CircleCI adds more security and compliance capabilities to its platform

CircleCI has unveiled a new suite of platform capabilities and integrations. Today, software teams are building at greater velocity while relying on a variety of dependent software. And with the interconnectedness of modern businesses, coupled with the increasing rate of change in the software ecosystem, it’s hard for these teams to release code with the utmost confidence.

This underscores the need for practices such as CI/CD, which has become the lynchpin of the software development pipeline.

CircleCI released several new security and compliance capabilities to aid developers to trust and maintain the stability of their software.

“As the complexities of software development increases, there is a pertinent need for developer teams to more seamlessly integrate the latest and most advanced security features available,” said Jim Rose, CEO of CircleCI. “We are continuously evolving our security standards and introducing features that improve the security of our customers’ build pipelines and their ability to smartly manage risk.”

“Large-scale enterprise teams can find adopting and scaling widespread best practices in software delivery across teams, departments, and geographies challenging,” said Jim Mercer, Research VP of DevOps and DevSecOps IDC. “With these new capabilities, CircleCI provides a practical approach to managing current and future software delivery security requirements.”

CircleCI’s platform additions include:

Flexible compliance with Config Policies

It can be difficult for engineering teams to manage and enforce organization-wide conventions and adherence to software delivery policy. To provide customers an additional layer of control and compliance, CircleCI utilized Open Policy Agent, an industry standard policy engine, to create Config Policies, which offers the flexible approach to organizational governance.

Through self-serve configuration as code, they simultaneously allow for flexibility and individual team empowerment while also enabling greater organizational alignment.

CircleCI’s policy enforcement allows organizations to apply common rules like orb allowances, or write deeply customized rules enforcing access to credentials, resources, and functions.

Customers have the ability to enforce a multitude of company policy use cases spanning from cost-control to compliance.

Such use cases include:

• Force security related jobs to run in pipelines
• Control how contexts are or are not being used
• Control use of docker containers and executors
• Allow and disallow specific orbs or versions

“Development teams desire autonomy in selecting the tools that work best for them, while at the same time security and compliance teams are interested in governance of the overall estate. Both groups are crucial to successful creation of software. Helping engineering teams to standardize their processes across their projects and across different teams is imperative for effective collaboration. By releasing features like Config Policies, CircleCI is working to provide choice with guardrails and enable speed and quality across development organizations,” said Rachel Stephens of RedMonk.

Server 4.1 with AirGap support

This release includes AirGap support. With this latest release, CircleCI’s server can now be installed on an isolated network and provide core functionality without access to an internet connection.

CircleCI server 4.1 is designed to meet the strictest security, compliance, and regulatory requirements. This self-hosted solution offers the ability to scale under load and run multiple services at once, all within a team’s Kubernetes cluster and network with the full CircleCI cloud experience.

More granular secret enhancements

Integrations with OpenID Connect ID (OIDC) remove the need for customers to store long lived secrets (passwords, api keys, etc) in the CircleCI system.

It provides a short lived token which can be used to access a system that supports OIDC and allows you to assign CircleCI as a trusted actor. OIDC support was recently enhanced to include granular control of CircleCI’s access in customer’s 3rd party tools like AWS.

Other secret enhancements include:

• Project restricted contexts that allow an organization to limit contexts to a specific set of projects.
• An updated Context UI that includes a “created at” and “updated” at timestamp. This allows customers to quickly assert the status of long lived secrets.
• A script for secret finding in order to create an actionable list for secrets rotation.