
AppVeyor Config Exposure


Detects publicly accessible AppVeyor configuration files (appveyor.yml), which may leak sensitive information such as API keys or passwords embedded in the build configuration.


To remediate AppVeyor Config Exposure:

  1. Rotate any exposed secrets, such as API keys or passwords, that were present in the configuration file.
  2. Remove sensitive data from the AppVeyor configuration file (appveyor.yml) and use encrypted variables or secure storage for sensitive information.
  3. Update the .gitignore file to exclude configuration files containing sensitive data from being committed to version control.
  4. Review access controls and permissions to ensure that only authorized personnel can view or edit the CI/CD configuration.
  5. Audit commit history to check if sensitive data was committed previously and use tools like BFG Repo-Cleaner or git filter-branch to remove it from the history.
  6. Implement a policy for code reviews to catch accidental commits of sensitive data in the future.
  7. Regularly scan your repositories for exposed secrets using automated tools.
  8. Enable branch protection rules to prevent direct pushes to critical branches and enforce pull requests for code changes.
  9. Educate team members about the importance of handling sensitive data securely within CI/CD pipelines.
  10. Monitor and set up alerts for any unusual activity in the CI/CD environment that could indicate a security breach.
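As an added example (not part of this check's documentation or of Escape's own code), the following Ruby script audits an appveyor.yml the way step 2 asks: it reports credential-looking keys in the `environment` and `deploy` sections whose values are plaintext, and accepts values given in AppVeyor's `secure:` encrypted form. Both sample configs are constructed, and the key-name pattern is an assumed heuristic rather than an AppVeyor rule.

```ruby
require "yaml"

# Constructed sample configs (not from the page): the weak one carries credentials in
# plaintext, the hardened one uses AppVeyor's `secure:` form (the ciphertext comes from
# AppVeyor's "Encrypt YAML" tool; placeholder strings stand in for it here).
WEAK_APPVEYOR_YML = <<~YAML
  environment:
    BUILD_CONFIG: Release
    NUGET_API_KEY: nuget-apikey-plaintext-example
    GITHUB_TOKEN:
      secure: PLACEHOLDER_CIPHERTEXT_1==
  deploy:
    - provider: FTP
      host: ftp.example.com
      username: deployer
      password: hunter2
YAML

HARDENED_APPVEYOR_YML = <<~YAML
  environment:
    BUILD_CONFIG: Release
    NUGET_API_KEY:
      secure: PLACEHOLDER_CIPHERTEXT_2==
    GITHUB_TOKEN:
      secure: PLACEHOLDER_CIPHERTEXT_1==
  deploy:
    - provider: FTP
      host: ftp.example.com
      username: deployer
      password:
        secure: PLACEHOLDER_CIPHERTEXT_3==
YAML

# Key names that usually hold credentials (a heuristic assumed here, not an AppVeyor rule).
SECRET_KEY = /key|token|secret|password|passwd|pwd|credential/i

# Returns "section.KEY" for every credential-looking key whose value is plaintext. A value
# of the form {"secure" => "<ciphertext>"} is AppVeyor's encrypted form and is not reported.
def plaintext_secrets(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  deploy = doc["deploy"]  # AppVeyor allows a single provider map or a list of them
  blocks = [["environment", doc["environment"]]] +
           (deploy.is_a?(Hash) ? [deploy] : Array(deploy)).map { |d| ["deploy", d] }
  blocks.flat_map do |section, block|
    next [] unless block.is_a?(Hash)
    block.select { |k, v| k.to_s.match?(SECRET_KEY) && !(v.is_a?(Hash) && v.key?("secure")) }
         .map { |k, _| "#{section}.#{k}" }
  end
end
```

Running `plaintext_secrets` over the weak config reports `environment.NUGET_API_KEY` and `deploy.password`; the hardened config produces no findings.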


Identifier: information_disclosure/appveyor_config_exposure


Ignore this check

skip: true


  • Escape Severity: HIGH


  • OWASP: API8:2023
  • PCI DSS: 2.2
  • GDPR: Article-32
  • SOC 2: CC6
  • PSD2: Article-95
  • ISO 27001: A.12.6
  • NIST: SP800-123
  • FedRAMP: AC-22