by VWWHFSfQ 1262 days ago
I don't think locking down the account will do anything. It sounds like secrets were already stolen. GitHub access tokens, etc. Locking the account won't unsteal that stuff.

Right. You'd need lock-down-all-AWS-controlled-by-the-foo-key because CircleCI got hacked and it had the foo-key.

Sounds like a separate product (something about breaches and blast radii) and not a CircleCI feature.

The product already exists; it's called OAuth. All you need is an additional role that you can authorize:

    CircleCI would like to:
    
    - Upload build artifacts
    - Report security incidents

Then in GitHub (or wherever), you have the aforementioned checkbox. So when CircleCI reports the incident, the GitHub account is locked down.

You mean hanging whole sections of our value chain on other companies' assets was not the best idea?

Of course; it's the GitHub account that would need to be locked down in this case, and yes, it should be possible to do this automatically. The problem is that even though OAuth exists (which could be used to specify such an action during authorization), many services still rely on manually copying secrets around, which means that GitHub is not necessarily aware that another service has access to it.