Inside a Config File: Config Security Opportunities

1) OIDC

OIDC tokens are available in any job and are a great way to replace static credentials used to connect to cloud services (for example, a Vault instance in AWS). Static credentials are not only a security issue; they also add to the difficulty of managing CI as a whole, since you need a rotation policy in place for them.

OIDC is also available for custom images stored in ECR that are used as a job's executor.

2) Contexts

Contexts are used to help manage secrets within CircleCI. By default, anyone with access to run a pipeline can use them. GitHub projects can restrict a context to a security group, allowing for more granular access levels.

3) Runner

Jobs that need to access internal resources may be hard to manage on CircleCI cloud. Runner allows you to run the job on your own infrastructure, which removes the need to set up complicated tunnels. Runners do need to be maintained, so be sure to take that into account when considering implementing them.

4) IP Ranges

Jobs that need access to internal resources, but don't need to lock the connection down to a tunnel, can take advantage of IP Ranges, which restricts the traffic from CircleCI to a well-defined list of IPs.
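The four opportunities above combined in a single `.circleci/config.yml`, as an added example that is not from the original page or from CircleCI's own documentation. The Docker image, the `ROLE_ARN` variable, the runner resource class, the test script path and the context name are assumed placeholders; `CIRCLE_OIDC_TOKEN` and `circleci_ip_ranges` are CircleCI's own names.

```yaml
version: 2.1

jobs:
  # 1) OIDC: exchange the job's short-lived OIDC token for temporary AWS
  # credentials instead of storing long-lived AWS keys in the project.
  deploy:
    docker:
      - image: cimg/aws:2023.09   # assumed image; any image with the AWS CLI works
    # 4) IP Ranges: egress from this job comes only from CircleCI's published
    # ranges, so the internal firewall can allow-list those instead of the internet.
    circleci_ip_ranges: true
    steps:
      - checkout
      - run:
          name: Assume role with the OIDC token
          command: |
            # CIRCLE_OIDC_TOKEN is injected by CircleCI. ROLE_ARN is a placeholder
            # stored in the attached context. 900 seconds is the minimum STS allows.
            creds=$(aws sts assume-role-with-web-identity \
              --role-arn "$ROLE_ARN" \
              --role-session-name "circleci-${CIRCLE_WORKFLOW_ID}" \
              --web-identity-token "$CIRCLE_OIDC_TOKEN" \
              --duration-seconds 900 \
              --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
              --output text)
            read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$creds"
            export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
            aws sts get-caller-identity   # confirms the assumed role; prints no secrets

  # 3) Runner: this job executes on your own infrastructure, so it reaches
  # internal resources directly without a tunnel.
  integration-tests:
    machine: true
    resource_class: example-org/internal-runner   # assumed runner resource class
    steps:
      - checkout
      - run: ./scripts/run-integration-tests.sh     # assumed script

workflows:
  build-and-deploy:
    jobs:
      - integration-tests
      - deploy:
          requires: [integration-tests]
          # 2) Contexts: the context holds ROLE_ARN, and attaching it is what makes
          # CircleCI issue CIRCLE_OIDC_TOKEN to the job. Restrict the context to a
          # security group so only authorized users can trigger this deploy.
          context: aws-deploy-prod   # assumed context name
```

On the AWS side, the role's trust policy must allow CircleCI's OIDC provider and can pin the `sub` claim to this project so the token cannot be used from other projects.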
