CircleCI Security
At CircleCI, our top concern is protecting our users’ intellectual property
and sensitive secrets such as keys, tokens, and credentials.
Compliance and Authorizations
Product security features
- Source code security: Communication with your VCS to access source code is always encrypted over the wire using SSH and/or HTTPS.
- Environment variables (secrets): Protect secrets and other sensitive data in CircleCI using environment variables.
- Restricted contexts: Restricted contexts allow encrypted storage and sharing of environment variables across multiple projects while limiting access to certain user groups.
- Audit logging: Use audit logs to monitor anomalies, assist in forensics, and demonstrate compliance.
- Runtime isolation: CircleCI runs all builds in isolated sandboxes that are destroyed after each use.
- Console output and artifacts: Both are encrypted over the wire using SSH and/or HTTPS, and both are available only to users with read access to your repository.
- Two-factor authentication: CircleCI inherits the two-factor authentication you have set up with your third-party VCS provider.
Compliance & Certifications
Business Practices
Physical Security
Network & Data Security
Vulnerability remediation windows by severity:
- Critical: 14 to 30 days
- High: 14 to 30 days
- Medium: 45 to 90 days
- Low: 90 to 180 days
Monthly scans are submitted to federal authorities as part of ongoing FedRAMP compliance.
Application Security
Have a security concern about CircleCI?
We're confident in our implementation around matters such as cryptomining, email spoofing, and DKIM records. However, here are some issues we would be excited to hear about:
- Injection vulnerabilities
- Authentication or session problems
- Improper access to sensitive data
- Broken access controls
- Cross-site scripting
- Anything from the OWASP Top 10 Project
If you discover a vulnerability, we ask that you act to protect our users' data:
- Inform us as soon as possible.
- Test against fake data and accounts, not our users' private data (please ask if you'd like a free account to work on this).
- Work with us to close the vulnerability before disclosing it to others.
Report your security concerns to CircleCI.
If you have found a vulnerability in CircleCI, please contact our security team by email at security@circleci.com.
If you are reporting a sensitive issue, please encrypt your message to our security team's GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7). Verify the full fingerprint before encrypting; the short key ID alone is not enough to identify the key.
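The encrypted-report step above, as an added example that is not CircleCI's own tooling: a POSIX shell script that normalizes the published fingerprint, checks that the key gpg actually fetched carries exactly that fingerprint, and then encrypts to the full fingerprint rather than to the short key ID. The short ID 0x4013DDA7 is only the low 32 bits of the fingerprint, and 32-bit key IDs can be collided cheaply, so a key selected by short ID alone could belong to an impostor. The keyserver URL, the `encrypt_report` helper and the report file name are assumptions for illustration; `gpg` must be installed for the encryption step.

```shell
#!/bin/sh
# Added example (not CircleCI's own tooling): encrypt a report to the CircleCI
# security team's published key after verifying the FULL fingerprint.
# Assumptions: gpg is installed; the keyserver and report file name below are
# placeholders chosen for this example.

# Fingerprint exactly as published on the CircleCI security page.
PUBLISHED_FPR="3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7"

# Normalize a fingerprint: strip whitespace, uppercase, require 40 hex digits.
# Prints the canonical form on success; returns 1 on malformed input.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#fpr} -eq 40 ] || return 1
    printf '%s' "$fpr"
}

# Derive the 8-hex-digit short key ID (low 32 bits) from a fingerprint.
# Shown only to demonstrate that 0x4013DDA7 is a truncation of the fingerprint;
# it must never be used on its own to select a key.
short_key_id() {
    fpr=$(normalize_fpr "$1") || return 1
    printf '%s' "$fpr" | cut -c33-40
}

# Exact comparison of two fingerprints after normalization (0 = match).
fpr_matches() {
    a=$(normalize_fpr "$1") || return 1
    b=$(normalize_fpr "$2") || return 1
    [ "$a" = "$b" ]
}

# Fetch the key by full fingerprint, confirm gpg reports that same fingerprint,
# then encrypt $1 to it. Writes "$1.asc". Keyserver is a placeholder.
encrypt_report() {
    report="$1"
    want=$(normalize_fpr "$PUBLISHED_FPR") || return 1
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$want" || return 1
    # In --with-colons output the "fpr" record carries the fingerprint in field 10;
    # the first such record is the primary key.
    got=$(gpg --with-colons --fingerprint "$want" | awk -F: '$1 == "fpr" { print $10; exit }')
    fpr_matches "$want" "$got" || { echo "fingerprint mismatch: got '$got'" >&2; return 1; }
    # Encrypt to the full fingerprint so a colliding short ID cannot select another key.
    gpg --armor --encrypt --recipient "$want" --output "$report.asc" "$report"
}
```

Usage: `encrypt_report report.txt` produces `report.txt.asc` to attach to the email. The comparison is deliberately on the whole 160-bit fingerprint; matching on the key ID would accept any key whose fingerprint happens to end in 4013DDA7.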