Trello is an awesome producitvity tool that is especially great for real-time and asynchronous collaboration. Trello boards can be set to Public and are then available on the Internet.
A while back, I wrote a Python utility called trello-public-board-lister that used the Trello API to return a list of all of the Public boards owned by a Trello user that I specified. I picked it back up recently and extended the functionality:
- Automated the process via GitLab CI
- Published sample
urlwatchconfigs for monitoring changes
Consider Kushagra Pathak's work on: How I used a simple Google query to mine passwords from dozens of public Trello boards. It ultimately led to this write-up in The Intercept: United Nations accidentally exposed passwords and sensitive information to the whole Internet.
- It's trivially easy to find public Trello boards. It's easy for your team and it's easy for the adversary.
- Trello has increasingly turned toward addressing the enterprise use case.
Be aware of your Trello board footprint before it becomes a problem.
If you are using Trello in your organization, you may wish to have some process that regularly checks to see what public boards are present in your environment and lets you make sure this list only contains the boards that you expect. This post describes an approach to solving this problem and some code you can borrow, modify and implement.
Before you run
trello-public-board-lister, you need to have a list of Trello usernames and a Trello API key and token.
Provide a list of usernames
Put the list of usernames you want to monitor in a file, one-per-line.
Get Trello API key and token
Log in to Trello and then browse to https://trello.com/app-key.
- Record the Key that is shown securely
- Click Token, follow the dialogs and record the Token that is shown securely
trello-public-board-lister manually to make sure everything works as you expect and then automate the process with a CI pipeline. You'll want to run all of these commands in the same terminal session.
git clone email@example.com:brie/trello-public-board-lister.git
I recommend using a Python virtual environment. Instructions on setting up a virtual environment don't belong in this blog post but Corey Schafer has fantastic Python videos on Python.
Change into the cloned directory, create a new virtual environment, activate it and install the required Python packages for
cd trello-public-board-lister python3 -m venv v source v/bin/activate pip install -r requirements.txt
Make the Trello API key and token available
You have two options:
- environment variables
- command line arguments
I recommend using environment variables.
export TRELLO_API_KEY=yourtrelloapikey export TRELLO_API_TOKEN=yourtrelloapitoken
Everything should be all ready. Copy your list of Trello usernames into this directory. Run:
python3 trello-public-board-lister.py --usernames trello-usernames.txt
You should see output like this:
For each username provided, you will have a
.boards file containing a JSON object that includes the URL for each public Trello board for that user. You can use
jq to count the URLs in each file:
$ jq '. | length' taco.boards 8
If everything is looking OK, you can move on to automating and scheduling. Feel free to fork trello-public-board-lister and patch it to work to better meet your needs.
Automate the process with a CI pipeline
Create a project in your GitLab instance for this purpose.
Add Trello API key and token as masked variables in GitLab
We are going to continue using environment variables to tell
trello-public-board-lister.py about our Trello API key and token. When running this program in a GitLab pipeline, we do this by defining masked custom environment variables. For both
- Hover over Settings and then click CI / CD
- Expand Variables
- Click Add Variable
The Key should be:
For the Value, copy in your Trello API key
Uncheck Protect variable
Make super sure that you click Mask variable
When that's all done: click Add variable
It should look something like this:
The environment variables are all set!
Build a pipeline
I have a sample
.gitlab-ci.yml file that you can modify and use to run this pipeline via GitLab:
- .gitlab-ci.yml from
Schedule the pipeline
You can configure a pipeline schedule so that everything runs and checks for public Trello boards at the frequency that is right for you.
Check for changes
Once you have an initial list of boards that are public, you may wish to check for changes in that list. I use
urlwatch, a tool that monitors webpages for you for this purpose.
- add a job to check for changes in list of boards
- Send changes by email via built-in Mailgun reporter
If you played along, you now have a process that checks for public Trello boards from a list of users that you care about. This process runs periodically and alerts you to changes in the list of public Trello boards.