CircleCI Personal Access Token

Detects CircleCI personal access tokens (CCIPAT_ prefix). These tokens authenticate to the CircleCI API and can read/modify pipelines, contexts and project settings; a leak enables CI/CD compromise.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: the distinctive CCIPAT_ prefix combined with the base58_hex two-segment structure makes false positives extremely unlikely.

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990

Frameworks

CIS Controls, ISO 27001, NIST CSF, SOC 2

Data categories

credentials, security

Scope

narrow

Risk rating

8

Platform compatibility

Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_])CCIPAT_[A-Za-z0-9]{20,24}_[0-9a-f]{40}(?![A-Za-z0-9])

Corroborative evidence keywords

circleci, circle ci, personal access token, CIRCLE_TOKEN, api token, CI/CD

Proximity: 300 characters

Should match

• CCIPAT_ULUhR6rJLxYbyzyrP19iMZ_8fb1e3510325f7f09361de22b9420346c53ca2cb — CircleCI PAT, CCIPAT_ prefix + base58 + hex
• CIRCLE_TOKEN=CCIPAT_ABCDEFGHIJ1234567890ab_0123456789abcdef0123456789abcdef01234567 — Labelled CircleCI PAT in CIRCLE_TOKEN env var
• CCIPAT_zZyYxXwWvVuU0123456789_deadbeefdeadbeefdeadbeefdeadbeefdeadbeef — CircleCI PAT with hex body

Should not match

• CCIPAT_short_0123456789abcdef — Hex segment too short to be a CircleCI PAT
• CCIPRJ_ULUhR6rJLxYbyzyrP19iMZ_8fb1e3510325f7f09361de22b9420346c53ca2cb — Project token prefix (CCIPRJ_), not a personal access token
• generate a circleci personal access token in user settings — Prose mention without a token value

Known false positives

• Documentation or examples showing placeholder CCIPAT_ strings. Mitigation: Require corroborative CircleCI keywords and exclude placeholder markers.

References

• Managing CircleCI API tokens
• New format for CircleCI API access tokens