Create runbook for what to do when something sensitive is pushed to a public repository

corrective action for https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/1400

We should have a very clear set of steps to perform when something sensitive (a password, a customer name, PII) is pushed to a public repo. This might involve the following steps:

  • Make the project private
  • If the data was in a merge request, delete the merge request
  • Purge the content from the project's history
  • Create a follow-up issue for password rotation if necessary
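The "purge the content" step is the one most often done incompletely, so the following is an added rehearsal of it (not part of this issue or of any GitLab runbook). It creates a throwaway local repository whose history leaks a constructed credential, rewrites every ref so the string is gone, drops the backup refs and reflog entries that would otherwise keep the old commits alive, and then checks the whole object database rather than just `git log` so that nothing fetchable still carries the value. It assumes only that `git` is installed; the file name `config.env`, the commit contents and the secret value are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original issue: rehearse the "purge the
# content from the project" step on a throwaway local repository and then
# verify that nothing in the object database still contains the leaked string.
# Assumes only that git is installed. The repository layout, the file name
# config.env and the credential value below are constructed for the demo.
set -eu

SECRET="hunter2-CONSTRUCTED"

# Build a scratch repo whose second commit leaks the fake credential.
make_leaky_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "demo@example.invalid"
  git -C "$dir" config user.name "demo"
  echo "app=web" > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -q -m "initial config"
  echo "db_password=$SECRET" >> "$dir/config.env"
  git -C "$dir" commit -q -am "add db settings"
  echo "$dir"
}

# Count blobs in the object store (reachable or not) that contain the secret.
# Walking every object instead of running `git log` also catches leftovers
# that no ref or reflog points to any more but that a fetch could still serve.
leak_count() {
  git -C "$1" cat-file --batch-all-objects --batch-check \
    | awk '$2 == "blob" { print $1 }' \
    | while read -r oid; do git -C "$1" cat-file -p "$oid"; done \
    | grep -c "$SECRET" || true
}

# Rewrite every commit on every ref so the secret reads REDACTED, delete the
# refs/original/* backups and expire the reflog (both keep the old commits
# reachable), then prune the now-unreachable objects. git filter-repo is the
# maintained tool for this job; filter-branch is used here only because it
# ships with git itself.
purge_secret() {
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch -f \
    --tree-filter "if [ -f config.env ]; then sed 's/$SECRET/REDACTED/g' config.env > config.env.tmp && mv config.env.tmp config.env; fi" \
    -- --all >/dev/null 2>&1
  git -C "$1" for-each-ref --format='%(refname)' refs/original/ \
    | while read -r ref; do git -C "$1" update-ref -d "$ref"; done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc --prune=now --quiet
}

# End-to-end rehearsal: prints "clean" when the purge removed every copy,
# "still-leaking" when a copy survived, and "skipped" when git is unavailable.
run_demo() {
  command -v git >/dev/null 2>&1 || { echo "skipped"; return 0; }
  repo=$(make_leaky_repo)
  before=$(leak_count "$repo")
  purge_secret "$repo"
  after=$(leak_count "$repo")
  rm -rf "$repo"
  if [ "$before" -gt 0 ] && [ "$after" -eq 0 ]; then
    echo "clean"
  else
    echo "still-leaking"
  fi
}

echo "purge rehearsal: $(run_demo)"
```

Two points the rehearsal makes that matter for the real runbook. First, the rewrite alone is not enough: until the `refs/original/*` backups and the reflog are gone and `gc --prune=now` has run, the old blob is still in the repository, which is why the check walks every object rather than the branch history. Second, a local rewrite followed by a force push only changes what the pushed refs point to; copies that the server still references on its own (the merge request's refs, forks, CI caches and artifacts) are untouched, which is why deleting the merge request is a separate step and why the credential has to be treated as compromised and rotated regardless of how thorough the purge was.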