Rotate all CircleCI secrets

CircleCI, a Continuous Integration/Continuous Delivery (CI/CD) service, notified the world (January 2023) it had been breached. As a major software delivery pipeline service, users store credentials for various services in CircleCI’s Secrets Store infrastructure. The recommendation is to rotate all secrets stored in CircleCI ASAP.

To rotate a secret means resetting it in the original system, allocating a new one with the same permissions, and updating CircleCI with the new secret value.

The solution

With Torq, organizations that use CircleCI can rapidly and efficiently retrieve all existing secrets, classify them, identify their owners, and ensure tight and fast follow-up on rotating each of them.

The workflow is available in the templates library: Gather CircleCI Global Environment Variables with Creation Date.

1. Create a CircleCI integration to connect to the organizational CircleCI environment.
2. Retrieve all secrets (environment variables) with their creation/last usage dates and rotate them.
   
3. Create reports and update the status by using the desired communication methods.
   
4. Rerun the workflow and set the optional created_before_date input parameter to make sure all secrets were rotated.
5. Use the Gather CircleCI Environment Variables from GitHub Org Repos or Gather CircleCI Environment Variables from Bitbucket Repos template (according to how your organization repos are managed) to get the project-level environment variables and rotate those as well.
   

Related links

• Blogpost by Leonid Belkind
• CircleCI integration documentation

Templates

• Gather CircleCI Global Environment Variables with Creation Date
• Gather CircleCI Environment Variables from GitHub Org Repos
• Gather CircleCI Environment Variables from Bitbucket Repos