Infisical, OpenBao, Concourse: the secret store and CI panels you don't want public
There's a category of self-hosted tool whose entire job is to hold the things you'd least like a stranger to have, and then it ships with a web admin. A secrets manager is the vault for every credential your org uses. A CI server holds the deploy keys and the pipeline secrets and can push code to production. Either one, reachable on the open internet behind a weak login, is the worst kind of single point of failure: not one app's data, but the keys to all of them.
These get stood up the same careless way everything else does. A secrets manager on a public box "so the team can manage env vars," a CI server exposed "to trigger builds remotely," the admin on whatever password got typed first. The tool works, nobody notices the door is open, and the panel sits there answering anonymous requests.
Two jobs, both catastrophic when public
- Infisical is a self-hosted secrets manager: env secrets, database credentials, and API keys for whole teams and projects, organized in one place. Reaching its admin is reaching the credential store itself. The scanner identifies it by the Infisical title plus its runtime-config asset.
- OpenBao is a secrets store too, the community fork of HashiCorp Vault. Same threat class as the Vault UI: everything sensitive, behind one panel. The scanner anchors on the OpenBao title plus the Vault-lineage UI bundle, which keeps it distinct from a real Vault deployment.
- Concourse CI runs your build and deploy pipelines, holds the pipeline secrets, and shows the build logs. A reachable Concourse is your deploy credentials and a view into how code ships.
- Woodpecker CI is a self-hosted CI server forked from Drone, with the same exposure: pipelines, repository secrets, and deploy credentials, all behind the panel.
- Node-RED is the odd one out and arguably the sharpest: it's a flow editor where the function nodes run arbitrary JavaScript. A reachable Node-RED editor isn't just data access, it's code execution on the host, by design. The scanner identifies it by its title plus the editor's mount element.
The thread is that "logged in" to a secrets manager means every credential, "logged in" to a CI server means deploy access and pipeline secrets, and "logged in" to Node-RED means a shell. None of these is a tool you want answering the public internet.
Why the blast radius is the whole org
A leaked app database is bad, but bounded: that app's data. A leaked secrets manager is unbounded, because it holds the credentials for everything else, so compromising it cascades into every service those credentials reach. A CI server is similar by a different route: it can deploy, which is arbitrary code execution against production by design, and it stores the secrets the pipeline injects. Node-RED collapses the distance entirely: the editor runs code on the host, with no exploit needed. These are the panels where "one weak password" doesn't mean one breach; it means the whole set.
Off the public internet, then locked down
A secrets manager or CI server is an operator tool. The fix isn't a better password first, it's making the panel unreachable from the open web at all, and only then hardening the login behind that.
```
# vault.yoursite.com answers the open internet
# the secret store (or the CI deploy keys) face everyone
```
If any of these was exposed, the cleanup is heavy and unavoidable: rotate the secrets the manager held, rotate the CI pipeline credentials, and on Node-RED, assume the host was reachable for code execution and treat it accordingly. Keep them patched, too. High-value self-hosted tools attract CVEs.
Reading it from outside
Whether your secret store or CI panel answers a stranger is a question settled by loading the URL, which is what SurfaceCheckr does from outside, with no credentials. Each probe requires two of the product's own served markers, the title plus a distinctive asset or mount element, so it confirms the real panel rather than a page that mentions the tool. It reads only what's served anonymously and stops: no login, nothing run. These are the most dangerous cousins of the deploy controllers and remote-access panels in the same situation, and the secrets they guard are the same ones that, handled less carefully, leak straight into a frontend bundle.
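The two-marker rule described above, as an added example for checking your own hosts' anonymous responses (this is not SurfaceCheckr's code): the product titles are the real ones, but the second markers (the runtime-config asset, the UI bundle, the editor mount element) are assumed stand-ins, and the HTML responses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Probe:
    product: str
    title: str   # substring the served <title> must contain
    marker: str  # a second, product-specific marker that must also be served

# Assumed marker strings: illustrative stand-ins for the real fingerprints,
# not the scanner's actual signatures.
PROBES: Tuple[Probe, ...] = (
    Probe("Infisical", "Infisical", "runtime-ui-config.js"),   # runtime-config asset (assumed name)
    Probe("OpenBao", "OpenBao", "vault-ui"),                  # Vault-lineage UI bundle (assumed name)
    Probe("Node-RED", "Node-RED", 'id="red-ui-editor"'),      # editor mount element (assumed id)
)

_TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

def identify(html: str) -> Optional[str]:
    """Return the product name only when BOTH of its served markers are present.

    Requiring the title AND a second marker keeps a page that merely mentions
    the tool (a blog post titled "Why we moved to Infisical") from being
    reported as an exposed panel. Nothing here logs in or runs anything; it
    only reads what an anonymous GET already returned.
    """
    m = _TITLE_RE.search(html)
    title = m.group(1).strip() if m else ""
    for p in PROBES:
        if p.title in title and p.marker in html:
            return p.product
    return None

def triage(responses: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host label to the confirmed product, or None if no panel was confirmed."""
    return {host: identify(body) for host, body in responses.items()}

# Constructed sample bodies standing in for anonymous responses from three hosts.
PANEL = '<html><head><title>Infisical</title><script src="/runtime-ui-config.js"></script></head></html>'
BLOG = '<html><head><title>Why we moved to Infisical</title></head><body>...</body></html>'
NODE_RED = '<html><head><title>Node-RED</title></head><body><div id="red-ui-editor"></div></body></html>'

if __name__ == "__main__":
    for host, hit in triage({"vault.example": PANEL, "blog.example": BLOG, "iot.example": NODE_RED}).items():
        print(f"{host}: {hit or 'no panel confirmed'}")
```

The blog host matches on title alone and is correctly dropped; the other two satisfy both markers and are reported.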
Find it before someone else does.
Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.