cloud-based CI/CD issues – travis-ci


Travis-CI published a security bulletin the other day, describing a special condition that would allow access to secrets belonging to a foreign repository on GitHub or Bitbucket. The condition requires a fork of a public repository. That is how open source works, and forking is very central functionality. Not a corner case.
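As an added example (not from the bulletin or from Travis CI), a guard a repository's build script can run before touching any credential: it flags exactly the condition described above, a build whose pull request head comes from a fork while Travis still reports secure environment variables as available. It relies only on Travis CI's documented TRAVIS_REPO_SLUG, TRAVIS_PULL_REQUEST_SLUG and TRAVIS_SECURE_ENV_VARS variables; the slug values used in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the post or from Travis CI.
# Detects a fork-originated build that nevertheless has secure env vars.
set -u

# is_fork_build REPO_SLUG PR_SLUG
# Returns 0 when the PR head repository differs from the repository being
# built (e.g. "owner/repo" vs "someone/repo"), i.e. the build comes from a fork.
is_fork_build() {
  local repo_slug="$1" pr_slug="$2"
  [ -n "$pr_slug" ] && [ "$pr_slug" != "$repo_slug" ]
}

# secrets_leaked_to_fork REPO_SLUG PR_SLUG SECURE_ENV_VARS
# Returns 0 for the dangerous case: a fork build AND Travis reporting that
# secure (encrypted) variables were injected ("true").
secrets_leaked_to_fork() {
  local repo_slug="$1" pr_slug="$2" secure="$3"
  is_fork_build "$repo_slug" "$pr_slug" && [ "$secure" = "true" ]
}

# check_env reads the real TRAVIS_* variables (defaulting to empty/false when
# unset) and returns 1 if the dangerous case is detected, so a build script can
# abort before any secret is used.
check_env() {
  if secrets_leaked_to_fork "${TRAVIS_REPO_SLUG:-}" \
                            "${TRAVIS_PULL_REQUEST_SLUG:-}" \
                            "${TRAVIS_SECURE_ENV_VARS:-false}"; then
    echo "ERROR: fork build from ${TRAVIS_PULL_REQUEST_SLUG} has secure env vars; aborting" >&2
    return 1
  fi
  echo "ok: no secure env vars exposed to a fork build"
}
```

A fork can edit the build configuration, so this only detects the condition in builds that still run the upstream script; it is a tripwire for maintainers, and secrets that were ever exposed still need rotating.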

It turns out the cloud service did address the issue; still, plenty of secrets had already been affected:

While cloud technology is all great economically, this is another example of why commercial software vendors need to include their third-party vendors in their threat profiles.