GoCD API Token
Service Name: GoCD
Service Description: GoCD is an open-source continuous delivery server that helps organizations automate and streamline their software delivery process. It provides visualization of complex workflows and supports parallel and sequential execution of tasks.
Service Address: https://www.gocd.org/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the server level through GoCD's security configuration.
Secret Access Scope: Grants programmatic access to GoCD's REST API, allowing users to interact with pipelines, agents, configurations, and other GoCD resources.
Secret Revokement URL: https://docs.gocd.org/current/configuration/access_tokens.html
Secret Example: d290f1ee-6c54-4b01-90e6-d701748f0851
Suspicious Activity Investigation Instructions:
- Review GoCD server logs for unusual API calls or access patterns.
- Check for unauthorized pipeline modifications or executions.
- Monitor for configuration changes that weren't approved.
- Examine agent registration and communication patterns for anomalies.
- Review audit logs for suspicious user activities or authentication attempts.
Mitigation Instructions:
- Log in to the GoCD server as an administrator.
- Navigate to the Admin > Personal Access Tokens section.
- Locate the compromised token and click Revoke.
- Generate a new token if needed, with appropriate permissions.
- Update any legitimate applications or scripts that were using the revoked token.
- Consider implementing more restrictive token permissions for future tokens.
- Review and update your GoCD security configuration to prevent similar incidents.