Application developers using the CircleCI continuous integration platform are being urged to rotate all secrets — including passwords, API keys, and digital certificates — stored in the system, after the discovery of an unspecified security incident.
In a blog Wednesday, company chief technology officer (CTO) Rob Zuber said this includes secrets stored in project environment variables or in contexts.
The company also recommends users review internal logs for their systems for any unauthorized access starting from December 21, 2022, or upon completion of their secrets rotation.
If a project uses Project API tokens, they have been invalidated by CircleCI and will have to be replaced.
In response to a question on the company’s discussion forum, a staffer said rotation includes SSH keys, Jira and Slack integration tokens and webhook secrets.
“We apologize for any disruption to your work,” Zuber added. “We take the security of our systems and our customers’ systems extremely seriously. While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.
“At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.”
The San Francisco-based company says over one million DevOps software engineers use CircleCI and its automation engine to create applications for multiple environments, including Docker.
In November, it joined the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances. CircleCI counts Cisco, Peloton, and HashiCorp among its customers.