Skip to content

Drone CI API Token

Service Name: Drone CI

Service Description: Drone is a Continuous Integration platform built on container technology. It uses a simple YAML configuration file, a superset of docker-compose, to define and execute Continuous Integration pipelines inside Docker containers.

Service Address: https://www.drone.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the server level through network policies or reverse proxies, but not directly at the token level.

Secret Access Scope: Grants programmatic access to Drone CI API, allowing management of repositories, builds, secrets, and other CI/CD pipeline resources.

Secret Revokement URL: https://docs.drone.io/api/users/user_token_delete/

Secret Example: drn.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoic2FtcGxlX3Rva2VuIiwib mFtZSI6ImRyb25lX3Rva2VuIn0.1234567890abcdefghijklmnopqrstuvwxyz

Suspicious Activity Investigation Instructions:

  • Review Drone CI logs for unusual build triggers or repository access
  • Check for unauthorized repository additions or modifications
  • Monitor for changes to build configurations or secret environment variables
  • Examine build history for unauthorized or unusual build patterns
  • Review user activity logs for suspicious login patterns or API calls

Mitigation Instructions:

  • Log into your Drone CI account and navigate to the user settings

  • Locate the compromised token in the "User Tokens" section

  • Delete the compromised token by clicking the delete button
  • Generate a new token if needed with appropriate permissions
  • Update any legitimate applications or services using the old token
  • Review and audit repository access permissions
  • Enable audit logging if not already enabled
  • Consider implementing IP restrictions at the server level if possible