SC-CRED-HYGIENE-CICDSEC6-2023
CI/CD · Insufficient CI credential hygiene
Summary
Insufficient credential hygiene is the class in which long-lived, broadly scoped secrets such as cloud access keys, registry tokens and signing keys are stored as static CI variables, so any pipeline compromise (poisoned pipeline execution, an over-permissive OIDC trust relationship, or a poisoned build cache) yields durable, high-blast-radius credentials. The root mechanism is that static secrets do not expire, are often shared across projects and grant standing access far beyond a single build: theft of the CI platform's secret store, or of a single workflow's environment, converts a transient foothold into persistent access to production cloud and registry accounts.

The CircleCI breach of January 2023 is the canonical illustration. Malware on an engineer's laptop stole a valid SSO session that had already passed 2FA, which let the attackers exfiltrate customers' environment variables, API tokens and SSH keys; CircleCI invalidated project and personal API tokens and instructed every customer to rotate all stored secrets, a platform-wide rotation that showed the systemic cost of depending on static credentials.

OWASP catalogues this class as CICD-SEC-6 (Insufficient Credential Hygiene) and recommends short-lived OIDC-federated tokens and least privilege as the structural fix.
How to avoid it in your code
- Replace static cloud/registry secrets with short-lived OIDC-federated tokens requested per workflow run, so nothing durable is stored in the CI secret store at all.
- Apply least privilege and condition-bind each federated role to a single repository, environment and workflow identity through the token's audience and subject claims; a wildcard on the subject trusts every repository and branch that matches it.
- Rotate any remaining static secrets on a schedule and immediately on suspected platform compromise.
- Scan code, logs, and history for hardcoded secrets; block plaintext secrets in pipeline output.
- Inventory and revoke stale, unused, or over-shared credentials across the CI/CD estate.
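As an added example (not CircleCI's, OWASP's or AWS's code), the following Python models the check a cloud identity provider performs when a pipeline exchanges its OIDC token for short-lived credentials, so the difference between a loosely and a tightly condition-bound trust policy (the first two items above) can be seen on constructed tokens. The claim layout follows GitHub Actions' documented OIDC token (`sub` of the form `repo:OWNER/REPO:environment:NAME`, `repo:OWNER/REPO:ref:refs/heads/BRANCH` or `repo:OWNER/REPO:pull_request`; issuer `https://token.actions.githubusercontent.com`; audience `sts.amazonaws.com` for AWS). The policy format and the `StringEquals`/`StringLike` evaluation are a simplified re-implementation of the IAM trust-policy Condition block, not the real engine; the organisation, repository and environment names, the token lifetime and the fixed clock are constructed for the example.

```python
"""Evaluate a CI OIDC token's claims against an IAM-style trust policy.

Added example for this entry (not CircleCI, OWASP or AWS code). It models the
check a cloud IAM service performs when a pipeline exchanges its OIDC token for
short-lived credentials, so the effect of a loose vs. a tightly condition-bound
trust policy can be seen on constructed tokens. The StringEquals/StringLike
evaluation is a simplified re-implementation and an assumption of this example.
"""
import re
import time
from typing import Optional

ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer
AUDIENCE = "sts.amazonaws.com"                          # audience AWS STS expects


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run, '?' one character, rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def assume_role_allowed(policy: dict, claims: dict, now: Optional[int] = None) -> bool:
    """Return True if an unexpired token from the expected issuer satisfies every condition.

    `policy` mirrors the Condition block of a role trust policy: operator -> claim -> pattern(s).
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return False
    for operator, conditions in policy.items():
        for claim, patterns in conditions.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = claims.get(claim, "")
            if operator == "StringEquals":
                if value not in patterns:
                    return False
            elif operator == "StringLike":
                if not any(_like(p, value) for p in patterns):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


# Weak: audience is pinned, but the subject wildcard trusts every repo and ref in the org.
WEAK_POLICY = {
    "StringEquals": {"aud": AUDIENCE},
    "StringLike": {"sub": "repo:acme/*"},
}

# Hardened: one repository, and only jobs that ran under its protected `production`
# environment (where required reviewers and branch restrictions are enforced).
HARDENED_POLICY = {
    "StringEquals": {"aud": AUDIENCE},
    "StringLike": {"sub": "repo:acme/payments:environment:production"},
}

NOW = 1_700_000_000  # constructed clock so the example is deterministic


def token(sub: str, aud: str = AUDIENCE, ttl: int = 300) -> dict:
    """Constructed claim set standing in for a decoded, signature-verified token."""
    return {"iss": ISSUER, "aud": aud, "sub": sub, "iat": NOW, "exp": NOW + ttl}


# Constructed tokens: the legitimate deploy and three lookalikes an attacker could obtain.
TOKENS = {
    "prod deploy":    token("repo:acme/payments:environment:production"),
    "PR job":         token("repo:acme/payments:pull_request"),          # poisoned-pipeline entry point
    "sibling repo":   token("repo:acme/sandbox:ref:refs/heads/main"),    # any other repo in the org
    "other audience": token("repo:acme/payments:environment:production", aud="api://other-tenant"),
}


def evaluate(policy: dict) -> dict:
    """Map each constructed token to the policy's decision at the fixed clock NOW."""
    return {name: assume_role_allowed(policy, claims, now=NOW) for name, claims in TOKENS.items()}


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, evaluate(pol))
```

The weak policy admits the PR-triggered job and the sibling repository because `repo:acme/*` binds only the organisation; the hardened policy admits only the job that ran under the protected `production` environment, and a token presented after its constructed five-minute lifetime is refused regardless of policy. In a real deployment these conditions live in the role's `Condition` block and the identity provider verifies the token signature before any claim is trusted.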