CircleCI adds more security and compliance capabilities to growing CI/CD ecosystem

New integrations and platform enhancements aim to further empower developer teams to build software with more confidence

SAN FRANCISCO--()--CircleCI, the leading continuous integration and continuous delivery (CI/CD) platform, today announced a new suite of platform capabilities and integrations.

Today, software teams are building at greater velocity while relying on a variety of dependent software. And with the interconnectedness of modern businesses, coupled with the increasing rate of change in the software ecosystem, it’s hard for these teams to release code with the utmost confidence. This underscores the need for practices such as CI/CD, which has become the lynchpin of the software development pipeline.

Which is why today, CircleCI released several new security and compliance capabilities to aid developers to trust and maintain the stability of their software.

“As the complexities of software development increases, there is a pertinent need for developer teams to more seamlessly integrate the latest and most advanced security features available,” said Jim Rose, CEO of CircleCI. “We are continuously evolving our security standards and introducing features that improve the security of our customers’ build pipelines and their ability to smartly manage risk.”

"Large-scale enterprise teams can find adopting and scaling widespread best practices in software delivery across teams, departments, and geographies challenging," said Jim Mercer, Research Vice President of DevOps and DevSecOps IDC. "With these new capabilities, CircleCI provides a practical approach to managing current and future software delivery security requirements."

CircleCI’s platform additions include:

Flexible compliance with Config Policies

It can be difficult for engineering teams to manage and enforce organization-wide conventions and adherence to software delivery policy. To provide customers an additional layer of control and compliance, CircleCI utilized Open Policy Agent, an industry standard policy engine, to create Config Policies, which offers the most flexible approach to organizational governance on the market today. Through self-serve configuration as code, they simultaneously allow for flexibility and individual team empowerment while also enabling greater organizational alignment.

CircleCI’s policy enforcement allows organizations to quickly apply common rules like orb allowances, or write deeply customized rules enforcing access to credentials, resources, and functions. Customers have the ability to enforce a multitude of company policy use cases spanning from cost-control to compliance. Such use cases include:

  • Force security related jobs to run in pipelines
  • Control how contexts are or are not being used
  • Control use of docker containers and executors
  • Allow and disallow specific orbs or versions

"Development teams desire autonomy in selecting the tools that work best for them, while at the same time security and compliance teams are interested in governance of the overall estate. Both groups are crucial to successful creation of software. Helping engineering teams to standardize their processes across their projects and across different teams is imperative for effective collaboration. By releasing features like Config Policies, CircleCI is working to provide choice with guardrails and enable speed and quality across development organizations," said Rachel Stephens of RedMonk.

Server 4.1 with AirGap support

This release includes AirGap support. With this latest release, CircleCI’s server can now be installed on an isolated network and provide core functionality without access to an internet connection.

CircleCI server 4.1 is designed to meet the strictest security, compliance, and regulatory requirements. This self-hosted solution offers the ability to scale under load and run multiple services at once, all within a team's Kubernetes cluster and network with the full CircleCI cloud experience.

More granular secret enhancements

Integrations with OpenID Connect ID (OIDC) remove the need for customers to store long lived secrets (passwords, api keys, etc) in the CircleCI system. It provides a short lived token which can be used to access a system that supports OIDC and allows you to assign CircleCI as a trusted actor. OIDC support was recently enhanced to include granular control of CircleCI’s access in customer’s 3rd party tools like AWS.

Other secret enhancements include:

  • Project restricted contexts that allow an organization to limit contexts to a specific set of projects.
  • An updated Context UI that includes a “created at” and “updated” at timestamp. This allows customers to quickly assert the status of long lived secrets.
  • A script for secret finding in order to create an actionable list for secrets rotation.

About CircleCI

CircleCI is the leading continuous integration and delivery platform for software innovation at scale. With intelligent automation and delivery tools, CircleCI is used by the world's best engineering teams to radically reduce the time from idea to execution. The company has been recognized as an innovative leader in cloud-native continuous integration by independent research firms and industry awards like the DEVIES, Forbes’ Best Startup Employers of the Year, and Deloitte’s Technology Fast 500™.

Founded in 2011 and headquartered in downtown San Francisco with a global, remote workforce, CircleCI is venture-backed by Base10, Greenspring Associates, Eleven Prime, IVP, Sapphire Ventures, Top Tier Capital Partners, Baseline Ventures, Threshold Ventures, Scale Venture Partners, Owl Rock Capital, Next Equity Partners, Heavybit and Harrison Metal Capital. Learn more at


Summer Falgiano, CircleCI


Summer Falgiano, CircleCI