CircleCI
Discover organizations/projects, pipelines/workflows/jobs, contexts & env vars, tokens, orbs, runners and webhooks. Govern non-human identities (jobs, runners, tokens, orbs) and their effective permissions — stop risky actions before impact.
What the connector discovers
- Organizations, Projects & VCS
Org inventory, projects and VCS links (GitHub/GitLab/Bitbucket); OIDC settings for deployments, project-level config sources and permissions.
- Pipelines, Workflows & Jobs
Recent pipelines & workflows (status), scheduled triggers, approval jobs, artifact paths, cache usage and external publishing hints.
- Contexts & Environment Variables
Contexts attached to projects/workflows, env vars (names only) & scoping, masking/protection hints and rotation windows (no secret values).
- Runners — Cloud & Self-Hosted
Runner fleets, resource classes, self-hosted runner tokens/labels, isolation & network posture for sensitive jobs.
- Orbs & Integrations
Orbs in use (versions, sources), third-party integrations and potential egress/privilege paths introduced by orbs.
- Tokens & Webhooks
User/project tokens (metadata), webhook endpoints, event subscriptions and owner attestations.
- Effective Permissions
Identity (runner/job/token/orb) → permissions → repository/environment → allowed actions at time-of-execution.
CircleCI runs builds & deployments across your repos and clouds. Jobs, runners, contexts and orbs can move code and secrets at scale. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.
Drift-aware risk scoring
Baselines per project/job; peer groups by team; detect expansion of contexts/env vars, ownerless orbs/hooks, risky publish steps (e.g., external registries/buckets) and anomalous pipeline bursts.
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. JIT approvals before secret/context use, restrict jobs to approved runners, and enforce egress & artifact publishing guardrails.
Audit-grade narratives
Each decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after permissions, affected repos/environments and owner context.
Connect CircleCI
ClarioSec uses **CircleCI API v2** with a token that is only ever used for read calls (org- or project-level). For CircleCI Server, also provide the **base URL** of your installation; the API is served under `/api/v2` on that host.
- 1) Create a Personal API Token
User settings → Personal API Tokens → Create New Token. A personal API token carries every permission of the user who created it (personal tokens have no read-only scope), so create it under a dedicated service user whose org/project access is limited to reading metadata, and rotate it like any other long-lived credential.
- 2) (Optional) Project Tokens
For stricter scoping, create project API tokens (Project Settings → API Permissions) with the Read Only scope; they enumerate pipelines, workflows and jobs for that one project. Contexts are org-scoped objects, so listing them still requires the org-level personal token.
- 3) Provide VCS context
ClarioSec correlates CircleCI projects to their VCS (GitHub/GitLab/Bitbucket) for effective permission analysis.
- 4) Add in ClarioSec
Open the CircleCI connector and paste Base URL (if server) and API Token(s). We store credentials per-tenant and honor rate limits.
High-value signals via CircleCI API v2 (metadata only):
- /me/collaborations (organizations), /project, /pipeline, /workflow, /job, /context, /runner, /webhook endpoints (where applicable); every request authenticates with the `Circle-Token` request header
- Contexts & env var names (masked/protected hints), tokens (metadata), orbs (source/version)
- Runner definitions (cloud/self-hosted), resource classes & labels; pipeline approval steps
Endpoint family: CircleCI API v2 (Cloud/Server) — read-only usage for discovery & governance.
- Ownerless orbs & webhooks
Orbs without owners or pinned versions; webhooks to external endpoints without review.
- Context/secret sprawl
Many contexts with overlapping env vars; secrets not rotated; contexts attached broadly to projects.
- Runner exposure
Self-hosted runners shared across many projects; permissive labels enabling privileged jobs from untrusted repos.
- Risky publish/egress steps
Pipelines pushing containers/artifacts to external registries/buckets without approvals.
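The connection steps above, the API v2 endpoint family, and the context/secret sprawl signal are easiest to see end to end in code. The block below is an added example, not ClarioSec's connector code and not CircleCI tooling: a minimal read-only API v2 client that authenticates with the Circle-Token header, follows next_page_token paging, and walks contexts and their environment variable names (the API never returns values) to flag variables defined in more than one context and variables not updated within a rotation window. The HTTP transport is injectable so the example runs offline against constructed responses; the organization id, context and variable names and timestamps in fake_transport are made up, and the 90-day rotation window is an assumed policy, not a CircleCI default.

```python
"""Read-only CircleCI API v2 discovery sketch (added example, not ClarioSec code)."""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

CLOUD_BASE = "https://circleci.com/api/v2"  # CircleCI Server: https://<your-host>/api/v2


class CircleV2:
    """Minimal GET-only client. `transport` is injectable so tests run offline;
    the default performs a real HTTPS GET carrying the Circle-Token header."""

    def __init__(self, token: str, base_url: str = CLOUD_BASE,
                 transport: Optional[Callable[[str], Dict[str, Any]]] = None):
        self.base_url = base_url.rstrip("/")
        self._headers = {"Circle-Token": token, "Accept": "application/json"}
        self._get = transport or self._http_get

    def _http_get(self, url: str) -> Dict[str, Any]:
        req = urllib.request.Request(url, headers=self._headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def paged(self, path: str, **params: str) -> Iterator[Dict[str, Any]]:
        """Yield items across pages: API v2 returns next_page_token and
        expects it back as the page-token query parameter."""
        page_token = None
        while True:
            query = dict(params)
            if page_token:
                query["page-token"] = page_token
            url = f"{self.base_url}{path}" + (f"?{urlencode(query)}" if query else "")
            body = self._get(url)
            yield from body.get("items", [])
            page_token = body.get("next_page_token")
            if not page_token:
                return


def context_sprawl(client: CircleV2, org_id: str, now: datetime,
                   stale_after_days: int = 90) -> Dict[str, Any]:
    """Names only: /context/{id}/environment-variable never exposes secret values.
    Flags variables shared by several contexts and variables past the rotation window
    (90 days is an assumed policy here, not a CircleCI default)."""
    defined_in: Dict[str, List[str]] = {}          # var name -> contexts defining it
    stale: List[Tuple[str, str, int]] = []         # (context, var, age in days)
    for ctx in client.paged("/context", **{"owner-id": org_id, "owner-type": "organization"}):
        for var in client.paged(f"/context/{ctx['id']}/environment-variable"):
            defined_in.setdefault(var["variable"], []).append(ctx["name"])
            updated = datetime.fromisoformat(var["updated_at"].replace("Z", "+00:00"))
            age = (now - updated).days
            if age > stale_after_days:
                stale.append((ctx["name"], var["variable"], age))
    shared = {name: sorted(ctxs) for name, ctxs in defined_in.items() if len(ctxs) > 1}
    return {"shared": shared, "stale": sorted(stale)}


def fake_transport() -> Callable[[str], Dict[str, Any]]:
    """Constructed responses shaped like API v2 (two context pages to exercise paging).
    All ids, names and timestamps are invented for the example."""
    contexts_p1 = {"items": [{"id": "c-1", "name": "prod-deploy"}], "next_page_token": "p2"}
    contexts_p2 = {"items": [{"id": "c-2", "name": "staging-deploy"},
                             {"id": "c-3", "name": "legacy-publish"}], "next_page_token": None}
    env_vars = {
        "c-1": [{"variable": "AWS_ACCESS_KEY_ID", "updated_at": "2024-01-10T00:00:00Z"},
                {"variable": "DOCKERHUB_TOKEN", "updated_at": "2024-06-01T00:00:00Z"}],
        "c-2": [{"variable": "AWS_ACCESS_KEY_ID", "updated_at": "2024-06-15T00:00:00Z"}],
        "c-3": [{"variable": "DOCKERHUB_TOKEN", "updated_at": "2023-03-01T00:00:00Z"}],
    }

    def get(url: str) -> Dict[str, Any]:
        u = urlparse(url)
        if u.path == "/api/v2/context":
            return contexts_p2 if parse_qs(u.query).get("page-token") == ["p2"] else contexts_p1
        parts = u.path.split("/")                   # /api/v2/context/<id>/environment-variable
        if parts[-1] == "environment-variable":
            return {"items": env_vars[parts[-2]], "next_page_token": None}
        raise KeyError(f"unexpected request in fake transport: {url}")

    return get


def run_demo() -> Dict[str, Any]:
    """Run the sprawl check against the constructed responses at a fixed 'now'."""
    client = CircleV2("dummy-token", transport=fake_transport())
    return context_sprawl(client, "org-uuid", datetime(2024, 7, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a live org, replace fake_transport() with the default transport and a real token; the same paged() loop serves the other list endpoints on the page (pipelines per project, webhooks by scope). The two findings it produces map directly to the sprawl signal: the same variable name living in several contexts usually means one credential copied around rather than scoped, and an untouched updated_at is the only rotation evidence the metadata offers.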
- JIT approvals for secret/context use and external publish
- Automatic permission minimization & rotation guidance (contexts/tokens)
- Enforce runner isolation and orb pinning for sensitive pipelines
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern CircleCI pipelines, runners and secrets at runtime?
Move from CI/CD posture to provable behavior — identity → permission → action → narrative.