DroneCI Token

Bridgecrew Policy ID: BC_GIT_37
Checkov Check ID: CKV_SECRET_37
Severity: LOW

Description

The Drone remote API authorizes requests with access tokens. You can retrieve your access token in the Drone user interface by navigating to your user profile. API requests are authorized through the HTTP Authorization header, with the token supplied as the bearer value (Authorization: Bearer <token>).

If your repository is private or requires authentication to clone, Drone injects clone credentials into your pipeline environment. Drone uses the OAuth2 token associated with the repository owner as the clone credentials, so a leaked token should be treated as granting whatever access that owner has.
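The bearer authorization described above, as an added example that is not Drone's or Checkov's own code. It builds the Authorization header, sends a GET to the documented /api/user endpoint (which returns the authenticated user, so it is a side-effect-free probe), and classifies the response as live, revoked or error; the same probe confirms that a token deleted in Step 1 below is no longer accepted. The fake transport, the token values and the server name are constructed for offline use; the real opener is urllib's urlopen.

```python
"""Probe whether a Drone access token is still accepted by a Drone server.

Added example, not Drone's own code. Assumes only the documented
GET /api/user endpoint, which answers 200 for a valid bearer token and
401 for a revoked or unknown one.
"""
import json
import os
import urllib.error
import urllib.request


def auth_header(token: str) -> dict:
    """Drone authorizes API requests with the HTTP Authorization header,
    carrying the access token as the bearer value."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be a single non-empty string")
    return {"Authorization": f"Bearer {token}"}


def build_request(server: str, token: str) -> urllib.request.Request:
    """GET <server>/api/user with the bearer header."""
    url = server.rstrip("/") + "/api/user"
    return urllib.request.Request(url, headers=auth_header(token), method="GET")


def token_status(server: str, token: str, opener=urllib.request.urlopen) -> str:
    """Return 'live', 'revoked' or 'error'.

    `opener` is injectable so the probe can be exercised without network
    access; pass nothing to use urllib.request.urlopen against a real server.
    """
    req = build_request(server, token)
    try:
        with opener(req) as resp:
            body = json.loads(resp.read().decode())
            # A 200 whose body carries a login means the token still authenticates.
            return "live" if body.get("login") else "error"
    except urllib.error.HTTPError as exc:
        # 401 is the server rejecting the bearer token; anything else is noise.
        return "revoked" if exc.code == 401 else "error"
    except urllib.error.URLError:
        return "error"


# ---- constructed fake transport for offline use (not part of Drone) ----
class _FakeResponse:
    def __init__(self, payload: bytes):
        self._payload = payload

    def read(self) -> bytes:
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


VALID_TOKEN = "constructed-live-token"  # constructed value, not a real token


def fake_opener(req: urllib.request.Request):
    """Stand-in for urlopen: accepts exactly one token, rejects all others with 401."""
    if req.get_header("Authorization", "") == f"Bearer {VALID_TOKEN}":
        return _FakeResponse(json.dumps({"login": "octocat"}).encode())
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", hdrs=None, fp=None)


if __name__ == "__main__":
    # The drone CLI reads DRONE_SERVER and DRONE_TOKEN from the environment;
    # reading them the same way keeps the token out of source files.
    server = os.environ.get("DRONE_SERVER", "https://drone.example.com")  # placeholder host
    token = os.environ.get("DRONE_TOKEN", "")
    print(token_status(server, token) if token else "no DRONE_TOKEN set")
```

Run it with DRONE_SERVER and DRONE_TOKEN exported to probe a real server; a token that reports "revoked" after Step 1 is confirmed dead, while "live" means the deletion did not take effect or a different token is in use.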

Fix - Buildtime

DroneCI

Step 1: Revoke the token

  1. In the DroneCI web interface, click your avatar, then Account
  2. Click Security
  3. In the API Tokens section, find the compromised token
  4. Click Delete

Step 2: Monitor for abuse