CI services expose company secrets including GitHub access tokens


Researchers have re-discovered that CI services still contain company secrets inside their build logs.
The most widely used CI service is Travis CI due to its GitHub integration, while Circle CI and GitLab CI are other popular CI services.

Researchers scanned CI build logs for the past few months and found leaks at Grammarly, Discourse, a public cryptocurrency program, and an organization.


The big picture


Researchers noted that many Continuous Integration (CI) services still contain company secrets hidden inside their build logs.


CI services are used to detect bugs at a very early stage of the coding process. These services keep logs of each build and of its interactions with various remote servers and APIs, so passwords, SSH keys, or API tokens used during the build can end up recorded in the CI logs.


A few years back, researchers identified that Travis CI logs expose API keys, GitHub access tokens, and other secrets. Attackers then searched Travis CI build logs in bulk to extract some of those secrets. Since then, Travis CI has changed its processes and has been running various automated scripts that detect patterns that look like passwords or API tokens and replace them with the word "[secure]" inside the build logs.


Why it matters


Three years later, researchers have re-discovered that CI services still contain company secrets inside their build logs. Researchers have urged CI services to review their build logs for any sensitive tokens that slip through basic pattern filtering.
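As an added illustration (not code from the article or from Travis CI), here is a small log scrubber that shows both halves of the point above: a pattern-only pass of the kind the article describes, which replaces recognised tokens with "[secure]", and a second entropy-based pass that URL-decodes candidate words, since an encoded token is one way a secret can pass through fixed patterns untouched. The token formats, thresholds and sample log lines are constructed assumptions, not the real filtering rules of any CI service.

```python
import re
from collections import Counter
from math import log2
from urllib.parse import unquote

REDACTED = "[secure]"

# Pattern rules for token formats with a fixed shape (constructed; not Travis CI's real rules).
KNOWN_PATTERNS = [
    (re.compile(r"ghp_[A-Za-z0-9]{36}"), REDACTED),   # GitHub personal access token shape
    (re.compile(r"AKIA[0-9A-Z]{16}"), REDACTED),       # AWS access key ID shape
    (re.compile(r"(?i)(token|password|secret)=[^\s&\"']+"), r"\1=" + REDACTED),  # key=value
]

def redact_basic(line: str) -> str:
    """Pattern-only redaction: the kind of filtering the article says Travis CI applies."""
    for pattern, replacement in KNOWN_PATTERNS:
        line = pattern.sub(replacement, line)
    return line

def shannon_entropy(text: str) -> float:
    """Bits per character: random-looking tokens score high, ordinary words score low."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * log2(c / n) for c in counts.values())

def redact(line: str, min_len: int = 20, min_entropy: float = 3.5) -> str:
    """Pattern pass, then an entropy pass over URL-decoded words so that an
    encoded token (e.g. ghp%5F...) does not slip past the fixed patterns."""
    line = redact_basic(line)

    def scrub(match: re.Match) -> str:
        word = match.group(0)
        decoded = unquote(word)
        # Tuning choice: leave pure-hex words (commit SHAs, digests) alone to limit false positives.
        if re.fullmatch(r"[0-9a-fA-F]+", decoded):
            return word
        if len(decoded) >= min_len and shannon_entropy(decoded) >= min_entropy:
            return REDACTED
        return word

    return re.sub(r"[A-Za-z0-9_%+/=-]{20,}", scrub, line)

# Constructed sample log lines; the tokens are made up and are not valid credentials.
SAMPLE_LOG = [
    "export GITHUB_TOKEN=ghp_Xk9vQ2mL8pZ4rT7wB1nC5yH3jF6dG0sA2eU8",
    "curl -H 'Authorization: Bearer ghp%5FXk9vQ2mL8pZ4rT7wB1nC5yH3jF6dG0sA2eU8' https://api.github.com/user",
    "git checkout 3f2a9c1d4e5b6a7f8091c2d3e4f5a6b7c8d9e0f1",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print("basic:", redact_basic(raw))
        print("full :", redact(raw))
```

The second sample line is the one to watch: the pattern pass leaves the URL-encoded token intact, while the entropy pass redacts it.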


Researchers noted that attackers could also take another avenue ..