Security implications¶

The lack of a shared secret for manually created integrations together with a legacy feature that automatically created integrations in certain circumstances, could have allowed unauthorized users to create integrations without a shared secret. Allowing the attacker to trigger builds, create and delete previews from pull requests (if you had this feature enabled), and update the identifier of the latest version (if you had your default branch set to empty in your project’s settings).

We published a security advisory with more details about this issue.

Action required¶

If you manually created a webhook integration for GitHub, GitLab or Bitbucket, you may be affected by this issue.

We have updated some of the webhooks automatically for users that have an account connected to a Git provider, for integrations that we weren’t able to update automatically, we have contacted the owners of each project. To check if you have integrations without a secret, and to update them to include one, follow these steps:

• Go to your project’s settings page.

• Click on the “Integrations” tab.

• Click on each integration, if the integration doesn’t have a secret, you’ll see a warning message.

• If you see the warning message, click on the “Resync webhook” button to generate a new secret.

• Follow the steps from our documentation to update your provider’s webhook with the new secret.

Deprecation of integrations without a secret¶

In order to keep the builds of your projects working, webhooks from integrations without a secret will continue working, but with a limited functionality, they will only be able to trigger builds.

We strongly advise all users to update their integrations to include a secret as soon as possible. Integrations without a secret are deprecated, and support for them will be removed on January 31st, 2024.