The 24 CircleCI security checks Black Cat runs
Black Cat SSPM evaluates 24 security policies against your CircleCI configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Create organization groups in CircleCI to scope context access to specific teams
Add project or group restrictions to CircleCI contexts to limit which pipelines can access secrets
Replace user checkout keys with project deploy keys to limit VCS repository access
Configure OIDC token claims in CircleCI to enable keyless cloud authentication without stored credentials
Remove empty groups or add members to maintain accurate access control
Review large groups and split them into smaller, role-based groups for tighter access control
Set a specific OIDC audience to restrict where CircleCI tokens are accepted
configuration
Enable config policies in CircleCI organization settings to enforce pipeline standards
Switch config policy enforcement from soft_fail to hard_fail to block non-compliant pipelines
Disable forked pull request builds to prevent untrusted code from accessing CI secrets
Update CircleCI webhook URLs to use HTTPS to protect build event data in transit
Enable TLS certificate verification on CircleCI webhooks to prevent man-in-the-middle attacks
Investigate and decommission self-hosted runners that have not contacted CircleCI in over 7 days
Review scheduled pipelines targeting non-default branches and update to target the default branch if appropriate
Replace deprecated circleci/ Docker images with maintained cimg/ equivalents in pipeline config
Configure a signing secret on CircleCI webhooks to verify payload authenticity
Replace machine executors with Docker executors to improve isolation between pipeline jobs
Review usage of setup_remote_docker and ensure Docker-in-Docker is necessary for the pipeline
Reduce the orb allowlist to only actively used and trusted orbs to limit supply chain risk
Assign a descriptive name to self-hosted runners to improve auditability
Add a description to scheduled pipelines to document their purpose and ownership
data leakage
Reduce project-level environment variables by migrating shared secrets to contexts or OIDC tokens
Remove hardcoded secrets from pipeline config and store them in CircleCI contexts or environment variables
third party risk
Configure an orb allowlist to restrict which third-party orbs pipelines may use