[CircleCI Security Alert] Rotate any secrets stored in CircleCI

I used the GitHub CLI to get a list of all GitHub repos.

gh api -H "Accept: application/vnd.github+json" '/orgs/ORG/repos?per_page=100&page=1' | jq 'map(.full_name) | .[]' -r > ./repos.txt
gh api -H "Accept: application/vnd.github+json" '/orgs/ORG/repos?per_page=100&page=2' | jq 'map(.full_name) | .[]' -r >> ./repos.txt
gh api -H "Accept: application/vnd.github+json" '/orgs/ORG/repos?per_page=100&page=3' | jq 'map(.full_name) | .[]' -r >> ./repos.txt
gh api -H "Accept: application/vnd.github+json" '/orgs/ORG/repos?per_page=100&page=4' | jq 'map(.full_name) | .[]' -r >> ./repos.txt
gh api -H "Accept: application/vnd.github+json" '/orgs/ORG/repos?per_page=100&page=5' | jq 'map(.full_name) | .[]' -r >> ./repos.txt

And then this script to list variables attached to a repo (saved as get-repo-vars.sh).

curl -su $(sed -nr 's/token: (.*)/\1/p' ~/.circleci/cli.yml): \
  https://circleci.com/api/v2/project/gh/${1}/envvar | \
  jq '.items | map(.name) | .[]' -r | xargs -n1 echo ${1}

And then xargs to combine the two.

cat ./repos.txt | xargs -n1 sh ./get-repo-vars.sh

For contexts I just used the CircleCI CLI.

To be able to see everything, it works best when you're a GitHub admin.
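The same inventory (project env vars plus context variables) as a single script, added here as an example and not the poster's code. It assumes the CircleCI v2 list endpoints return `{"items": [...], "next_page_token": ...}` and accept a `page-token` query parameter, that project env vars carry a `name` key and context variables a `variable` key, and that the API token is in a `CIRCLE_TOKEN` environment variable (hypothetical name); the fetcher is injected so the core can be exercised offline.

```python
"""Inventory every CircleCI project env var and context variable for an org,
so each secret has a known home before rotation. repos.txt holds ORG/repo lines
as produced by the gh commands above."""
import json
import os
import sys
import urllib.parse
import urllib.request

API = "https://circleci.com/api/v2"


def http_fetch(path, params=None):
    """Real fetcher: GET a v2 endpoint, authenticating with the Circle-Token header."""
    query = urllib.parse.urlencode(params or {})
    url = f"{API}{path}" + (f"?{query}" if query else "")
    req = urllib.request.Request(url, headers={"Circle-Token": os.environ["CIRCLE_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def paginate(fetch, path, params=None):
    """Yield every item across pages, following next_page_token until it is empty
    (assumed v2 pagination shape; the post's one-shot curl silently stops at page one)."""
    params = dict(params or {})
    while True:
        page = fetch(path, params)
        yield from page.get("items", [])
        token = page.get("next_page_token")
        if not token:
            return
        params["page-token"] = token


def inventory(fetch, org, repos):
    """Return sorted (scope, variable) rows: scope is 'gh/ORG/repo' for project vars
    and 'context:NAME' for context vars. Values are never fetched or stored."""
    rows = []
    for repo in repos:
        for item in paginate(fetch, f"/project/gh/{repo}/envvar"):
            rows.append((f"gh/{repo}", item["name"]))
    for ctx in paginate(fetch, "/context", {"owner-slug": f"gh/{org}"}):
        for item in paginate(fetch, f"/context/{ctx['id']}/environment-variable"):
            rows.append((f"context:{ctx['name']}", item["variable"]))
    return sorted(rows)


if __name__ == "__main__":
    org = sys.argv[1]
    repos = [line.strip() for line in open("./repos.txt") if line.strip()]
    for scope, name in inventory(http_fetch, org, repos):
        print(scope, name)
```

Run as `python3 inventory.py ORG > secrets-to-rotate.txt`; the output is the checklist of names, one per scope, and contains no secret values.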