Backend: Use secret customizations, mark job log as private, todo for user


Problem to solve

Occasionally, CI users may accidentally print out sensitive information in CI job logs. This might be things like AWS tokens, database passwords, GPG keys, etc.

When these tokens are printed out, there's no way of knowing about it without a manual review of the job log. This is an unlikely thing to do though, because no one is expecting to accidentally print sensitive information. If this occurs and isn't caught, the job log is still in its default state - viewable to whoever it is normally viewable to, even if the group who can view the job log isn't the same as the group who should have access to the secrets that were printed.

Proposal

Many tokens have known patterns. For example, AWS access keys are all-caps alphanumeric and start with either AKIA or ASIA. Slack user tokens start with xoxo-. PGP private keys contain a block with the text BEGIN PGP PRIVATE KEY BLOCK at the start. While not all key / secret types have such easy-to-recognize identifiers (none of the GitLab ones do to my knowledge), some do and they would be easy to detect.

Use secret customizations to select out sensitive information based on the noted formats, mark the job log as private when occurrences are found, and generate a todo for a user to investigate the log file and correct any display of sensitive secrets.
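As an added illustration of the detection step in this proposal (example code written for this page, not GitLab's implementation), the Ruby below scans a constructed job log line by line against a small table of known secret formats, and returns a decision to mark the log private together with redacted todo entries. The pattern table, the `scan_job_log` / `review_job_log` helpers and the sample log are all hypothetical; the Slack pattern matches the `xoxb-` / `xoxp-` style prefixes rather than the prefix quoted above, which is my own assumption about the token format.

```ruby
# frozen_string_literal: true

# Hypothetical detectors for the proposal above (not GitLab code).
# Each regex describes a secret format that is recognizable by its prefix/header.
SECRET_PATTERNS = {
  # AWS access key IDs: 20 chars, all-caps alphanumeric, prefixed AKIA (long-term) or ASIA (temporary)
  aws_access_key_id: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/,
  # Slack tokens: assumed xoxb-/xoxp-/xoxa-/xoxr- prefix followed by dash-separated segments
  slack_token: /\bxox[abpr]-[A-Za-z0-9-]+/,
  # Armored PGP private key export header
  pgp_private_key: /-----BEGIN PGP PRIVATE KEY BLOCK-----/
}.freeze

Finding = Struct.new(:line_number, :kind, :match)

# Scan a whole job log (one string) and return every match with its 1-based line number.
def scan_job_log(log)
  findings = []
  log.each_line.with_index(1) do |line, lineno|
    SECRET_PATTERNS.each do |kind, regex|
      line.scan(regex) { |m| findings << Finding.new(lineno, kind, m) }
    end
  end
  findings
end

# Never echo the full secret into the todo: keep only the first and last four characters.
def redact(match)
  return '[redacted]' if match.length <= 8

  "#{match[0, 4]}#{'*' * (match.length - 8)}#{match[-4, 4]}"
end

# Decision for the backend: mark the log private if anything matched, and describe
# each hit (redacted) so the assigned user knows which lines to inspect.
def review_job_log(log)
  findings = scan_job_log(log)
  {
    mark_private: !findings.empty?,
    todo: findings.map { |f| "line #{f.line_number}: possible #{f.kind} (#{redact(f.match)})" }
  }
end

# Constructed sample job log (the AWS key is the documented AWS example key, not a live credential).
SAMPLE_LOG = <<~LOG
  $ echo "Deploying to production"
  Deploying to production
  $ env | grep AWS
  AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY=[MASKED]
  $ cat notify.cfg
  slack_token=xoxb-0000000000-000000000000-FAKEfakeFAKEfakeFAKE
  $ gpg --export-secret-keys --armor
  -----BEGIN PGP PRIVATE KEY BLOCK-----
  lQOYBF...
  -----END PGP PRIVATE KEY BLOCK-----
LOG

if __FILE__ == $PROGRAM_NAME
  result = review_job_log(SAMPLE_LOG)
  puts "mark private: #{result[:mark_private]}"
  result[:todo].each { |t| puts t }
end
```

The scan is line-oriented so that the todo can point at exact line numbers; a secret that wraps across lines (or is base64-encoded before printing) would not be caught by this table, which is the limitation the proposal itself acknowledges for formats without a fixed prefix.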
