Skip to content

The 24 CircleCI security checks Black Cat runs

Black Cat SSPM evaluates 24 security policies against your CircleCI configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumNo Groups Defined

Create organization groups in CircleCI to scope context access to specific teams

highUnrestricted Context

Add project or group restrictions to CircleCI contexts to limit which pipelines can access secrets

highUser Checkout Key

Replace user checkout keys with project deploy keys to limit VCS repository access

mediumOIDC Not Configured

Configure OIDC token claims in CircleCI to enable keyless cloud authentication without stored credentials

lowEmpty Group

Remove empty groups or add members to maintain accurate access control

mediumLarge Group

Review large groups and split them into smaller, role-based groups for tighter access control

mediumOIDC Default Audience

Set a specific OIDC audience to restrict where CircleCI tokens are accepted

configuration

mediumConfig Policies Disabled

Enable config policies in CircleCI organization settings to enforce pipeline standards

lowConfig Policies Soft Fail

Switch config policy enforcement from soft_fail to hard_fail to block non-compliant pipelines

highForked PR Builds Enabled

Disable forked pull request builds to prevent untrusted code from accessing CI secrets

highWebhook Insecure URL

Update CircleCI webhook URLs to use HTTPS to protect build event data in transit

mediumWebhook Unverified TLS

Enable TLS certificate verification on CircleCI webhooks to prevent man-in-the-middle attacks

mediumStale Runner

Investigate and decommission self-hosted runners that have not contacted CircleCI in over 7 days

lowSchedule Non-Default Branch

Review scheduled pipelines targeting non-default branches and update to target the default branch if appropriate

mediumPipeline Deprecated Image

Replace deprecated circleci/ Docker images with maintained cimg/ equivalents in pipeline config

highWebhook No Signing Secret

Configure a signing secret on CircleCI webhooks to verify payload authenticity

mediumPipeline Machine Executor

Replace machine executors with Docker executors to improve isolation between pipeline jobs

mediumPipeline Setup Remote Docker

Review usage of setup_remote_docker and ensure Docker-in-Docker is necessary for the pipeline

mediumExcessive Orb Allowlist

Reduce the orb allowlist to only actively used and trusted orbs to limit supply chain risk

lowRunner Without Name

Assign a descriptive name to self-hosted runners to improve auditability

lowSchedule Without Description

Add a description to scheduled pipelines to document their purpose and ownership

data leakage

mediumExcessive Env Vars

Reduce project-level environment variables by migrating shared secrets to contexts or OIDC tokens

criticalPipeline Hardcoded Secrets

Remove hardcoded secrets from pipeline config and store them in CircleCI contexts or environment variables

third party risk

mediumOrb Allowlist Empty

Configure an orb allowlist to restrict which third-party orbs pipelines may use

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial