Travis CI flaw exposed thousands of open-source projects’ secrets

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


A flaw in popular software testing tool Travis CI exposed the secrets of thousands of open-source projects.

Travis CI is a hosted continuous integration service used to build and test software projects hosted on GitHub and Bitbucket.

For at least a week, between 3 and 10 Sept, open-source repos that used Travis CI had their keys, credentials, and tokens exposed.

Ethereum developer Felix Lange discovered a flaw in how Travis CI handled environment variables. Lange found that a public repo forked from another could file a pull request whose build collected the secret environment variables of the original upstream repository.

Péter Szilágyi, an Ethereum team leader, tweeted about the incident and the lacklustre response:

An analysis (PDF) from 2019 found that Travis CI was used for more than 932,977 open-source projects, a number that is likely even larger today.

Just look at the number of results following a GitHub code search for the travis.yml configuration file:

Travis CI did silently patch the vulnerability on 10 Sept, three days after it was reported. However, many developers aren’t happy that Travis CI seemingly attempted to sweep the whole incident under the rug and hasn’t been forthcoming with information:

Elsewhere on its website, Travis CI posted advice that “cycling your secrets is something that all users should do on a regular basis.”
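Rotating secrets starts with knowing which ones a repository hands to Travis CI at all. The script below is an added example, not code from the article or from Travis CI: it scans a `.travis.yml` (a constructed sample is embedded) for Travis `secure:` entries, which are the encrypted values a build like the forked pull request described above would have received in plaintext, and also flags credential-looking `NAME=value` entries that were never secret in the first place. The config layout, the name-matching heuristic and the fingerprint scheme are this example's own assumptions.

```python
import hashlib
import re

# Constructed sample .travis.yml (not from any real project); the secure: blobs are placeholders.
SAMPLE_TRAVIS_YML = """\
language: go
env:
  global:
    - secure: "AAAAplaceholder-encrypted-npm-token"
    - GO111MODULE=on
    - CODECOV_TOKEN=plaintext-placeholder-token
deploy:
  provider: releases
  api_key:
    secure: "BBBBplaceholder-encrypted-github-token"
  skip_cleanup: true
"""

KEY_RE = re.compile(r'^\s*(?:-\s+)?([A-Za-z_][\w.-]*):(?:\s+(.*))?$')  # "key:" or "- key: value"
ASSIGN_RE = re.compile(r'^\s*-\s+([A-Z][A-Z0-9_]*)=(.*)$')              # "- NAME=value" env entries
SECRET_NAME = re.compile(r'TOKEN|SECRET|KEY|PASS|PWD|CREDENTIAL', re.I)  # heuristic, assumed here

def fingerprint(value):
    return hashlib.sha256(value.encode()).hexdigest()[:12]  # track a finding without echoing it

def _record(stack, kind, value):
    return {"path": ".".join(k for _, k in stack), "kind": kind, "fingerprint": fingerprint(value)}

def inventory_secrets(text):
    """List secret-bearing entries of a .travis.yml: 'encrypted' = a Travis `secure:` value
    (decrypted into the build environment, so rotate it), 'plaintext' = credential-looking NAME=value."""
    stack = []      # (effective indent, key) of the enclosing mappings, outermost first
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        lead = re.match(r'^(\s*)(-\s+)?', line)
        indent = len(lead.group(1)) + (2 if lead.group(2) else 0)   # a "- " item nests one level
        while stack and stack[-1][0] >= indent:                       # leave mappings we have exited
            stack.pop()
        m = KEY_RE.match(line)
        if m:
            stack.append((indent, m.group(1)))
            if m.group(1) == "secure" and m.group(2):
                findings.append(_record(stack, "encrypted", m.group(2).strip('"\'')))
            continue
        a = ASSIGN_RE.match(line)
        if a and SECRET_NAME.search(a.group(1)):
            findings.append(_record(stack + [(indent, a.group(1))], "plaintext", a.group(2)))
    return findings
```

Calling `inventory_secrets(SAMPLE_TRAVIS_YML)` yields one record per finding (path, kind, fingerprint); run it over a real config and treat every `encrypted` path as a credential to rotate.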
