AppVeyor Config Exposure
Description
Detects publicly accessible AppVeyor configuration files which may leak sensitive information.
Remediation
To remediate AppVeyor Config Exposure:
- Rotate any exposed secrets, such as API keys or passwords, that were present in the configuration file.
- Remove sensitive data from the AppVeyor configuration file (
appveyor.yml) and use encrypted variables or secure storage for sensitive information. - Update the
.gitignorefile to exclude configuration files containing sensitive data from being committed to version control. - Review access controls and permissions to ensure that only authorized personnel can view or edit the CI/CD configuration.
- Audit commit history to check if sensitive data was committed previously and use tools like BFG Repo-Cleaner or
git filter-branchto remove it from the history. - Implement a policy for code reviews to catch accidental commits of sensitive data in the future.
- Regularly scan your repositories for exposed secrets using automated tools.
- Enable branch protection rules to prevent direct pushes to critical branches and enforce pull requests for code changes.
- Educate team members about the importance of handling sensitive data securely within CI/CD pipelines.
- Monitor and set up alerts for any unusual activity in the CI/CD environment that could indicate a security breach.
Configuration
Identifier:
information_disclosure/appveyor_config_exposure
Examples
Ignore this check
checks:
information_disclosure/appveyor_config_exposure:
skip: true
Score
- Escape Severity: HIGH
Compliance
- OWASP: API8:2023
- pci: 2.2
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.12.6
- nist: SP800-123
- fedramp: AC-22