Seven Years Later, Travis CI Is Still Insecure
Seriously, why are you still using Travis CI? Yeah, I know it was one of the first hosted Continuous Integration (CI) services. That was then. This is now. Its logs leaked secrets in 2015, again in 2019, again in 2021, and now, yes, now, Travis CI logs have been found exposing the developers who use it to attack one more time.
What is wrong with you people!?
Yes, Travis CI gets the lion’s share of the blame. In its research, Aqua Security found that the Travis CI Application Programming Interface (API) still hands out historical build logs in clear text, and those logs are where the tokens live. Across an estimated 770 million logs belonging to free-tier users, it’s child’s play to copy and paste tens of thousands of tokens, secrets, and other credentials for GitHub, Amazon Web Services (AWS), and Docker Hub accounts.
Do I need to spell this out for you? Armed with this sensitive data, attackers can launch large-scale attacks and move laterally across cloud accounts.
Vulnerability by Design
Do you know what’s really annoying about all this? The root vulnerability is by design.
I quote from the documentation: “When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment and carries out a series of tasks to build and test your code.” Now, that’s not so bad. But every secret your build needs goes into that environment too, and whatever the build prints about them goes into a log that Travis CI keeps. That’s not cool.
Aqua told Travis CI that the problem is still there. Travis CI’s reply, essentially, was that they still don’t care. The behavior is “by design.”
Right. OK, then.
Travis CI has taken some steps. It has introduced adaptive rate limiting on the API to make brute-force harvesting of logs slower, and it masks secrets and tokens in log output. But as Aqua points out, it’s not enough.
Aqua recommends you change your secrets immediately. I recommend you look elsewhere for your CI services.
Leaving aside that you shouldn’t have secrets in your code or your build logs in the first place, the sad truth is they often are in there, and Travis CI makes it all too easy to get at them.
The cloud providers and developer sites are taking it more seriously. Some have initiated key rotations for affected users. It’s not enough, but it’s better than nothing.
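How does a secret that was only ever an environment variable end up in a log that anyone with API access can read? Usually the build prints it itself. The script below is an added example, not code from the article or from Travis CI: it runs a build step the careless way, with shell tracing left on while the token is used on a command line, and then the same step with tracing off around the sensitive part and the token passed through a file instead. The GITHUB_TOKEN value is constructed in the ghp_ format and is not a real token; the printf and wc calls stand in for the curl call a real step would make.

```shell
#!/bin/sh
# Added example (not from the article or from Travis CI): how a secret handed to a
# build as an environment variable lands in the retained build log, and the minimal fix.

# Constructed fake token in GitHub's classic PAT format (ghp_ + 36 characters). Not real.
export GITHUB_TOKEN='ghp_0123456789abcdefghijklmnopqrstuvwxyz'

# Careless build step: shell tracing is on while the secret is expanded on a command line.
# Everything 'set -x' writes to stderr is captured by the CI runner and kept as log output,
# which is exactly the material that can later be pulled back out through a log API.
leaky_step() {
    (
        set -x
        printf 'Authorization: token %s\n' "$GITHUB_TOKEN" >/dev/null   # stand-in for a curl call
    ) 2>&1
}

# Hardened step: tracing is switched off while the secret is in play, the secret is written
# to a mode-0600 file, and the consumer reads the file (the curl --config / --netrc-file
# pattern), so no traced command line ever contains the token.
safe_step() {
    (
        set -x
        { set +x; } 2>/dev/null          # turn tracing off without logging the 'set +x' itself
        cfg=$(mktemp)
        chmod 600 "$cfg"
        printf 'header = "Authorization: token %s"\n' "$GITHUB_TOKEN" >"$cfg"
        set -x                           # tracing back on; the secret is no longer on any command line
        wc -c <"$cfg" >/dev/null         # stand-in for: curl --config "$cfg" https://api.github.com/user
        rm -f "$cfg"
    ) 2>&1
}

# Show both logs side by side when run directly.
echo '--- leaky step, as it would appear in the build log ---'
leaky_step
echo '--- hardened step ---'
safe_step
```

The leaky variant writes the full token into the trace output; the hardened variant still produces a trace for every non-sensitive command, so you keep the debugging value of `set -x` without paying for it in leaked credentials. Provider-side masking of known secret values is a second line of defense, not the first: it only catches the exact strings the provider knows about.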
You see, Aqua ran some experiments and found that via the Travis CI API you could dig into historical CI logs. How many logs? Potentially about 770 million.
Yeah, that’s a lot. And once you’ve extracted the secrets from them, since people tend to reuse the same secrets over and over, you can pry open current projects everywhere. (When it comes to security, we’re such idiots.) Specifically, Aqua’s researchers found secrets associated with GitHub, AWS, and Docker Hub.
With Aqua’s own open-source Trivy, it’s trivial to scan for hard-coded secrets. Trivy scans any container image, filesystem, or Git repository for exposed passwords, API keys, and tokens.
The most common of these secrets were GitHub access tokens; AWS access keys; email/username and password combinations; and Docker Hub passwords. People, people, stop putting your secrets into your code.
Aqua has its own list of suggestions of what to do to mitigate your risks and protect your CI environments:
- Establish a rotation policy for keys, tokens, and other secrets.
- Apply the least-privilege principle to keys and tokens when applicable.
- Don’t print secrets, tokens, or credentials in logs.
- Regularly scan your artifacts for secrets.
- Use a cloud security posture management (CSPM) solution that tells you when it is time to rotate keys. You can scan your account, check the rotation cadence, and verify that you have applied the least-privilege policy.
- Scan your CI/CD environment with a supply chain security solution such as Argon to find exposed secrets, tokens, and credentials and make sure that your account configuration is aligned with best practices.
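Two of those suggestions, not printing secrets in logs and regularly scanning artifacts, can be checked with very little tooling. The script below is an added example, not code from the article, from Aqua, or from Trivy: a grep-based scanner for the credential formats the article names (GitHub personal access tokens, AWS access key IDs, Docker Hub personal access tokens), run over a constructed build log, plus a redaction function of the kind you would run on a log before it leaves the runner. The log lines and every token value in them are made up for the example; the token prefixes (`ghp_`, `github_pat_`, `AKIA`/`ASIA`, `dckr_pat_`) are the real public formats, and `AKIAIOSFODNN7EXAMPLE` is AWS’s own documented placeholder key.

```shell
#!/bin/sh
# Added example (not from the article, Aqua, or Trivy): a minimal pattern-based secret
# scanner and redactor for CI build logs, exercised on a constructed sample log.

# Constructed sample in the shape of a CI build log. Every credential value is fake.
SAMPLE_LOG=$(cat <<'EOF'
$ git clone https://github.com/example/app.git
$ export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
$ aws s3 cp build.tgz s3://example-bucket/ --profile ci
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ docker login -u ci-bot -p dckr_pat_abcdefghijklmnopqrstuvwxyz
$ make test
All 42 tests passed
EOF
)

# Extended regex for the credential formats named in the article that carry a fixed prefix:
#   ghp_ + 36 chars            GitHub classic personal access token
#   github_pat_ + ...          GitHub fine-grained personal access token
#   AKIA/ASIA + 16 chars       AWS access key ID (long-term / temporary)
#   dckr_pat_ + ...            Docker Hub personal access token
SECRET_RE='ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}|(AKIA|ASIA)[A-Z0-9]{16}|dckr_pat_[A-Za-z0-9_-]{20,}'

# Print each credential-looking token found on stdin, one per line.
find_secrets() {
    grep -Eo "$SECRET_RE"
}

# Replace each token on stdin with a marker, leaving the rest of the log intact.
redact_secrets() {
    sed -E "s/$SECRET_RE/[REDACTED]/g"
}

# Number of credential-looking tokens in the sample log (used as a gate in a pipeline:
# a non-zero count means the log must not be uploaded as-is).
count_secrets() {
    printf '%s\n' "$SAMPLE_LOG" | find_secrets | wc -l | tr -d ' '
}

# Redacted copy of the sample log, safe to hand to a log store.
redacted_log() {
    printf '%s\n' "$SAMPLE_LOG" | redact_secrets
}

# When run directly: report what was found, then show the scrubbed log.
echo "credential-looking tokens found: $(count_secrets)"
printf '%s\n' "$SAMPLE_LOG" | find_secrets
echo '--- redacted log ---'
redacted_log
```

The catch, and the reason rotation stays on the list no matter how good your scanner is: this only finds credentials with a recognizable prefix. AWS secret access keys are 40 characters with no marker, and the email/username and password combinations the article mentions look like any other string, so a pattern scanner sails past them. Tools like Trivy add context and entropy heuristics to narrow that gap, but nothing closes it; treat a leaked log as a compromise of everything the build could see, and rotate.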
I’ve been harsh on Travis CI. But you know what, we all need to be a lot better about our security practices. If you didn’t put high-value secrets in your code, no one would care about your logs. If we all work at it, using Aqua’s suggestions as a good starting point, we’ll all have much more secure code.