DEVOPSdigest

CircleCI released several new security and compliance capabilities to aid developers to trust and maintain the stability of their software.

“As the complexities of software development increases, there is a pertinent need for developer teams to more seamlessly integrate the latest and most advanced security features available,” said Jim Rose, CEO of CircleCI. “We are continuously evolving our security standards and introducing features that improve the security of our customers’ build pipelines and their ability to smartly manage risk.”

CircleCI’s platform additions include:

■ Flexible compliance with Config Policies

To provide customers an additional layer of control and compliance, CircleCI utilized Open Policy Agent, an industry standard policy engine, to create Config Policies, which offers the most flexible approach to organizational governance on the market today. Through self-serve configuration as code, they simultaneously allow for flexibility and individual team empowerment while also enabling greater organizational alignment.

CircleCI’s policy enforcement allows organizations to quickly apply common rules like orb allowances, or write deeply customized rules enforcing access to credentials, resources, and functions. Customers have the ability to enforce a multitude of company policy use cases spanning from cost-control to compliance. Such use cases include:

- Force security related jobs to run in pipelines

- Control how contexts are or are not being used

- Control use of docker containers and executors

- Allow and disallow specific orbs or versions

■ Server 4.1 with AirGap support

This release includes AirGap support. With this latest release, CircleCI’s server can now be installed on an isolated network and provide core functionality without access to an internet connection.

CircleCI server 4.1 is designed to meet the strictest security, compliance, and regulatory requirements. This self-hosted solution offers the ability to scale under load and run multiple services at once, all within a team's Kubernetes cluster and network with the full CircleCI cloud experience.

■ More granular secret enhancements

Integrations with OpenID Connect ID (OIDC) remove the need for customers to store long lived secrets (passwords, api keys, etc) in the CircleCI system. It provides a short lived token which can be used to access a system that supports OIDC and allows you to assign CircleCI as a trusted actor. OIDC support was recently enhanced to include granular control of CircleCI’s access in customer’s 3rd party tools like AWS.

Other secret enhancements include:

- Project restricted contexts that allow an organization to limit contexts to a specific set of projects.

- An updated Context UI that includes a “created at” and “updated” at timestamp. This allows customers to quickly assert the status of long lived secrets.

- A script for secret finding in order to create an actionable list for secrets rotation.