Cloudsmith's response to CircleCI security incident
CircleCI, a Continuous Integration/Continuous Delivery service, disclosed on Wednesday that they were investigating a security incident that impacted their platform and customers. CircleCI included in the disclosure recommended actions all customers should take in response to the incident.
Cloudsmith uses CircleCI as an orchestrator for our build and deployment processes, and when we became aware of the incident, we immediately followed the recommended set of actions.
Cloudsmith already has a policy to ensure secrets are rotated regularly. However, directly after the disclosure of the CircleCI incident, we rotated every secret held within the secure contexts of our pipelines. All access tokens, OAuth tokens, SSH keys, and PGP keys contained within these contexts were rotated.
As an additional measure, we have reviewed the audit logs within CircleCI, our SCM service, and our internal services to verify that no unauthorized access attempts were made at any time. This review has also been cross-referenced against our observability platforms.
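The rotation step above ("every secret held within the secure contexts of our pipelines") is only verifiable if you can show that each context variable was re-stored after the rotation began. The following is an added example, not Cloudsmith's own tooling: it runs a post-rotation check over a constructed set of CircleCI context variables and flags any secret whose last update predates a cutoff. The record shape (`variable`, `updated_at`, grouped by context name), the cutoff value and all names are assumptions for illustration; in practice the records would be fetched per context with a read-only API token.

```python
"""Post-incident check: every secret in every CI context must have been
re-stored after the rotation cutoff. Added example; not Cloudsmith's code."""
from datetime import datetime, timezone

# Constructed placeholder cutoff: the moment the rotation started.
ROTATION_CUTOFF = datetime(2023, 1, 5, 0, 0, tzinfo=timezone.utc)

# Constructed sample records. The field names are an assumption about the
# shape of a CircleCI context environment-variable listing, not taken from
# the page; all values are invented.
SAMPLE_CONTEXT_VARS = {
    "deploy-prod": [
        {"variable": "AWS_SECRET_ACCESS_KEY", "updated_at": "2023-01-05T09:12:00Z"},
        {"variable": "PGP_SIGNING_KEY", "updated_at": "2022-11-02T15:30:00Z"},  # stale
    ],
    "release-tools": [
        {"variable": "GITHUB_OAUTH_TOKEN", "updated_at": "2023-01-05T10:01:44Z"},
        {"variable": "SSH_DEPLOY_KEY", "updated_at": "2023-01-04T22:45:10Z"},  # stale
    ],
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp into an aware UTC datetime.

    The trailing 'Z' is rewritten so the parse also works on Python < 3.11.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def stale_secrets(context_vars, cutoff):
    """Return (context, variable) pairs whose last update predates the cutoff.

    An empty list is the evidence a complete rotation should produce: no
    secret in any context still carries a pre-incident value.
    """
    stale = []
    for context_name, variables in sorted(context_vars.items()):
        for var in variables:
            if parse_ts(var["updated_at"]) < cutoff:
                stale.append((context_name, var["variable"]))
    return stale


def rotation_report(context_vars, cutoff) -> str:
    """Human-readable summary suitable for attaching to an incident ticket."""
    stale = stale_secrets(context_vars, cutoff)
    total = sum(len(v) for v in context_vars.values())
    if not stale:
        return f"OK: all {total} context secrets updated after {cutoff.isoformat()}"
    lines = [f"FAIL: {len(stale)} of {total} context secrets not rotated since {cutoff.isoformat()}"]
    lines += [f"  - {ctx}/{name}" for ctx, name in stale]
    return "\n".join(lines)


if __name__ == "__main__":
    print(rotation_report(SAMPLE_CONTEXT_VARS, ROTATION_CUTOFF))
```

The check deliberately compares `updated_at` rather than `created_at`: a variable created long before the incident is fine as long as its value was re-stored after the cutoff, and a variable that was only created after the cutoff passes for the same reason. Pair the output with the audit-log review described above, which confirms that the re-store events themselves were performed by expected actors.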