Attempt to replace any static credentials used in CircleCI for connection to cloud environments with authentication using OIDC tokens. This is not available for all tools so some credentials may need to remain. A rotation policy should be created for those remaining credentials.
A common and secure alternative to having static credentials in CircleCI is storing them in a secrets manager, like Vault or AWS Secrets Manager. OIDC can be used to authenticate with the secrets manager tool and pull secrets into the job.
For github orgs, ensure contexts are restricted to applicable security groups. If possible, migrate important secrets to a secrets manager and use OIDC to pull those secrets into jobs.
Next Step: Outside the Config: Storage Usage
Previous Step: Outside the Config: Security Settings
📑 Table of Contents
- Configuration Review Preparation
- Review Each Job for Improvement Opportunities
- Review Each Workflow for Improvement Opportunities
- High Level Improvement Opportunities
- Finalize Review