In January 2023, CircleCI, a cornerstone of Continuous Integration/Continuous Delivery (CI/CD) services, experienced a breach. As a platform where users store essential credentials within CircleCI’s Secrets Store, the imperative action recommended is the immediate rotation of all stored secrets. At Torq, we understand the gravity of this situation and offer a swift, efficient solution to secure your operations. This guide walks you through automating the rotation of your CircleCI secrets, reinforcing the safety of your software delivery pipeline.
Understanding Secret Rotation
Rotating a secret means replacing it within the original system with a new one with identical permissions then updating CircleCI with this new secret value. This ensures your credentials remain secure and up to date.
The Solution with Torq
Torq enables organizations using CircleCI to quickly retrieve all existing secrets, classify them, identify their owners, and ensure a tight and rapid process for rotating each secret. Access the workflow in our templates library: Gather CircleCI Global Environment Variables with Creation Date.
Automate Secret Rotation
Create a CircleCI Integration: First, connect to your organizational CircleCI environment. Begin this process by creating a CircleCI integration following our CircleCI Integration Documentation.
Retrieve and Rotate Secrets: Next, retrieve all secrets including environment variables with their creation/last usage dates and rotate them. This is a critical step in ensuring your environment remains secure.
Create Reports and Update Status: Use Torq to create reports and update the rotation status through your preferred communication methods, keeping stakeholders informed throughout the process.
Verify Rotation Completion: Rerun the workflow with the created_before_date input parameter to confirm all secrets have been successfully rotated.
Project-Level Variable Rotation
Depending on how your organization’s repos are managed, use the Gather CircleCI Environment Variables from GitHub Org Repos or Gather CircleCI Environment Variables from Bitbucket Repos template to rotate project-level environment variables as well.