circleci

lread 2023-01-06T20:36:16.100599Z

I don't have a ton of projects using CircleCI, but found https://github.com/CircleCI-Public/CircleCI-Env-Inspector to report where secrets live.

lread 2023-01-06T20:37:15.841789Z

README currently is weak, but https://github.com/CircleCI-Public/CircleCI-Env-Inspector/issues/6.

lispyclouds 2023-01-07T08:29:42.655809Z

For those who do have a ton of projects, like my workplace (589 repos!), here is a little #babashka thing to rotate all of your CircleCI deploy SSH keys in GitHub: https://gist.github.com/lispyclouds/7752a72f388ad5136f3a1d3843ceb9e8. Hopefully this is helpful to someone! 😄

🆒 1
🎉 2
lispyclouds 2023-01-07T08:31:12.085239Z

@borkdude might be interested in this? 😛

👍 1
lread 2023-01-07T14:43:50.336549Z

@rahul080327 some of us had guessed that, if the GitHub deploy keys were read-only, maybe we could not bother rotating them. Thoughts?

lispyclouds 2023-01-07T15:26:25.572439Z

Well, it's fine for OSS repos, I think. Kinda big deal for proprietary things like company code. Attackers can clone stuff.

lread 2023-01-07T16:05:04.186119Z

Right! Thanks!