Automatically revoke GitLab.com PATs discovered by Secret Detection
Proposal
Use existing detection rules for GitLab tokens, and existing post-processing and revocation functionality, to revoke GitLab Personal Access Tokens (and other tokens if possible) whenever they are detected.
Notes:
- Work supporting this epic started before this issue and its epic were created and has taken place in various issues. This issue is meant to track its delivery.
- This issue concentrates on GitLab.com because existing revocation functionality is only available in GitLab.com. For Self-Managed, see #371659 (closed).
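To make the proposed flow concrete, the following is an added example (not code from this issue or from the GitLab codebase) of the detect-then-revoke pipeline described above: scan content for `glpat-`-prefixed tokens, gate revocation behind a per-user feature flag, call a revocation backend for each distinct token, and record failures for tokens the backend cannot act on (the missing-permission-scope case) without aborting the rest of the batch. The `StubRevokeService` class stands in for the `::PersonalAccessTokens::RevokeService` named in the status list and its behaviour is an assumption; the 20-character token body and alphabet in the pattern are likewise assumptions, and every token in the sample input is constructed and fake.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The "glpat-" prefix is what the issue refers to; the 20-character body and
# the allowed alphabet are assumptions of this example.
GLPAT_RE = re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b")

# Constructed sample content with fake tokens; none of these is real.
SAMPLE_LINES = [
    "export GITLAB_TOKEN=glpat-AAAAAAAAAAAAAAAAAAAA",
    "curl -H 'PRIVATE-TOKEN: glpat-BBBBBBBBBBBBBBBBBBBB' https://gitlab.example/api/v4/user",
    "# the first token appears again on another line",
    "token = 'glpat-AAAAAAAAAAAAAAAAAAAA'",
    "password = 'glpat-CCCCCCCCCCCCCCCCCCCC'",
    "not_a_token = 'glpat-short'",
]


class MissingScopeError(Exception):
    """Raised when the backend cannot revoke a token lacking required scopes."""


class StubRevokeService:
    """Hypothetical stand-in for ::PersonalAccessTokens::RevokeService."""

    def __init__(self, active: Iterable[str], missing_scope: Iterable[str]):
        self.active = set(active)            # tokens that exist and can be revoked
        self.missing_scope = set(missing_scope)  # tokens the backend refuses to handle
        self.revoked: List[str] = []         # audit trail of successful revocations

    def revoke(self, token: str) -> bool:
        if token in self.missing_scope:
            raise MissingScopeError(token)
        if token not in self.active:
            return False                     # unknown or already revoked
        self.active.discard(token)
        self.revoked.append(token)
        return True


@dataclass(frozen=True)
class Outcome:
    token: str
    status: str  # one of: "skipped", "revoked", "not_found", "failed"


class TokenRevocationService:
    """Detects glpat- tokens and revokes them when the user's feature flag is on."""

    def __init__(self, backend: StubRevokeService, feature_enabled: Dict[str, bool]):
        self.backend = backend
        self.feature_enabled = feature_enabled  # user -> flag state (assumed user-level)

    @staticmethod
    def detect(lines: Iterable[str]) -> List[str]:
        """Return distinct matching tokens in first-seen order."""
        seen: List[str] = []
        for line in lines:
            for match in GLPAT_RE.finditer(line):
                if match.group(0) not in seen:
                    seen.append(match.group(0))
        return seen

    def process(self, lines: Iterable[str], user: str) -> List[Outcome]:
        tokens = self.detect(lines)
        if not self.feature_enabled.get(user, False):
            # Feature is off by default: report detections, revoke nothing.
            return [Outcome(t, "skipped") for t in tokens]
        results: List[Outcome] = []
        for token in tokens:
            try:
                ok = self.backend.revoke(token)
                results.append(Outcome(token, "revoked" if ok else "not_found"))
            except MissingScopeError:
                # Graceful handling: record the failure and continue with the batch.
                results.append(Outcome(token, "failed"))
        return results


if __name__ == "__main__":
    backend = StubRevokeService(
        active=["glpat-" + "A" * 20, "glpat-" + "C" * 20],
        missing_scope=["glpat-" + "B" * 20],
    )
    service = TokenRevocationService(backend, {"alice": True, "bob": False})
    for outcome in service.process(SAMPLE_LINES, "alice"):
        print(outcome.status, outcome.token[:8] + "...")
```

Running the block as a script prints one line per distinct detected token with its outcome; the short `glpat-short` string is not reported because it does not match the assumed token shape.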
Status
- Handler for revocation of `glpat-` matching tokens enabled with https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/secret-revocation-service/-/merge_requests/11
  - Follow-up to gracefully handle failures for tokens missing permission scopes: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/secret-revocation-service/-/merge_requests/14#note_1078334010
- Add email notification support to alert customers of revoked tokens (#371911 (closed))
- Update `TokenRevocationService` with a user-level (previously project-level) feature flag to trigger `::PersonalAccessTokens::RevokeService` for each revocable GitLab platform token type (currently only `gitlab_personal_access_token`) | !103713 (merged)
- Document the new feature (including that it is off by default) in https://docs.gitlab.com/ee/user/application_security/secret_detection/post_processing.html | !103713 (merged)
- Communicate about the upcoming change. See #371911 (comment 1142293889).
  - Document the circumstances in which revocation happens, and the types of tokens affected, on the Secret Detection post-processing and revocation documentation page
  - Publish a blog post or other customer-facing announcement to reduce the potential for surprises (DRI: @connorgilbert, but contributions are welcome)
  - Publish a release post in the milestone during which the feature is activated
- Alert the field through #field-fyi, relevant leadership, or other mechanisms (DRI: @connorgilbert)
Edited by Connor Gilbert