This document outlines recommended best practices for keeping data and secrets secure when using CircleCI. If you are getting started with CircleCI, consider the following security best practices as a CircleCI user.
Secure your secrets
Minimize the number of secrets (private keys and environment variables) your build needs, and rotate the secrets you do use regularly. Regular rotation matters especially as team members come and go.
Rotating secrets regularly means each secret is only active for a limited amount of time, which reduces the possible damage if a key is compromised. Ensure the secrets you do use are of limited scope, with only enough permissions for the purposes of your build.
Understand the role and permission systems of other platforms you use outside of CircleCI. For example, IAM permissions on AWS, or GitHub’s Machine User feature.
Follow the advice in Secure secrets handling when writing scripts and working on the command-line.
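The command-line hygiene this section refers to (keep a secret out of command lines and shell traces, write it to a file only the current user can read, and scrub it from any output before it reaches the build log) as an added POSIX shell example. This is not CircleCI's own code or documentation; the environment variable name DEMO_API_TOKEN and its value are constructed for the demo, and the consuming tool is assumed to accept the credential from a file.

```shell
#!/bin/sh
# Added example, not CircleCI's own code: hygiene for a secret inside a CI step.
# Assumptions (constructed for the demo): the secret arrives in the environment
# variable DEMO_API_TOKEN, and the consuming tool can read it from a file.

# Refuse to touch a secret while `set -x` is on: xtrace would copy it into the build log.
assert_no_xtrace() {
    case "$-" in
        *x*) echo "refusing to handle a secret with xtrace enabled" >&2; return 1 ;;
    esac
    return 0
}

# Write the value of the env var named in $1 to the file in $2, readable only by
# this user. Only the variable NAME is passed as an argument, so the value never
# shows up in `ps` output or in process accounting.
write_secret_file() {
    _name="$1"; _dest="$2"
    assert_no_xtrace || return 1
    _val=$(printenv "$_name") || { echo "$_name is not set" >&2; return 1; }
    [ -n "$_val" ] || { echo "$_name is empty" >&2; return 1; }
    # umask inside a subshell so the restrictive mode applies only to this file.
    ( umask 077; printf '%s' "$_val" > "$_dest" )
}

# Return the mode string of a file (e.g. "-rw-------") for checks in scripts.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Filter stdin to stdout, replacing every occurrence of the secret held in the
# env var named in $1 with [REDACTED]. Uses shell parameter expansion rather
# than sed/awk so the secret never becomes an argument to an external command.
redact_secret() {
    _secret=$(printenv "$1")
    if [ -z "$_secret" ]; then cat; return 0; fi
    while IFS= read -r _line || [ -n "$_line" ]; do
        _out=""
        while :; do
            case "$_line" in
                *"$_secret"*)
                    _out="${_out}${_line%%"$_secret"*}[REDACTED]"
                    _line="${_line#*"$_secret"}"
                    ;;
                *)
                    _out="${_out}${_line}"
                    break
                    ;;
            esac
        done
        printf '%s\n' "$_out"
    done
}

# Demo with a constructed token value (not a real credential).
DEMO_API_TOKEN='demo-token-0123456789abcdef'
export DEMO_API_TOKEN
_tmp=$(mktemp)
write_secret_file DEMO_API_TOKEN "$_tmp"
echo "secret file mode: $(file_mode "$_tmp")"
# Simulate a noisy tool whose output would leak the token, and scrub it first.
printf 'Authorization: Bearer %s\n' "$DEMO_API_TOKEN" | redact_secret DEMO_API_TOKEN
rm -f "$_tmp"
```

In a CircleCI `run` step the same functions apply unchanged: pipe the tool's output through `redact_secret` before it reaches the step log, and delete the secret file at the end of the step (or use a file-based credential helper) rather than leaving it in the workspace.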
Secure your environment variables
Use restricted contexts with teams to share environment variables with a select security group.
If your project is open source and public, decide deliberately whether or not you want to share environment variables.
On CircleCI, you can change a project’s settings to control whether your environment variables can pass on to forked versions of your repo. This is not enabled by default. You can read more about these settings and open source security in our Open Source projects document.
Secure your VCS
Consult your VCS provider’s permissions for your organization (if you are in an organization) and take into consideration the Principle of least privilege.
Ensure that your team is using two-factor authentication (2FA) with your VCS: if a VCS account is compromised, a nefarious actor could push code or potentially steal secrets.
CircleCI Documentation by CircleCI is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.