Create a SAST analyzer to detect secrets in repositories

Problem to solve

Users may unintentionally commit sensitive information to their repositories. This can include passwords, credentials for cloud providers, or SSH private keys.

If repositories are publicly accessible, or even if they are private but shared within many users, the secrets can be leaked to people that should not have access to those credentials.

Once on the repo, it is too late to block someone to find them. Git commits cannot be deleted. But GitLab can notify users that secrets have been compromised, so at least they can revoke/change/suspend the leaked credentials and mitigate the impact.

Target audience

• Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
• Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
• Devon, DevOps Engineer, https://design.gitlab.com/research/personas#persona-devon
• Sidney, Systems Administrator, https://design.gitlab.com/research/personas#persona-sidney
• Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam

Proposal

Create a new analyzer for the SAST tool to provide secret detection.

This analyzer will be executed every time, to it reports true to compatibility checks with the repository. As part of SAST, it will be part of the sast job definition, and Auto DevOps pipelines.

The vulnerability text should be clear enough to help users in fixing the problem.

The tool should provide scanning for the last version of the repo (or last commit) to save time on big repos.

We can evaluate different existing open source tools:

• https://github.com/zricethezav/gitleaks
• https://github.com/dxa4481/truffleHog
• https://github.com/awslabs/git-secrets/blob/master/README.rst
• https://github.com/michenriksen/gitrob/
• https://github.com/DiabloHorn/yara4pentesters
• https://github.com/UKHomeOffice/repo-security-scanner
• https://github.com/auth0/repo-supervisor

Tasks

• Evaluate the tool
• Implement the new analyzer
• Update test projects to use the new analyzer (https://gitlab.com/gitlab-org/security-products/tests)
• Update QA (https://gitlab.com/gitlab-org/security-products/tests/common#security-products-test-projects)
• Update Docs
  • https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
  • https://gitlab.com/gitlab-org/security-products/sast/blob/master/docs/analyzers.md

What is the type of buyer?

Executive