Finding Secrets In Travis CI

How to find information leaks at scale with a few command line tools

At SecApps we pride ourselves on having one the most complete information security toolkit with fully-managed services and tools available directly from your very own browser. However, there are some tasks that can be better done with a bit of command-line magic.

In this tutorial we will explore two command-line tools available in our open-source PownJS security toolkit: travis and leaks. We will use the combination of both to quickly scan the target Travis CI logs and look for interesting information.

Setup

Before we start, those of you who do not already have pown must install it with the node npm utility. If you don’t have Node.js, get it with your system package manager. Once node and npm are on your system (keep in mind you can simply use docker like this: docker run -it node /bin/bash) install pown with the following command: npm install -g pown.

If you happen to have pown already installed, ensure that you’ve got the latest version. This task is easily achieved by using the following command: pown update. Now we are ready to go.

What is Travis CI

Travis CI is a popular continuous integration platform for open source projects with direct integration to GitHub. Developers are using Travis for all kinds of common activities, from building personal blogs to compiling libraries and more. Some tasks may require special setup to work. For example, deploying a blog may require some credentials for a Github, AWS S3 or some other type of account. These credentials are securely stored either in Travis itself or in the build configuration files as encrypted strings so that nobody can see them but the build scripts.

Although these secret strings are encrypted, it does not mean they are secure. In fact, just like any other build process, things can get very wrong. A debug trace dump could reveal vital information that was not exposed otherwise in the build file. Some environment variables may contain hints and in some cases actual passwords to production systems. Error messages and some other verbose logging can reveal access tokens. In order to discover all of them we need to download all travis logs and scan them. This is what we are doing next.

Dumping The Travis CI Logs

The Travis CI build logs are available publicly for all open source projects. This means that we can easily retrieve them with nothing but a browser. However, some projects may hold hundreds of logs and so manually exploring them is just painful exercise which must be automated. Luckily, the pown toolkit contains one command that helps us automate this particular task easily.

To dump the logs of any Travis repository simply type the following: pown travis dump $ORG. In this example $ORG is the variable which holds the organisation name such as razor, roblox, or any other organisation that is, or has been using Travis CI in the past.

This step can take some time depending on the amount of logs. The tool will recursively dig into each individual repository associated with the target organisation and download the logs and the configuration files associated with each build step.

You can see from the screenshot above that the logs can get pretty large. While 75 megabytes is not a lot of space, this is enough to fit about 120+ books as simple text files.

Scanning For Secrets

Now that we have all logs downloaded locally, it is time to find secrets. This step is also fairly trivial if you have the right tools and so it happens that this is the case with the pown toolkit.

Pown Leaks is a command-line tool and a database of patterns that help you identify secrets: github tokens, AWS credentials, passwords and much more. You can support the secrets database directly on our GitHub project. Your changes will be incorporated into the next version of the pown toolkit.

Using the tool is straightforward: pown leaks. The location argument can be anything including a file, a directory or a URL. The last one is particularly interesting and we will explore in some other tutorial.

To start the hunt fire off the tool into the local directory where we dumped the Travis CI logs in the previous steps. Some particular flags you might want to use include --unique and --json. In this example we simply used the verbose flag which is suitable for demonstration purposes but with the additional flags we can really get interesting results quickly.

Conclusion

In this tutorial we have learned how to dump the travis logs and search for secrets in two very quick steps everyone can follow and execute. With a bit of luck we can even find some interesting secrets the project owners have mistakenly leaked and therefore could potentially open the gates to other mischievous activities. You better rotate these secrets as soon as possible and follow up with a full audit on all systems affected.

Additionally, if you are interested to discover and continuously track secrets and other security deficiencies in build logs, source repositories and library modules across your entire developer estate, you might be interested to check out SecApps Devcore.