CircleCI Security

Context management, secret rotation, OIDC authentication, and pipeline hardening

Details

Language / Topic: CircleCI
Category: Security

Rules (balanced)

- Use contexts to group and manage secrets — never store sensitive values as plaintext in config.yml
- Restrict context access with security groups, expression restrictions, or project-based restrictions
- Use OIDC tokens (OpenID Connect) for cloud provider authentication instead of storing long-lived AWS/GCP/Azure credentials
- Rotate secrets regularly and use environment-scoped variables to limit the blast radius of a compromised credential
- Enable secrets masking to prevent environment variables from appearing in job output logs
- Use contexts for all secrets — group related credentials (aws-prod, gcp-staging) and assign them to specific workflow jobs via the context: key
- Restrict context access: use security groups (VCS teams), expression restrictions (branch-based), or project-based restrictions to limit which jobs can use a context
- Use OIDC tokens for cloud authentication: configure CircleCI as an identity provider in AWS/GCP/Azure and exchange the job's $CIRCLE_OIDC_TOKEN for short-lived cloud credentials inside the job
- Never hardcode secrets in config.yml — use project-level or context-level environment variables set through the CircleCI UI or API
- Rotate secrets on a regular schedule — especially after team member departures or security incidents
- Enable secrets masking: CircleCI automatically masks environment variables in logs when set via Contexts or Project Settings
- Use environment-scoped contexts: separate prod-deploy-context from staging-deploy-context to isolate credential access
- Scope secrets to minimal permissions: CI service accounts should have only the permissions the pipeline actually needs
- Use config policies (Open Policy Agent) to enforce organizational rules: require contexts on deploy jobs, block certain orb versions
- Audit context usage regularly through CircleCI audit logs to track which pipelines access which secrets
- Validate OIDC token claims (oidc.circleci.com/vcs-origin) in cloud provider trust policies to prevent forked builds from accessing production resources
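As an added example (not taken from the page or from CircleCI's own documentation), the config.yml below applies several of the rules above in one workflow: the deploy job gets its variables only from a context bound to that job, the workflow deploys only from main, and the job exchanges $CIRCLE_OIDC_TOKEN for 15-minute AWS credentials instead of storing an access key. The context name aws-prod, the AWS_ROLE_ARN variable, the deploy script, and the IAM role itself are assumptions; the role's trust policy is assumed to check the token's aud and sub claims so that a token minted for another org, project or fork cannot assume it.

```yaml
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: make test
  deploy:
    docker:
      - image: cimg/python:3.12
    steps:
      - checkout
      - run: pip install --quiet awscli
      - run:
          name: Exchange the job's OIDC token for 15-minute AWS credentials
          command: |
            # CircleCI injects $CIRCLE_OIDC_TOKEN only into jobs that run with a context.
            # AWS_ROLE_ARN is an assumed context variable; it is an identifier, not a secret.
            creds=$(aws sts assume-role-with-web-identity \
              --role-arn "$AWS_ROLE_ARN" \
              --role-session-name "circleci-${CIRCLE_WORKFLOW_ID}" \
              --web-identity-token "$CIRCLE_OIDC_TOKEN" \
              --duration-seconds 900 \
              --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
              --output text)
            set -- $creds
            # Hand the temporary credentials to later steps via $BASH_ENV; nothing
            # long-lived is stored, so there is no static key to rotate or leak.
            {
              echo "export AWS_ACCESS_KEY_ID=$1"
              echo "export AWS_SECRET_ACCESS_KEY=$2"
              echo "export AWS_SESSION_TOKEN=$3"
            } >> "$BASH_ENV"
      - run:
          name: Deploy with the assumed role
          command: ./scripts/deploy.sh   # assumed project script; uses the env above
workflows:
  build-and-deploy:
    jobs:
      - build
      - deploy:
          requires: [build]
          context: aws-prod   # assumed context; holds AWS_ROLE_ARN, no static keys
          filters:
            branches:
              only: main      # deploy credentials never reach feature branches
```

Because the run step fails if the STS call returns nothing, a token the trust policy rejects (wrong project, wrong audience, forked build) stops the job before any deploy step executes, and the CircleCI audit log shows which pipeline used the aws-prod context.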