Skip to content
Snippets Groups Projects
Select Git revision
  • chat_identifier_parsers_claude_3_7-feature-flag
  • master default protected
  • 515946-custom-fields-finder-filters
  • andrey-pass-ruby-version-qa-trigger
  • id-create-integration-on-q-connect
  • qa-knapsack-master-report-update
  • psi-custom-field-token-issues
  • doc/Improve-server-side-backup-and-buckets
  • delete-old-feature-flags-zoekt_increased_concurrency_indexing_task_worker
  • 521392-new-generate-commit-message-prompt
  • 517411-prevent-creating-pipeline-on-workload-branch-creation
  • move-projects-app-to-shared
  • 523029-issuable-sidebar-link-design-tokens
  • sh-fix-workhorse-lint-warnings
  • 523037-rich-text-editor-design-tokens
  • 513176-move-duo-staging-setup-doc-to-common-area
  • mdangelo/support_group_level_work_items_on_current_user_work_items_query
  • 510562-incident-19034-fix-merge-requests-that-were-closed-even-if-they-were-already-merged
  • set-default-auto-stop-setting
  • 396318-empty-string-fix-matrix-job
  • v17.7.6-ee protected
  • v17.8.4-ee protected
  • v17.9.1-ee protected
  • v17.8.3-ee protected
  • v17.7.5-ee protected
  • v17.9.0-ee protected
  • v17.9.0-rc42-ee protected
  • v17.6.5-ee protected
  • v17.7.4-ee protected
  • v17.8.2-ee protected
  • v17.6.4-ee protected
  • v17.7.3-ee protected
  • v17.8.1-ee protected
  • v17.8.0-ee protected
  • v17.7.2-ee protected
  • v17.8.0-rc42-ee protected
  • v17.5.5-ee protected
  • v17.6.3-ee protected
  • v17.7.1-ee protected
  • v17.7.0-ee protected
40 results

.gitleaksignore

  • Nick Malcolm's avatar
    6100ae4f
    Add a prefix to CI Build tokens behind a feature flag · 6100ae4f
    Nick Malcolm authored 
    Prefixes CI Build tokens (a.k.a. CI_JOB_TOKEN) with `glcbt-` following
the guidance at
https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#token-prefixes.

GitLab applies a prefix to some of its generated secrets. For example, a
Personal Access Token begins with `glpat-`. This MR adds a prefix to
Build Tokens. It also updates our frontend secret detection which
helps prevent users from leaking tokens via Issue / MR comments.

Build tokens belong to build jobs and are used to authenticate against
the APIs described at
https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html

Build tokens were already prefixed with a hexadecimal partition ID.
The new static prefix is placed before the existing prefix.

A feature flag is being used to reduce the risk of breaking CI pipelines
and/or third-party integrations, which might have made assumptions about
the format of GitLab's build tokens remaining static. The flag can be
enabled or disabled per namespace.

Resolves #426137

Changelog: changed
    Verified
    6100ae4f
    History
    Add a prefix to CI Build tokens behind a feature flag
    Nick Malcolm authored 
    Prefixes CI Build tokens (a.k.a. CI_JOB_TOKEN) with `glcbt-` following
the guidance at
https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#token-prefixes.

GitLab applies a prefix to some of its generated secrets. For example, a
Personal Access Token begins with `glpat-`. This MR adds a prefix to
Build Tokens. It also updates our frontend secret detection which
helps prevent users from leaking tokens via Issue / MR comments.

Build tokens belong to build jobs and are used to authenticate against
the APIs described at
https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html

Build tokens were already prefixed with a hexadecimal partition ID.
The new static prefix is placed before the existing prefix.

A feature flag is being used to reduce the risk of breaking CI pipelines
and/or third-party integrations, which might have made assumptions about
the format of GitLab's build tokens remaining static. The flag can be
enabled or disabled per namespace.

Resolves #426137

Changelog: changed
Code owners
Assign users and groups as approvers for specific file changes. Learn more.