Secure circle.yml file


Is there any we can secure the circle.yml file ? As of now, we would like to use circleci to auto deploy our build to the production servers. However, it seems that any developper can modify the circle.yml file (via a branch), build a malicious version and release that version to production.



If you set up deployments from ‘production’ branch, say, then you can enable GitHub branch permissions:

Presumably whoever has permissions to push to the production branch has reviewed the changes going into it.

Does that help?


I am facing the same issue with security.

Correct me if I’m wrong, protected branches still don’t protect deployments to production servers. The malicious user can configure circle.yml on their branch to deploy the branch version to the production server. This is possible because environment variables associated with securing the production servers are available to all branches being built.

The only way to get around it seems to be with forks, but that takes away the flexibility of developing using branches.

Is there any other solution to this?

1 Like

Psykeron is right.

What I would like to do is tell circleci to use the circle.yml file of, say the master branch. That way, I can protect master branch and I won’t have to worry about other branches that will modify the circle.yml. This seems like a reasonable feature to me.

Another approach to this problem might be to expose the “project settings” environment variables only to builds that occur on a specific branch. This would be similar to how circle redacts the environment variables in fork builds.

Combined with branch protection in GitHub (or another git-level access control mechanism, not related to circle), this seems like it would make things fairly secure.

The ability to have branch-specific environment variables would be a good solution to securing the parts of the circleci process. Global environment variables that can be accessed to keep the build process going for all the feature branches, and branch specific environment variables to protect the deployment sections. And if devs want to use insecure deploy servers, they can just bake their temp credentials into the feature branch’s circle.yml.

I’m not sure I get it. Where can you specify environment variable to specific branch ? Is it in the project settings of circleci ? I would really appreciate a practical example of this because right now, I don’t see how you can set an environment variable only to a specific branch.

I also don’t get how this is more secure. You can always set an environment variable in a circle.yml (in the machine header).


1 Like

Can anyone at circleci tell me how to secure the circle.yml ? There are simple feature request to solve this issue in the other comment. Actually, it is risky to use circleci for deployment when you’re in a big organization.

Please, advise.

1 Like

We’ve ran into this same issue in TSLint development. We want to add collaborators to our open-source project, but we don’t want them to be able to publish releases or access our NPM-publishing credentials (currently stored as an env var in Circle). I believe something like a branch-specific env var might solve our issue as suggested by @psykeron,


We’re also running into difficulty here. You can build as much protection against accidentally deploying to production on circle ci, but you can hardly protect yourself from a malicious developer with write access to any branch. Has anything been done to address this?

1 Like