CircleCI Breach: How to Rotate All Stored Secrets ASAP

The Incident

Yesterday, CircleCI, a Continuous Integration/Continuous Delivery (CI/CD) service, announced via a critical advisory from its CTO that it had been breached. Because CircleCI sits in the middle of the software delivery pipeline, its users store myriad credentials for downstream services (cloud accounts, source control, artifact registries, messaging) in CircleCI’s “Secrets Store” infrastructure, and every one of those credentials now has to be treated as potentially exposed. The advisory’s clearest recommendation is to “Immediately rotate any and all secrets stored in CircleCI.”

“Rotating a secret” means replacing it end to end: issuing a new credential with the same (or narrower) permissions in the system that owns it, storing the new value in CircleCI in place of the old one so that pipelines keep working, and revoking the old credential at its issuer. That last step is what actually ends the exposure: deleting a value from CircleCI does nothing to a copy that has already been exfiltrated. Issue-then-revoke keeps pipelines running; for a high-privilege credential you may prefer to revoke first and accept a pipeline outage. Either way, doing this for hundreds of secrets across many projects and contexts, under time pressure, is the hard part.

Torq has a highly effective and straightforward solution to the issue, and will provide any organization that isn’t currently a customer a free account, plus architecture advice, to automate rotating secrets ASAP, with no further commitment.

How Torq Can Help

1. Immediately Rotate Any and All Secrets Stored in CircleCI

Torq can assist in rotating all secrets rapidly and efficiently by enumerating the secrets stored in CircleCI project environment variables and in contexts. CircleCI’s API returns variable names (and, for context variables, timestamps) but masks the values themselves, which is all an inventory needs: with Torq, organizations that use CircleCI can immediately list every secret, classify it by the system it belongs to, identify its owner, and ensure tight and fast follow-up on rotating each one.

Torq has built and tested a highly effective workflow that connects to the organizational CircleCI environment, retrieves all relevant secrets together with the creation/update timestamps CircleCI records for them, and continues following up by:

  • Finding the owners and notifying them via email, Slack, and/or Microsoft Teams
  • Rotating all keys
  • Creating reports and updating status via desired communication methods
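The inventory-and-rotate procedure above, as an added example that is not Torq’s workflow or CircleCI’s own tooling. It assumes the CircleCI v2 REST API endpoints and response shapes used below (project environment variables under /project/{slug}/envvar, context variables under /context/{id}/environment-variable, authenticated with a Circle-Token header) and takes the HTTP GET as a parameter, so it runs offline against the constructed responses at the bottom; the name-to-system classification patterns are assumptions to extend for your own naming scheme. Issuing the replacement credential at its provider is outside the block and is assumed to happen before the CircleCI write.

```python
"""Inventory every secret CircleCI holds for an organization and build a
rotation worklist.  Added example, not Torq's workflow or CircleCI tooling.
It assumes the CircleCI v2 REST API shapes used below and takes the HTTP GET
as a parameter, so it runs offline against the constructed responses."""
import json
import re
import urllib.request
from datetime import datetime, timezone

API = "https://circleci.com/api/v2"
# End of the exposure window given in the CircleCI advisory.
EXPOSURE_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# Name-pattern heuristics mapping a variable to the system that issued it.
# These are assumptions; extend them to match your own naming scheme.
CLASSES = [
    (re.compile(r"^AWS_"), "aws"),
    (re.compile(r"^(GH|GITHUB)_"), "github"),
    (re.compile(r"^(NPM|PYPI)_"), "package-registry"),
    (re.compile(r"^SLACK_"), "slack"),
]

def classify(name):
    """Guess the issuing system from the variable name."""
    for pattern, system in CLASSES:
        if pattern.search(name):
            return system
    return "unknown"

def circle_get(url, token):
    """Live HTTP GET against CircleCI, authenticated with a personal API token."""
    req = urllib.request.Request(url, headers={"Circle-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def paged(fetch, url):
    """Follow CircleCI's next_page_token pagination until exhausted."""
    page_token = None
    while True:
        sep = "&" if "?" in url else "?"
        page = fetch(url + (f"{sep}page-token={page_token}" if page_token else ""))
        yield from page.get("items", [])
        page_token = page.get("next_page_token")
        if not page_token:
            return

def inventory(fetch, project_slugs, context_ids):
    """One record per secret.  Values are never fetched: the API masks them
    (e.g. 'xxxx1234'), so this tells you what to rotate, not what it is."""
    items = []
    for slug in project_slugs:
        for v in paged(fetch, f"{API}/project/{slug}/envvar"):
            items.append({"scope": f"project:{slug}", "name": v["name"],
                          "system": classify(v["name"]), "updated_at": None})
    for cid in context_ids:
        for v in paged(fetch, f"{API}/context/{cid}/environment-variable"):
            items.append({"scope": f"context:{cid}", "name": v["variable"],
                          "system": classify(v["variable"]),
                          "updated_at": v.get("updated_at")})
    return items

def needs_rotation(item):
    """Project variables carry no timestamp, so they are always in scope.
    A context variable last written before the end of the exposure window
    must be assumed stolen; one rewritten after it may already be rotated,
    but confirm that with its owner before skipping it."""
    if item["updated_at"] is None:
        return True
    written = datetime.fromisoformat(item["updated_at"].replace("Z", "+00:00"))
    return written < EXPOSURE_END

def circleci_write(item, new_value):
    """The request that stores a replacement value in CircleCI.  Issue the new
    credential at its provider first, send this, verify a pipeline run, then
    revoke the old credential at the provider: removing it from CircleCI alone
    does nothing to a copy that has already been exfiltrated."""
    scope, ident = item["scope"].split(":", 1)
    if scope == "project":
        return ("POST", f"{API}/project/{ident}/envvar",
                {"name": item["name"], "value": new_value})
    return ("PUT", f"{API}/context/{ident}/environment-variable/{item['name']}",
            {"value": new_value})

# Constructed API responses standing in for a live organization (not real data).
FAKE_RESPONSES = {
    f"{API}/project/gh/acme/api/envvar": {
        "items": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "xxxx9f2a"},
                  {"name": "NPM_TOKEN", "value": "xxxx11c0"}],
        "next_page_token": None},
    f"{API}/context/ctx-1/environment-variable": {
        "items": [{"variable": "GITHUB_TOKEN", "context_id": "ctx-1",
                   "updated_at": "2022-11-02T10:00:00Z"},
                  {"variable": "SLACK_WEBHOOK", "context_id": "ctx-1",
                   "updated_at": "2023-01-05T08:30:00Z"}],
        "next_page_token": None},
}

def worklist(fetch=FAKE_RESPONSES.__getitem__):
    """Secrets still needing rotation, ready for owner lookup and reporting."""
    return [i for i in inventory(fetch, ["gh/acme/api"], ["ctx-1"])
            if needs_rotation(i)]
```

Against a live organization, pass `lambda url: circle_get(url, token)` as `fetch` and the real project slugs and context IDs; the worklist is what gets handed to owners, and `circleci_write` is the last-but-one step of each rotation, before the old credential is revoked at its issuer.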

2. Review Internal Logs for Unauthorized Access

CircleCI recommends that customers review their internal logs for any unauthorized access from December 21, 2022 through January 4, 2023 (or through the completion of their secrets rotation, if that comes later).

Torq can help break down the difficult task of identifying unauthorized access into actionable, automated steps that save substantial security analyst time, reduce mean time to respond (MTTR), and limit the exposure from any unauthorized key usage.

Reviewing access logs is a procedure that depends heavily on where the credentials held in CircleCI are used and where the pipelines’ deliverables are hosted. Torq’s flexible out-of-the-box integrations allow rapid building of automations that access logs on any infrastructure, such as (but not limited to):

  • Amazon Web Services
  • Google Cloud Platform
  • Microsoft Azure
  • Kubernetes clusters
  • GitHub/GitLab/Atlassian Bitbucket accounts
  • JFrog Artifactory services
  • Platform-as-a-Service solutions (such as Heroku)
  • Infrastructure-as-Code services such as HashiCorp Terraform Cloud
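The log review described above, carried out for the first item on that list, as an added example that is not Torq’s AWS integration. It scans AWS CloudTrail records for in-window use of an access key ID that CircleCI held (key IDs are not secret and come straight from the rotation inventory) from anywhere other than your CI egress addresses, and separately flags recon and persistence calls. The records are constructed in CloudTrail’s export format, the key IDs are the ones AWS uses in its own documentation, and the CI CIDR list and suspicious-call list are assumptions to be filled in from your own network configuration and threat model.

```python
"""Review AWS CloudTrail for use of an access key that CircleCI held, inside
the advisory window, from anywhere other than your CI egress addresses.
Added example, not Torq's AWS integration.  The records are constructed in
CloudTrail's export format, and the CI CIDR list is an assumption you fill
from your own network or CircleCI IP-range configuration."""
import ipaddress
import json
from datetime import datetime, timezone

WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# API calls an attacker tends to make with a stolen key: recon and persistence.
# This list is an assumption; tune it to your own threat model.
SUSPICIOUS_EVENTS = {"GetCallerIdentity", "ListBuckets", "ListUsers",
                     "CreateAccessKey", "CreateUser", "AttachUserPolicy",
                     "AssumeRole", "GetSecretValue"}

def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def review(records, ci_key_ids, ci_cidrs):
    """Findings for in-window events that used a CI-held key ID from outside
    the CI networks, or that match the suspicious-call list from anywhere."""
    nets = [ipaddress.ip_network(c) for c in ci_cidrs]
    findings = []
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in ci_key_ids:
            continue
        when = parse_time(r["eventTime"])
        if not WINDOW_START <= when <= WINDOW_END:
            continue
        src = r.get("sourceIPAddress", "")
        reasons = []
        try:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append("source outside CI ranges")
        except ValueError:
            # AWS-service-originated calls carry a hostname, not an IP; they
            # cannot be placed by address, so hand them to a human.
            reasons.append("service-originated call, review manually")
        if r.get("eventName") in SUSPICIOUS_EVENTS:
            reasons.append("recon/persistence call")
        if reasons:
            findings.append({"time": r["eventTime"], "key": key,
                             "event": r.get("eventName"), "source": src,
                             "reasons": reasons})
    return findings

# Constructed CloudTrail records (not real logs).  The key IDs are the ones
# AWS uses in its own documentation examples.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2022-12-15T09:00:00Z", "eventName": "PutObject",
  "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2022-12-28T11:12:00Z", "eventName": "PutObject",
  "sourceIPAddress": "198.51.100.41",
  "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2022-12-30T02:47:13Z", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2023-01-02T03:05:40Z", "eventName": "CreateAccessKey",
  "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2023-01-03T14:00:00Z", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}}
]}""")

CI_KEYS = {"AKIAIOSFODNN7EXAMPLE"}   # key IDs that were stored in CircleCI
CI_CIDRS = ["198.51.100.0/24"]        # assumed CI egress range

def sample_findings():
    return review(SAMPLE_TRAIL["Records"], CI_KEYS, CI_CIDRS)
```

The first record is outside the window and the second comes from the CI range, so neither is reported; the last uses a key CircleCI never held and is out of scope for this review. The two remaining records, a GetCallerIdentity followed by CreateAccessKey from the same unknown address, are exactly the pattern a stolen key produces and should drive the follow-up on that key before anything else.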

As a concrete example, Torq automation can verify that everything in the artifact repository was produced by the software pipeline, so that an artifact pushed with a stolen registry credential stands out. Here is how an automation like that works:

  1. Torq pulls the list of container images from your Artifactory
  2. For every image, Torq verifies via GitHub (or another repository) that a matching commit exists, both in content (the revision the image claims to be built from) and in time (committed before the image was built), and flags every gap to orchestrate specific follow-up
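The two steps above as an added example, not Torq’s template. It reconciles a registry listing against a commit list using the standard OCI revision label (org.opencontainers.image.revision) to tie each image to a commit, and reports a gap for any image with no label, an unknown revision, an impossible ordering (image older than its commit), or an in-window build from a commit that never landed on the default branch. The registry entries and commit list are constructed; in practice the images would come from Artifactory’s API and the commit lookups from the GitHub API.

```python
"""Reconcile a container registry against source control: every image should
carry a revision that exists in the repository and was committed before the
image was built.  Added example, not Torq's template.  The registry entries
and commit list are constructed; in practice the images come from
Artifactory's API and the commit lookups from the GitHub API."""
from datetime import datetime, timezone

WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)
REVISION_LABEL = "org.opencontainers.image.revision"  # standard OCI label

def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def reconcile(images, commits):
    """images: registry entries with name, tag, created and labels.
    commits: sha -> {"date": ISO-8601, "on_default_branch": bool}.
    Returns (image reference, reason) for each image that does not trace
    cleanly to a commit; each one needs a human to explain it."""
    gaps = []
    for img in images:
        ref = f"{img['name']}:{img['tag']}"
        built = parse_time(img["created"])
        rev = img.get("labels", {}).get(REVISION_LABEL)
        if not rev:
            gaps.append((ref, "no revision label; cannot trace to a commit"))
            continue
        commit = commits.get(rev)
        if commit is None:
            gaps.append((ref, f"revision {rev[:12]} not in repository"))
            continue
        if parse_time(commit["date"]) > built:
            gaps.append((ref, "image predates the commit it claims to be built from"))
            continue
        if WINDOW_START <= built <= WINDOW_END and not commit["on_default_branch"]:
            gaps.append((ref, "built in window from a commit not on the default branch"))
    return gaps

# Constructed data (not a real registry or repository).
IMAGES = [
    {"name": "acme/api", "tag": "1.4.0", "created": "2022-12-10T12:00:00Z",
     "labels": {REVISION_LABEL: "a1f3e9c0d2b4a1f3e9c0d2b4a1f3e9c0d2b4a1f3"}},
    {"name": "acme/api", "tag": "1.4.1", "created": "2022-12-28T09:30:00Z",
     "labels": {REVISION_LABEL: "b2c4d6e8f0a2b2c4d6e8f0a2b2c4d6e8f0a2b2c4"}},
    {"name": "acme/api", "tag": "1.4.1-hotfix", "created": "2022-12-30T03:11:00Z",
     "labels": {REVISION_LABEL: "c3d5e7f9a1b3c3d5e7f9a1b3c3d5e7f9a1b3c3d5"}},
    {"name": "acme/api", "tag": "latest", "created": "2023-01-02T04:02:00Z",
     "labels": {}},
    {"name": "acme/worker", "tag": "2.0.0", "created": "2023-01-03T10:00:00Z",
     "labels": {REVISION_LABEL: "d4e6f8a0b2c4d4e6f8a0b2c4d4e6f8a0b2c4d4e6"}},
]
COMMITS = {
    "a1f3e9c0d2b4a1f3e9c0d2b4a1f3e9c0d2b4a1f3":
        {"date": "2022-12-09T17:45:00Z", "on_default_branch": True},
    "b2c4d6e8f0a2b2c4d6e8f0a2b2c4d6e8f0a2b2c4":
        {"date": "2022-12-27T16:20:00Z", "on_default_branch": True},
    "d4e6f8a0b2c4d4e6f8a0b2c4d4e6f8a0b2c4d4e6":
        {"date": "2023-01-04T08:00:00Z", "on_default_branch": True},
}

def sample_gaps():
    return reconcile(IMAGES, COMMITS)
```

The two releases that were built from known commits pass; the hotfix tag, the unlabeled latest tag, and the worker image whose commit postdates its build are the gaps handed to the owning team. None of them is proof of tampering on its own, but every one is an artifact whose provenance the pipeline cannot vouch for, which is precisely what a stolen registry credential would produce.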

Torq is Architected with a Zero Trust Approach

Torq, as a security automation and integration platform, also holds a significant number of credentials for various corporate systems. To mitigate the risk of an incident like this one, Torq has proactively deployed these critical architectural elements:

  • Torq’s secrets store is implemented using a cloud-based Hardware Security Module (Cloud HSM), to reduce the risk of a mass breach
  • Torq provides a full API allowing its users to rotate secrets as part of a regular routine, all included in the core product
  • Torq integrates with all major customer-hosted secret stores and key management services, such as HashiCorp Vault, Britive, Akeyless, AWS KMS, Google Cloud Key Management, Azure Key Vault, and many more
  • Torq enables using roles and workload identities to authenticate operations instead of long-lived credentials wherever possible.

Begin Rotating Your CircleCI Keys Today

The CircleCI integration and its associated workflow templates are available to Torq users today. Find them in the workflow designer and the template library, respectively. Users can also contact their customer service manager for a demo and walkthrough.

Not using Torq yet? Get in touch to handle this issue at no cost, and see how Torq security automation accelerates security operations to deliver unparalleled protection.

CircleCI Demo Templates

If you’re ready to go, we’ve prepared two workflow templates that use and demonstrate the power of Parallel Loop. Torq users can begin deploying them right away.