Drone CI API Token
Service Name: Drone CI
Service Description: Drone is a Continuous Integration platform built on container technology. It uses a simple YAML configuration file, a superset of docker-compose, to define and execute Continuous Integration pipelines inside Docker containers.
Service Address: https://www.drone.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the server level through network policies or reverse proxies, but not directly at the token level.
Secret Access Scope: Grants programmatic access to Drone CI API, allowing management of repositories, builds, secrets, and other CI/CD pipeline resources.
Secret Revokement URL: https://docs.drone.io/api/users/user_token_delete/
Secret Example: drn.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoic2FtcGxlX3Rva2VuIiwib mFtZSI6ImRyb25lX3Rva2VuIn0.1234567890abcdefghijklmnopqrstuvwxyz
Suspicious Activity Investigation Instructions:
- Review Drone CI logs for unusual build triggers or repository access
- Check for unauthorized repository additions or modifications
- Monitor for changes to build configurations or secret environment variables
- Examine build history for unauthorized or unusual build patterns
- Review user activity logs for suspicious login patterns or API calls
Mitigation Instructions:
-
Log into your Drone CI account and navigate to the user settings
-
Locate the compromised token in the "User Tokens" section
- Delete the compromised token by clicking the delete button
- Generate a new token if needed with appropriate permissions
- Update any legitimate applications or services using the old token
- Review and audit repository access permissions
- Enable audit logging if not already enabled
- Consider implementing IP restrictions at the server level if possible