Inside a Config File: Config Security Opportunities

1) OIDC

OIDC tokens are available in any job and is a great way to replace static credentials used to connect with cloud services. For example, a Vault instance in AWS. Static credentials are not only a security issue, they can also add to the difficulty of managing CI as a whole since you need to have a rotation policy in place.

OIDC is also available for custom images, stored in ECR, that are used as a job’s executor.

2) Contexts

Contexts are used to help manage secrets within CircleCI. By default, they are available for anyone with access to run a pipeline to use. Github projects can restrict contexts to a security group, allowing for more granular access levels.

3) Runner

Jobs that need to access internal resources may be hard to manage on CircleCI cloud. Runner allows you to run the job on your own infrastructure which removes the need to setup complicated tunnels. Runners do need to be maintained so be sure to take that into account when considering implementing them.

4) IP Ranges

Jobs that need access to internal resources, but don’t need to lock down the connection to a tunnel, can take advantage of IP Ranges which restricts the traffic from CircleCI to a well defined list of IPs.

5) Config Policies

Config policies are a powerful tool available on scale plans that can be used to limit what can done in a configuration. This allows you to make project or org-wide limitations on what kind of configs will run, helping to secure your pipelines from malicious configuration modifications.

Next Step: Inside the Config: Reusable Config

Was this article helpful?
1 out of 1 found this helpful

Comments

0 comments

Article is closed for comments.