DroneCI Token
Bridgecrew Policy ID: BC_GIT_37
Checkov Check ID: CKV_SECRET_37
Severity: LOW
Description
Drone's remote API uses access tokens to authorize requests. You can retrieve an access token in the Drone user interface by navigating to your user profile. Requests to the API are authorized through the HTTP Authorization header, with your token supplied as the bearer token value.
If your repository is private or requires authentication to clone, Drone injects the credentials into your pipeline environment. Drone uses the OAuth2 token associated with the repository owner as the clone credentials.
Fix - Buildtime
DroneCI
Step 1: Revoke the token
- On the DroneCI page, click on your avatar, then Account
- Click on Security
- In the API Tokens section, find the compromised token
- Click on Delete
Step 2: Monitor for abuse
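To confirm that Step 1 took effect, the check below (an added example, not part of the original page or of Drone's or Checkov's code) sends the token as the bearer value to the Drone API's GET /api/user endpoint and reports whether the server still accepts it. It assumes the server answers 401 for a token it no longer accepts; `token_status` is a hypothetical helper name, and `DRONE_SERVER` and `DRONE_TOKEN` are the environment variables the sample `main()` reads.

```python
import os
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the bearer token is never replayed to another URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def token_status(server: str, token: str, timeout: float = 10.0) -> str:
    """Return 'active', 'revoked' or 'unknown' for a Drone API token."""
    req = urllib.request.Request(
        server.rstrip("/") + "/api/user",  # returns the authenticated user
        headers={"Authorization": "Bearer " + token},
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return "active" if resp.status == 200 else "unknown"
    except urllib.error.HTTPError as err:
        # Assumption: the server answers 401 for a token it no longer accepts.
        return "revoked" if err.code == 401 else "unknown"
    except (urllib.error.URLError, OSError):
        # An unreachable server says nothing about the token; do not treat
        # a network failure as proof of revocation.
        return "unknown"


def main() -> int:
    # Read the token from the environment rather than the command line,
    # and never print it.
    server = os.environ.get("DRONE_SERVER")
    token = os.environ.get("DRONE_TOKEN")
    if not server or not token:
        print("set DRONE_SERVER and DRONE_TOKEN", file=sys.stderr)
        return 2
    status = token_status(server, token)
    print(f"token status: {status}")
    return 0 if status == "revoked" else 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit code means the token is still accepted or the result could not be determined, so the script can gate an incident checklist or CI job.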