Show where Personal, Group, and Project Access Tokens are used


Proposal

Creating a Personal Access Token (or a Project Access Token, or a Group Access Token) can lead to security issues depending on how and where the token is used. During Security investigations, or just for auditing purposes, it would be very useful to know where a specific Personal Access Token is being used.

To achieve this, whenever a new CI/CD variable is set, its value can be looked up against the generated tokens. In the GitLab code base this can be done by calling PersonalAccessTokensFinder.new.find_by_token(ci_var.value). If a token is found, a new record could be stored linking the CI/CD variable and the token. This way these locations would be "cached" (provided the relationship table is also updated when CI/CD variables are updated or deleted), and could be rendered easily in the UI or exposed via the API.
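The following is an added Ruby example, not GitLab's own code, that models the lookup-and-link flow described above. It assumes a token store keyed by SHA-256 digests of the raw token (a stand-in for PersonalAccessTokensFinder#find_by_token; the real finder and its storage format are not reproduced here), the default `glpat-` token prefix with a 20-character body, and constructed sample tokens and variables. Beyond the exact-match lookup in the proposal, it also scans a variable's value for embedded tokens, since a token pasted into a clone URL such as `https://oauth2:glpat-...@host/repo.git` would never equal the whole variable value:

```ruby
require 'digest'

# Constructed sample token store (assumption: tokens are kept as SHA-256
# digests of the raw value, never in plaintext). The raw values below are
# made up for this example.
TOKEN_STORE = {
  Digest::SHA256.hexdigest('glpat-AAAA1111bbbb2222cccc') => { id: 1, kind: :personal, name: 'alice-ci' },
  Digest::SHA256.hexdigest('glpat-DDDD3333eeee4444ffff') => { id: 2, kind: :project, name: 'deploy-bot' }
}.freeze

# Default GitLab token prefix; the body length is an assumption for the sample tokens.
TOKEN_PREFIX = 'glpat-'
TOKEN_PATTERN = /#{Regexp.escape(TOKEN_PREFIX)}[A-Za-z0-9_-]{20}/

class TokenUsageLinker
  # links maps [scope, variable_key] => [token_id, ...]
  attr_reader :links

  def initialize(token_store)
    @token_store = token_store
    @links = {}
  end

  # Hypothetical stand-in for PersonalAccessTokensFinder#find_by_token:
  # hash the candidate and look the digest up, so raw tokens are never compared.
  def find_by_token(raw)
    @token_store[Digest::SHA256.hexdigest(raw)]
  end

  # Tokens found either as the whole value or embedded inside it (URLs, headers).
  def tokens_in(value)
    candidates = [value] + value.scan(TOKEN_PATTERN)
    candidates.uniq.filter_map { |c| find_by_token(c) }.uniq
  end

  # Called on CI/CD variable create and update; keeps the link table in sync
  # (an update that removes the token must also remove the stale link).
  def on_create_or_update(scope, key, value)
    found = tokens_in(value)
    if found.empty?
      @links.delete([scope, key])
    else
      @links[[scope, key]] = found.map { |t| t[:id] }
    end
    found
  end

  # Called on CI/CD variable delete.
  def on_delete(scope, key)
    @links.delete([scope, key])
  end

  # What an auditor would ask: where is token N used?
  def usages_of(token_id)
    @links.select { |_, ids| ids.include?(token_id) }.keys
  end
end

if $PROGRAM_NAME == __FILE__
  linker = TokenUsageLinker.new(TOKEN_STORE)
  linker.on_create_or_update('project:7', 'API_TOKEN', 'glpat-AAAA1111bbbb2222cccc')
  linker.on_create_or_update('group:3', 'GIT_URL',
                             'https://oauth2:glpat-DDDD3333eeee4444ffff@gitlab.example.com/g/r.git')
  puts "token 1 used at: #{linker.usages_of(1).inspect}"
  puts "token 2 used at: #{linker.usages_of(2).inspect}"
end
```

Because the store is keyed by digest, the lookup only ever hashes the candidate value; the raw token is not compared or logged. The embedded-token scan is the part worth thinking about in a real implementation: it depends on the instance's configured prefix and token length, and any prefix an instance customises would need to be covered too.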

Note: For GitLab.com, the visibility into token usage will need to be built on top of Enterprise Users.


This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
