Buildkite Agent Token

Bridgecrew Policy ID: BC_GIT_28
Chekov Check ID: CKV_SECRET_28
Severity: LOW

Buildkite Agent Token

Description

The Buildkite Agent requires an agent token to connect to Buildkite and register for work. If you are an admin of your Buildkite organization, you can view the tokens on your Agents page. When you create a new organization in Buildkite, a default agent token is created. This token can be used for testing and development, but it's recommended to create new, specific tokens for each new environment.

Fix - Git

Tokens can be revoked using the GraphQL API with the agentTokenRevoke mutation.

You need to pass your agent token as the ID in the mutation. You can get the token from your Buildkite dashboard, in Agents > Reveal Agent Token, or you can retrieve a list of agent token IDs using this query:

query GetAgentTokenID {
  organization(slug: "organization-slug") {
    agentTokens(first:50) {
      edges {
        node {
          id
          uuid
          description
        }
      }
    }
  }
}

Then, using the token ID, revoke the agent token:

mutation {
  agentTokenRevoke(input: {
    id: "token-id",
    reason: "A reason"
  }) {
    agentToken {
      description
      revokedAt
      revokedReason
    }
  }
}

Did this page help you?