Add to Pipeline Security Tab and Security Dashboard
Problem to solve
Occasionally, CI users may accidentally print out sensitive information in CI job logs. This might be things like AWS tokens, database passwords, GPG keys, etc.
When such a token is printed, there is no way to know about it without a manual review of the job log, and that review is unlikely to happen because no one expects to have printed sensitive information by accident. If the leak is not caught, the job log stays in its default state: viewable by whoever can normally view it, even when the set of people who can view the job log is not the same as the set of people who should have access to the secrets that were printed.
Proposal
Many tokens have known patterns. For example, AWS access key IDs are all-caps alphanumeric and start with either AKIA or ASIA. Slack user tokens start with xoxp-. PGP private keys are ASCII-armored in a block that begins with the line -----BEGIN PGP PRIVATE KEY BLOCK-----. While not all key / secret types have such easy-to-recognize identifiers (none of the GitLab ones do to my knowledge), some do, and those would be easy to detect.
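As an added illustration of the proposal (example code written for this page, not GitLab's own implementation), the following Ruby scanner runs the three patterns mentioned above over job log lines and reports each hit with its line number, secret type and a redacted value. The pattern list, the redaction style, the `Finding` struct and the sample log lines are all assumptions constructed for the example; the AWS key in the sample is the placeholder value used in AWS documentation, not a live credential.

```ruby
# Added example: pattern-based secret detection over CI job log lines.
# Everything here (patterns, redaction, sample log) is constructed for illustration.

SECRET_PATTERNS = {
  # AWS access key IDs: AKIA (long-term) or ASIA (temporary), followed by
  # 16 uppercase alphanumerics. \b stops AKIA inside a longer word from matching.
  aws_access_key_id: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/,
  # Slack tokens: xoxp- (user), xoxb- (bot) and the other xox?- variants,
  # followed by a dash-separated alphanumeric tail.
  slack_token: /\bxox[abprs]-[A-Za-z0-9-]{10,}\b/,
  # PGP private key ASCII armor header; the key material follows on later lines.
  pgp_private_key: /-----BEGIN PGP PRIVATE KEY BLOCK-----/
}.freeze

Finding = Struct.new(:line_no, :type, :redacted)

# Keep only a short prefix so the report itself does not repeat the secret.
def redact(match, keep = 4)
  match[0, keep] + '*' * [match.length - keep, 0].max
end

# Returns one Finding per pattern match, in log order.
def scan_log(lines)
  findings = []
  lines.each_with_index do |line, idx|
    SECRET_PATTERNS.each do |type, re|
      # No capture groups in the patterns, so scan yields the whole match string.
      line.scan(re) { |m| findings << Finding.new(idx + 1, type, redact(m)) }
    end
  end
  findings
end

# Constructed sample job log (not real output from any pipeline).
SAMPLE_LOG = [
  '$ terraform apply',
  'Using AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE for deployment', # AWS docs placeholder key
  'slack: posting with token xoxb-1234567890-ABCDEFGHIJKLMNOPQRSTUV',
  '-----BEGIN PGP PRIVATE KEY BLOCK-----',
  'Job succeeded'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "line #{f.line_no}: #{f.type} #{f.redacted}"
  end
end
```

Two caveats a detector like this has to carry. First, the prefix patterns only catch secrets that have a recognizable prefix; an AWS secret access key is 40 characters with no fixed prefix, so the example above reports the key ID but not the secret that was likely printed next to it, and entropy-based checks would be needed for that. Second, the report must not echo the matched value in full, since a security dashboard is usually readable by more people than the secret should be, which is why the finding carries a redacted prefix only.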
Surfacing these matches in the pipeline security tab and the security dashboard would show users which jobs leaked a secret into their logs and let them act on the finding (rotate the leaked credential and fix the job that printed it), instead of relying on someone happening to read the log.