Percy API Token
Service Name: Percy
Service Description: Percy is a visual testing and review platform that helps teams catch visual UI changes during the development process. It automates visual regression testing by capturing screenshots and comparing them against baselines to identify visual differences.
Service Address: https://percy.io/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants access to Percy projects, builds, and allows uploading screenshots for visual testing. Can be used to create new builds, upload snapshots, and finalize builds through the Percy API.
Secret Revokement URL: https://percy.io/organizations/[organization-name]/settings/tokens
Secret Example: percy_token_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Suspicious Activity Investigation Instructions:
- Review Percy dashboard for unexpected builds or snapshots
- Check project activity logs for unauthorized access or unusual build patterns
- Examine build history to identify any builds initiated from unexpected sources
- Review organization audit logs for suspicious token usage
- Monitor for unusual spikes in snapshot comparisons or build frequency
Mitigation Instructions:
- Log in to your Percy account and navigate to Organization Settings
-
Go to the "Access Tokens" section
-
Locate the compromised token and click "Revoke"
- Create a new token with appropriate permissions if needed
- Update all legitimate CI/CD pipelines and integrations with the new token
- Consider implementing project-specific tokens rather than organization-wide
tokens
- Review and update access permissions for team members who might have had
access to the token