass on to forked versions of your repo. This is not enabled by default. You can read more about these settings and open source security in our Open Source projects document.
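As an added illustration of the restricted-context advice above (this is example configuration written for this page, not taken from CircleCI's own documentation), the following .circleci/config.yml keeps credentials out of the build job entirely and attaches them only to the deploy job through a context. It assumes a restricted context named prod-deploy has already been created in the organization settings and limited to a security group; the context name, job names, image and script names are assumptions made for this example.

```yaml
# Added example: a CircleCI config that attaches secrets only where they are needed.
# Assumptions: a restricted context "prod-deploy" exists in the organization
# settings and is limited to a security group; "make build" and "./deploy.sh"
# are placeholder commands for this example.
version: 2.1

jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Build without any deploy credentials
          # This job uses no context, so deploy secrets are never present here.
          command: make build

  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Deploy using credentials injected from the context
          # Read the variables inside the script; do not echo them into the
          # job output, where they would appear in logs visible to the team.
          command: ./deploy.sh

workflows:
  build-and-deploy:
    jobs:
      - build
      - deploy:
          requires:
            - build
          # Only this job receives the context's environment variables.
          # Because the context is restricted, the job runs only when the
          # pipeline was triggered by a member of the context's security group.
          context: prod-deploy
          filters:
            branches:
              only: main
```

The split between build and deploy is the point: a pull request from a fork, or a build on a feature branch, can run the build job without ever having the deploy credentials in its environment, and the context restriction adds a check on who can trigger the job that uses them.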
Secure your VCS
Consult your VCS provider’s permissions for your organization (if you are in an organization) and take into consideration the Principle of least privilege.
Ensure that your team is using two-factor authentication (2FA) with your VCS. If a VCS account is compromised, a nefarious actor could push code or potentially steal secrets.