How to handle secrets in API Security reports and assets

Problem

API Fuzzer reports and related assets are not sanitized to remove authentication secrets.

Unless API Fuzzer is restricted to a protected branch, these secrets are already accessible to users with push access.

Type of secrets

The secrets should be limited to credentials that only grant access to an application deployed into a test environment.

Proposal

Mask configured secrets

Make a best effort to mask known secrets when generating the report and related assets.

  • Values in overrides
  • Values in authentication variables (password)
  • Keep the length of the masked value the same
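The masking proposal above, as an added example written for this issue (it is not API Fuzzer code and does not reflect how the analyzer implements it). It assumes the override file and the authentication variables are available as dictionaries, gathers their values as the set of known secrets, and replaces each occurrence in the serialized report with a same-length run of `*`. The minimum secret length, the sample override/report data and the function names are constructed for the illustration.

```python
import json
from typing import Any, Dict, Iterable, Set

MASK_CHAR = "*"
MIN_SECRET_LEN = 4  # assumption: shorter values are skipped so ordinary text is not wiped out


def _leaf_values(obj: Any):
    """Yield every scalar nested inside dicts/lists (override files are nested JSON)."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _leaf_values(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _leaf_values(value)
    else:
        yield obj


def collect_secrets(overrides: Dict[str, Any], auth_vars: Dict[str, str]) -> Set[str]:
    """Gather the configured secrets: every override value plus the
    authentication variables (e.g. the password). Non-string or very short
    values are skipped."""
    candidates = list(_leaf_values(overrides)) + list(auth_vars.values())
    return {v for v in candidates if isinstance(v, str) and len(v) >= MIN_SECRET_LEN}


def secret_variants(secrets: Iterable[str]) -> Set[str]:
    """A secret may appear raw or JSON-escaped inside an embedded request/response
    dump; both spellings are masked. This is still best effort: encoded forms
    (base64, URL-encoding) are not covered."""
    variants = set()
    for s in secrets:
        variants.add(s)
        variants.add(json.dumps(s)[1:-1])  # strip the surrounding quotes
    return variants


def mask_text(text: str, secrets: Iterable[str]) -> str:
    """Replace each occurrence of a secret with a same-length run of MASK_CHAR.
    Longest first, so a secret that is a substring of another does not leave
    part of the longer one exposed."""
    for secret in sorted(set(secrets), key=len, reverse=True):
        text = text.replace(secret, MASK_CHAR * len(secret))
    return text


def mask_report(report: Dict[str, Any], secrets: Iterable[str]) -> Dict[str, Any]:
    """Serialize the report, mask the text and parse it back, so secrets inside
    nested values and embedded dumps are all covered."""
    return json.loads(mask_text(json.dumps(report), secret_variants(secrets)))


# Constructed sample inputs (not real data): an override file, the auth
# variables and a minimal report with one finding.
SAMPLE_OVERRIDES = {
    "headers": {"Authorization": "Bearer tok3n-abc123"},
    "query": {"verbose": "1"},
}
SAMPLE_AUTH_VARS = {"FUZZAPI_PASSWORD": "s3cr3t!pw"}
SAMPLE_REPORT = {
    "vulnerabilities": [{
        "evidence": {
            "request": {
                "headers": [{"name": "Authorization", "value": "Bearer tok3n-abc123"}],
                "body": "user=alice&password=s3cr3t!pw",
            },
            "response": {"body": '{"error":"bad token tok3n-abc123"}'},
        }
    }]
}


def mask_sample_report() -> Dict[str, Any]:
    """Run the masker over the constructed sample."""
    return mask_report(SAMPLE_REPORT, collect_secrets(SAMPLE_OVERRIDES, SAMPLE_AUTH_VARS))


if __name__ == "__main__":
    print(json.dumps(mask_sample_report(), indent=2))
```

Two things the sample makes visible: the header value and the password in the request body are masked with runs of the same length, but the bare token echoed in the response body survives, because the only known value is the whole override string `Bearer tok3n-abc123`. That is the kind of gap "best effort" covers, and it is a reason to keep the secrets scoped to the test environment rather than relying on masking alone.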

Pros:

  • Easy to implement

Cons:

  • Only prevents disclosure through report and job artifacts
    • Non-protected variables exposed
    • Certain error conditions could expose secrets via job logs
  • Cannot see authentication tokens for debugging

/cc @sethgitlab @stkerr

Edited by Seth Berger