Your security is our priority

At CircleCI, our top concern is protecting our users’ intellectual property and sensitive secrets such as keys, tokens, and credentials.

Compliance and authorizations

CircleCI takes the security of your applications seriously. We partner with the top security organizations to ensure that your projects are built, deployed, and maintained securely.

FedRAMP tailored

CircleCI was the first CI/CD tool to meet the NIST-based security and privacy standards of FedRAMP (Tailored baseline).

SOC 2 Type II compliant

SOC 2 is part of the American Institute of CPAs (AICPA) Service Organization Control reporting framework; a Type II report attests that the controls operated effectively over the audited period, not merely that they were designed.

Product security features

Get the compliance, security, and audit logging features that you need. Choose our cloud-hosted service with the option to use CircleCI compute and self-hosted runners, or run your own instance of CircleCI entirely on your own infrastructure.

Source code security

Communication with your VCS to access source code is always encrypted over the wire using SSH and/or HTTPS.

Config policies

Enforce organizational compliance and standardization across projects.

Environment variables (secrets)

Protect secrets and other sensitive data in CircleCI using environment variables.

OpenID Connect

CircleCI supports authentication via OpenID Connect at the job level. Each job can present a short-lived, CircleCI-signed OIDC identity token, so pipelines can authenticate to systems such as Vault, AWS, and GCP without storing long-lived credentials in CircleCI or distributing them to jobs.
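The secret-free property of OIDC only holds if the consuming system verifies the token strictly: signature, issuer, audience, expiry, and a claim that scopes trust to specific projects rather than to every job in the organization. The following Python example is added here and is not CircleCI's code or documentation. CircleCI's real tokens are RS256 JWTs issued by `https://oidc.circleci.com/org/<ORG_ID>`; to run offline, this demo mints constructed tokens with an HS256 key that stands in for the identity provider's signing key, and it exercises only the claim checks. The claim names (`aud` equal to the org ID, `oidc.circleci.com/project-id`) follow CircleCI's published token format as the author understands it and are assumptions to verify against a real token; the IDs and key are constructed.

```python
"""Relying-party checks for a CircleCI-style OIDC token (added example, not CircleCI code).

A real verifier fetches CircleCI's RSA public keys from the issuer's JWKS endpoint;
here a constructed HS256 key stands in for that key so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

ORG_ID = "11111111-2222-3333-4444-555555555555"          # constructed org ID
OTHER_ORG_ID = "99999999-8888-7777-6666-555555555555"    # constructed: an attacker's org
PROJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # constructed project ID
DEMO_KEY = b"demo-hmac-key-not-for-production"           # stands in for the IdP signing key
PROJECT_CLAIM = "oidc.circleci.com/project-id"           # assumed claim name, see lead-in
NOW = 1_700_000_000                                      # fixed clock for deterministic runs


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed test IdP: sign the claims as a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_circleci_token(token: str, key: bytes, org_id: str,
                          allowed_project_ids: set, now: Optional[float] = None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError.

    Each check mirrors a condition the consuming system must encode (IAM trust
    policy condition, Vault role bound claim): signature under the IdP key,
    iss and aud pinned to this org, unexpired, and a project allow-list so that
    not every job in the org can use the role.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != f"https://oidc.circleci.com/org/{org_id}":
        raise ValueError("wrong issuer")        # a token from another org's issuer is rejected
    if claims.get("aud") != org_id:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (NOW if now is None else now):
        raise ValueError("expired")
    if claims.get(PROJECT_CLAIM) not in allowed_project_ids:
        raise ValueError("project not allowed")  # scope trust narrower than "any job in the org"
    return claims


def _claims(org_id: str, project_id: str, exp: int) -> dict:
    return {
        "iss": f"https://oidc.circleci.com/org/{org_id}",
        "aud": org_id,
        "sub": f"org/{org_id}/project/{project_id}/user/constructed-user",
        "exp": exp,
        PROJECT_CLAIM: project_id,
    }


def demo() -> dict:
    """Mint three constructed tokens and report which ones the verifier accepts."""
    allowed = {PROJECT_ID}
    cases = {
        "own_project": mint_token(_claims(ORG_ID, PROJECT_ID, NOW + 600)),
        "other_org": mint_token(_claims(OTHER_ORG_ID, PROJECT_ID, NOW + 600)),
        "other_project": mint_token(_claims(ORG_ID, "not-allowed-project", NOW + 600)),
        "expired": mint_token(_claims(ORG_ID, PROJECT_ID, NOW - 1)),
    }
    results = {}
    for name, tok in cases.items():
        try:
            verify_circleci_token(tok, DEMO_KEY, ORG_ID, allowed, now=NOW)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

The same four conditions belong in the consumer's configuration: a cloud IAM trust policy for the CircleCI OIDC provider should condition on both the audience and the subject or project claim, because a provider that trusts only the issuer's signing key will accept a token from any job in the organization.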

Restricted contexts

Restricted contexts store environment variables encrypted and share them across multiple projects, while limiting who can use them to specific user groups or to specific projects.

Audit logging

Use audit logs to monitor anomalies, assist in forensics, and demonstrate compliance.

Runtime isolation

CircleCI runs all builds in isolated sandboxes that are destroyed after each use.

Console output and artifacts

Console output and artifacts are encrypted over the wire using SSH and/or HTTPS. Both are available only to users with read access to your repository.

Two-factor authentication

CircleCI inherits the two-factor authentication enforced by your third-party VCS provider: the 2FA policy you apply to VCS sign-in protects access to CircleCI as well, so enforce it there.

Have a security concern about CircleCI?

Finding serious security issues

If you find any of the following issues, please contact us with relevant details including steps to reproduce or a proof-of-concept.

  • Injection vulnerabilities
  • Authentication or session problems
  • Improper access to sensitive data
  • Broken access controls
  • Cross-site scripting
  • Anything from the OWASP Top 10 Project
  • Email spoofing, SPF, DKIM, and DMARC errors

Reports we do not act on

  • Credentials in a 3rd party’s .circleci/config.yml

CircleCI does not have a bounty program. We do not offer bug bounties for discovered vulnerabilities, but we hope that if you discover a vulnerability in the course of your work you will share it with us so we can improve the health of the internet ecosystem.

Protect our users’ data

Upon discovering a vulnerability, we ask that you:

  • Inform us as soon as possible by emailing our security team at security@circleci.com
    • If you are reporting a sensitive issue, please encrypt your message using our security team’s GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7)
  • Test against fake data and accounts, not our users’ private data (please ask if you’d like a free account to work on this)
  • Work with us to close the vulnerability before disclosing it to others
