For 7 days Travis CI pull requests were including secure environment vars in public repositories.


Signing keys, access credentials and API tokens may have been leaked, which could be used to gain a foothold onto thousands of customer networks.

Affected Products

Public repositories using TravisCI.

Containment, Mitigations & Remediations

Travis CI recommend you rotate your secrets. They have not reached out to affected parties or made any serious attempt to inform the public about the issue.

Based on the vendor response, the security researchers who found the vulnerability recommend switching away from Travis CI altogether.

Threat Landscape

In 2019 the company was acquired and a large portion of their development team was fired.

Mitre Methodologies

T1555 – Credentials from Password Stores

Further Information

Travis CI Security Bulletin
Carmen H. Andoh on Twitter