An interactive CLI tool for fetching all of your secrets from CircleCI.
You will need to first obtain a CircleCI Personal Access token from https://app.circleci.com/settings/user/tokens
- Note: This token must have access to the projects you want to inspect. Consider using an org admin account's token.
- Run the container.
docker run --name circleci-env-inspector -it circlecipublic/cci-env-inspector
- Follow the prompts and select which accounts you want to inspect.
- Copy the generated report from the container.
docker cp circleci-env-inspector:/project/circleci-data.json circleci-data.json
It is recommended to use Node version 18.10.
- Clone this repo
- Run
npm install
- Run
npm start
- Follow the prompts and select which accounts you want to inspect.
- Clone this repo
- Run
run.sh
from the root of the repo
- Follow the prompts and select which accounts you want to inspect.
{
  user: {
    name: 'The authenticated user',
    login: 'my-user',
    id: 'xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx',
  },
  accounts: [
    {
      name: 'Account Name',
      id: 'xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx',
      vcstype: 'github',
      contexts: [
        {
          name: 'my-context',
          id: 'xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx',
          created_at: '2023-01-30T03:13:05.765Z',
          url: 'https://circleci.com/<slug>/contexts/my-context-id',
          variables: [
            {
              variable: 'MY_SECRET',
              updated_at: '2023-01-30T03:13:05.765Z',
              context_id: 'xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx',
              created_at: '2023-01-30T03:13:05.765Z',
            }
          ]
        }
      ],
    }
  ],
  projects: [
    {
      id: 'xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx',
      name: 'my-project',
      slug: 'vcs/my-org/my-project',
      variables: [{
        name: 'MY_SECRET',
        value: 'xxxxABC',
      }],
      keys: [
        {
          type: 'deploy-key | github-user-key',
          preferred: true,
          created_at: '2023-01-30T03:13:05.765Z',
          public_key: 'XXX',
          fingerprint: 'XXX',
        }
      ],
      legacyAWSKeys: {
        access_key_id: 'xxx',
        secret_access_key: 'xxx',
      }
    }
  ]
}
jq '.["projects"] | map(select(has("legacyAWSKeys")) | .slug)' circleci-data.json
Returns:
[
"vcs/my-org/my-project"
]
(We may build this ability into this tool in the future.)
jq '.["accounts"][] | .contexts | map(select(.variables[].updated_at >= (now - 30*24*60*60 | strftime("%Y-%m-%dT%H:%M:%SZ")))) | .[].url' circleci-data.json
Returns:
"https://circleci.com/<vcs>/<project>/contexts/<id>"
"https://circleci.com/<vcs>/<project>/contexts/<id>"
jq '.["projects"] | map(select(.variables[].name | contains("AWS"))) | .[].slug' circleci-data.json
Returns:
[
"vcs/my-org/my-project"
]
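The jq queries above each answer one question about the report. As an added example (not part of this project's code), the Node script below goes a step further and builds a single rotation worklist: every secret in a report of the shape shown above that has no evidence of being changed on or after a cutoff date. The function name `rotationWorklist`, the output fields and the sample report are assumptions made for this example.

```javascript
// Added example: builds a rotation worklist from a report shaped like the
// sample output above. The report below is constructed sample data.
const sampleReport = {
  accounts: [{
    name: 'Account Name',
    contexts: [{
      name: 'my-context',
      url: 'https://circleci.com/<slug>/contexts/my-context-id',
      variables: [
        { variable: 'OLD_SECRET', updated_at: '2022-11-02T10:00:00.000Z' },
        { variable: 'NEW_SECRET', updated_at: '2023-01-30T03:13:05.765Z' },
      ],
    }],
  }],
  projects: [{
    slug: 'vcs/my-org/my-project',
    variables: [{ name: 'MY_SECRET', value: 'xxxxABC' }],
    keys: [{ type: 'deploy-key', created_at: '2022-06-01T00:00:00.000Z', fingerprint: 'XXX' }],
    legacyAWSKeys: { access_key_id: 'xxx', secret_access_key: 'xxx' },
  }],
};

// Returns one entry per secret with no evidence of rotation at or after `cutoff` (ISO 8601).
function rotationWorklist(report, cutoff) {
  const cutoffMs = Date.parse(cutoff);
  if (Number.isNaN(cutoffMs)) throw new Error(`invalid cutoff: ${cutoff}`);
  const stale = (ts) => !ts || Number.isNaN(Date.parse(ts)) || Date.parse(ts) < cutoffMs;
  const items = [];
  for (const account of report.accounts ?? []) {
    for (const ctx of account.contexts ?? []) {
      for (const v of ctx.variables ?? []) {
        if (stale(v.updated_at)) items.push({ kind: 'context-variable', where: ctx.url ?? ctx.name, name: v.variable, since: v.updated_at ?? null });
      }
    }
  }
  for (const p of report.projects ?? []) {
    // Project variables carry no timestamp in the sample output, so their age is unknown: always list them.
    for (const v of p.variables ?? []) items.push({ kind: 'project-variable', where: p.slug, name: v.name, since: null });
    for (const k of p.keys ?? []) {
      if (stale(k.created_at)) items.push({ kind: k.type, where: p.slug, name: k.fingerprint, since: k.created_at ?? null });
    }
    if (p.legacyAWSKeys) items.push({ kind: 'legacy-aws-keys', where: p.slug, name: p.legacyAWSKeys.access_key_id, since: null });
  }
  return items;
}

console.log(rotationWorklist(sampleReport, '2023-01-01T00:00:00Z'));
```

To run it against a real report, replace `sampleReport` with the parsed contents of `circleci-data.json`.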
A: No. This tool will only return the names of the secrets and as much information as can be provided by the CircleCI APIs. CircleCI does not return the values of secrets through their APIs. The information from this tool is for auditing and key rotation purposes.
A: When running this tool with your personal access token, it will probe all accounts and projects that you currently have an affiliation with. The errors are likely expected and inform you that you may not have access in the case of a 403, or that the project or account no longer exists in the case of a 404. If you are seeing a 403 error, it may still be possible that you had access to the project at one point in the past.
This tool is useful for auditing your personal access. To fully audit an organization, you will need to use an org admin account's token.
A: Yes. Please open an issue or PR!
A: Making many connections over a long period of time can lead to network errors and rate limiting. If you want to intentionally slow down the rate of fetching projects, you can set the CCI_ENV_INSPECTOR_DELAY environment variable to the number of milliseconds to wait between each request. The default is 0ms. If you experience any issues, try setting this between 200ms and 1000ms.