Our Category:Secret Detection does not currently detect our own Personal Access Tokens and Project Access Tokens. We should update secret detection jobs to find them and potentially revoke them.
Proposal
Add regex for detecting GitLab Personal Access Tokens
@theoretick I'd like to ask about a Zendesk ticket (internal link) where the user (Starter plan) is describing that under 13.4.3, every time they restart their instance, their personal access tokens no longer work and they have to re-generate them. Is this related to the issue in the description?
@rhassanein no, that would not be related, unfortunately. We do not currently handle personal access tokens at all with our security scanning. This is a proposal to consider doing so, but it's not yet implemented.
Lucas Charles changed title from Update Secret Detection scan to find GitLab Access Tokens to Update Secret Detection scan to find GitLab Personal Access Tokens
We are very aware of what GitHub does in this area. We share many of the same goals but with a different implementation as Secret Detection is currently in the CI/CD pipeline. See some of our work in &4639 (closed)
Thank you, @tmccaslin! Very cool. I'm glad this is being included in the default ruleset. Awesome work. I'm a bit confused by the "type of buyer" designation in the description, which seems to indicate Ultimate only.
Lucas Charles changed title from Update Secret Detection scan to find GitLab Personal Access Tokens to Update Secret Detection scan to find GitLab Personal Access Tokens and Project Access Tokens
Lucas Charles changed the description
Note that Project Access Tokens are derived from Personal ATs as well so the instance-level prefix applies globally. That means we can detect both token types now using the same prefix 🎉
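One way to implement the prefix-based detection described in the comment above, as an added example that is not GitLab's own secret-detection rule: it assumes (the issue does not state the value) that prefixed tokens look like `glpat-` followed by 20 characters from `[A-Za-z0-9_-]`, so a single pattern covers Personal and Project Access Tokens, and it scans constructed sample lines, reporting matches in redacted form.

```python
import re
from dataclasses import dataclass

# Assumption (not stated in the issue): tokens issued with the instance-level
# prefix look like "glpat-" followed by 20 characters from [A-Za-z0-9_-].
# Project Access Tokens share the prefix, so one pattern detects both types.
# Lookarounds instead of \b so a token ending in '-' or '_' is still matched.
GITLAB_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])glpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    redacted: str  # token with the random part masked, safe to put in a report


def redact(token: str) -> str:
    """Keep the prefix and the last 4 chars so a human can match it to a token list."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per token-looking value, with 1-based line numbers."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in GITLAB_TOKEN_RE.finditer(line):
            findings.append(Finding(n, redact(m.group(0))))
    return findings


# Constructed sample (no real tokens): a CI variable, a token in a curl call,
# a value that is too short to be a token, and an unrelated secret-looking value.
SAMPLE = """\
PRIVATE_TOKEN=glpat-ABCDEFGHIJKLMNOPQRST
curl --header "PRIVATE-TOKEN: glpat-0123456789abcdefghij" https://gitlab.example/api/v4/projects
bad=glpat-tooshort
other=ghp_notagitlabtoken0000000000000000000
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.redacted}")
```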
#335991 (closed) has been completed and gitlab.com now issues tokens with the proper prefix 🎉 The only remaining work will be setting the default for self-managed #342327 (closed)