I don't have a ton of projects using CircleCI, but found https://github.com/CircleCI-Public/CircleCI-Env-Inspector to report where secrets live.
The README is currently weak, but https://github.com/CircleCI-Public/CircleCI-Env-Inspector/issues/6.
For those who do have a ton of projects, like my workplace (589 repos!), here is a little #babashka thing to rotate all of your CircleCI deploy SSH keys in GitHub: https://gist.github.com/lispyclouds/7752a72f388ad5136f3a1d3843ceb9e8. Hopefully this is helpful to someone! 😄
@rahul080327 some of us had guessed that, if the GitHub deploy keys were read-only, maybe we could not bother rotating them. Thoughts?
Well, it's fine for OSS repos, I think. Kind of a big deal for proprietary things like company code. Attackers can clone stuff.
Right! Thanks!