Skip to content

Bitrise App Token

Service Name: Bitrise

Service Description: Bitrise is a continuous integration and delivery (CI/CD) platform as a service (PaaS) that enables developers to automate building, testing, and deploying mobile applications.

Service Address: https://bitrise.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through the Security Settings.

Secret Access Scope: Grants programmatic access to Bitrise resources, allowing users to trigger builds, access app information, and manage workflows through the Bitrise API.

Secret Revokement URL: https://app.bitrise.io/me/profile#/security

Secret Example: tQp2sRSGQh3RdHxTc4qIwJM5IBCfAJ1S

Suspicious Activity Investigation Instructions:

  • Review the Bitrise dashboard for unusual build activities or unauthorized app access.
  • Check build logs for unexpected workflow executions or configuration changes.
  • Monitor for unauthorized access to connected repositories or deployment targets.
  • Review the audit logs for suspicious API calls or authentication attempts.
  • Check for unexpected changes to workflow configurations or environment variables.

Mitigation Instructions:

  • Log in to your Bitrise account at https://app.bitrise.io/.
  • Navigate to your profile by clicking on your avatar in the top-right corner.
  • Select "Account settings" from the dropdown menu.
  • Go to the "Security" tab.
  • Find the compromised token in the "Personal access tokens" section.
  • Click the "Revoke" button next to the token.
  • Generate a new token if needed, with appropriate permissions.
  • Update any CI/CD pipelines or integrations that were using the old token.
  • Review and update security settings, including enabling two-factor authentication if not already enabled.