CI build logs continue to expose company secrets

Security researchers are still finding secrets hidden deep inside continuous integration (CI) services, years after the issue became common knowledge. The purpose of CI is to find bugs as early as possible in the coding process and catch them before they are too deeply embedded in the rest of the project, at which point fixing them may require extensive rewrites.

The most famous and widely used of all CI services is Travis CI, popular primarily because of its GitHub integration. Travis CI keeps logs of everything that happens, and one of the most important of these is a project's build log, which can sometimes include passwords, SSH keys, or API tokens.

A few years back, security researchers realized that they could comb Travis CI logs for API keys and other secrets, and report these issues to companies to receive bug bounties. Besides good-willed security researchers, threat actors also realized they could do the same, and some of them even launched attacks against Travis CI to search build logs in bulk and extract some of these secrets.
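The defensive counterpart to what the article describes is scanning your own build output for credentials before the log is stored or published. The following is an added example, not code from the article or from Travis CI: a small scanner that flags common token shapes and high-entropy `KEY=value` assignments in constructed build-log lines and redacts them. The patterns and thresholds are assumptions chosen for illustration; the sample log, including the AWS and GitHub-style token values in it, is constructed and not real.

```python
import math
import re
from collections import Counter

# Assumed detection patterns for illustration; production secret scanners ship far more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic NAME=value / NAME: value assignments with a secret-looking name.
    "assignment": re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*(\S+)"),
}

def shannon_entropy(s):
    """Bits of entropy per character; masked values such as ******** score 0."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_line(line):
    """Return (pattern_name, matched_value) pairs found on one log line."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(line):
            value = m.group(2) if name == "assignment" else m.group(0)
            # Generic assignments are noisy: require a value that is long and random enough.
            if name == "assignment" and (len(value) < 8 or shannon_entropy(value) < 3.0):
                continue
            findings.append((name, value))
    return findings

def redact_line(line):
    """Replace every detected secret with a labelled placeholder before the line is logged."""
    for name, value in scan_line(line):
        line = line.replace(value, "[REDACTED:%s]" % name)
    return line

def scan_log(text):
    """Return (line_number, finding) pairs for a whole build log."""
    return [(i, f) for i, l in enumerate(text.splitlines(), 1) for f in scan_line(l)]

# Constructed sample build log; the credential values below are fake.
SAMPLE_LOG = """\
$ npm ci
added 412 packages in 9s
$ export DB_PASSWORD=s3cr3tP4ssw0rd!x
$ aws s3 cp build.tgz s3://bucket/  # AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ curl -H 'Authorization: Bearer ghp_A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8' https://api.github.com/user
PASSWORD=********
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, (kind, _) in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (lineno, kind))
```

Running the scanner on the sample reports lines 3, 4, 5 and 7, while the already-masked `PASSWORD=********` on line 6 is ignored because of the entropy check.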