This site may contain outdated or incomplete information.
Secrets leak and other sensitive information due to a bug in Travis CI
Travis CI is a popular continuous integration (CI) and build service, originally forked from the Jenkins project, and later spun-off as a paid service. On September 23rd, 2021, they reported [1] that users and customers of their service, who had sensitive information in public repositories, and of which these were forked, had leaked these secrets in the build infrastructure logs were the CI service was ran.
Impact
- All public repositories that observed forks during the period of September 3rd and September 10th 2021
- Any environment variables that were used as protected secrets in the project’s configuration were leaked and available to CI runs in publicly forked repositories.
Remediation
- Travis CI notified users and customers to rotate their keys and secrets
Type of Compromise
Dev Tooling
References
- Travis CI Security Bulletin,
<https://travis-ci.community/t/security-bulletin/12081>.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.