Rotate all CircleCI secrets
  • 16 Mar 2023
  • 1 Minute to read
  • Dark

Rotate all CircleCI secrets

  • Dark

Article summary

CircleCI, a Continuous Integration/Continuous Delivery (CI/CD) service, notified the world (January 2023) it had been breached. As a major software delivery pipeline service, users store credentials for various services in CircleCI’s Secrets Store infrastructure. The recommendation is to rotate all secrets stored in CircleCI ASAP.

To rotate a secret means resetting it in the original system, allocating a new one with the same permissions, and updating CircleCI with the new secret value.

The solution

With Torq, organizations that use CircleCI can rapidly and efficiently retrieve all existing secrets, classify them, identify their owners, and ensure tight and fast follow-up on rotating each of them.

The workflow is available in the templates library: Gather CircleCI Global Environment Variables with Creation Date.

  1. Create a CircleCI integration to connect to the organizational CircleCI environment.
  2. Retrieve all secrets (environment variables) with their creation/last usage dates and rotate them.
    get contexts and vriables per context
  3. Create reports and update the status by using the desired communication methods.
    send out reports
  4. Rerun the workflow and set the optional created_before_date input parameter to make sure all secrets were rotated.
  5. Use the Gather CircleCI Environment Variables from GitHub Org Repos or Gather CircleCI Environment Variables from Bitbucket Repos template (according to how your organization repos are managed) to get the project-level environment variables and rotate those as well.
    get the repo env variables


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.