Update Secret Detection scan to find GitLab Personal Access Tokens and Project Access Tokens

Problem to solve

Our Category:Secret Detection does not currently detect our own Personal Access Tokens and Project Access Tokens. We should update the secret detection jobs to find them and potentially revoke them.

Proposal

  1. Add regex for detecting GitLab Personal Access Tokens
  2. (Potentially) auto-revoke tokens, see programmatically revoking tokens

Further Details

The format of personal access tokens is not very distinctive, so we must either use lookaround or consider a post-analyze step, similar to https://gitlab.com/gitlab-org/secure/vulnerability-research/awesomesauce/-/issues/11, to verify secrets.
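An added illustration of the lookaround approach (example code, not GitLab's Secret Detection rules): it assumes legacy tokens are 20 characters of [A-Za-z0-9_-] with no prefix, relies on the fact that current tokens carry a glpat- prefix, and runs over constructed log lines.

```python
import re

# Rule 1: current tokens carry a distinctive "glpat-" prefix and can be matched directly.
PREFIXED = re.compile(r"glpat-[A-Za-z0-9_-]{20}")

# Rule 2: legacy tokens are 20 chars with no prefix (assumed format), so the bare
# pattern would flag every 20-char identifier. Lookarounds require GitLab-specific
# context (PRIVATE-TOKEN header or private_token= parameter) without including it
# in the match, and forbid the token running on into a longer string.
CONTEXTUAL = re.compile(
    r"(?:(?<=PRIVATE-TOKEN: )|(?<=private_token=))"  # each lookbehind is fixed-width
    r"[A-Za-z0-9_-]{20}"
    r"(?![A-Za-z0-9_-])",
    re.IGNORECASE,
)

def find_tokens(text):
    """Return (rule, token, line_no) tuples for every candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PREFIXED.finditer(line):
            hits.append(("prefixed", m.group(0), line_no))
        for m in CONTEXTUAL.finditer(line):
            hits.append(("contextual", m.group(0), line_no))
    return hits

def mask(token):
    """Report only a short prefix so the finding itself does not leak the secret."""
    return f"{token[:4]}...({len(token)} chars)"

# Constructed sample, not real credentials. BUILD_ID is 20 chars but has no
# GitLab context, so the contextual rule leaves it alone.
SAMPLE = """\
# constructed CI log excerpt
curl --header "PRIVATE-TOKEN: aBcDeFgHiJkLmNoPqRsT" https://gitlab.example.com/api/v4/projects
GITLAB_TOKEN=glpat-ZyXwVuTsRqPoNmLkJiHg
export BUILD_ID=kQ7mN2pR9sT4vW6xY8zA
curl "https://gitlab.example.com/api/v4/user?private_token=0123456789abcdefghij"
"""

if __name__ == "__main__":
    for rule, token, line_no in find_tokens(SAMPLE):
        print(f"line {line_no}: {rule} token {mask(token)}")
```

A verification step (checking a candidate against the API before raising a finding) would sit after this regex pass; it is not shown here.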

Documentation

Update Category:Secret Detection docs to include GitLab tokens

What is the type of buyer?

All GitLab users leveraging Secret Detection

Links / references

Edited by Lucas Charles