Request for Security Tool to Dump Variable Names
What is the GitLab engineering productivity problem to solve?
Administrators need a tool to help manage secrets stored in GitLab.
That list includes Group and Project access tokens, Deploy tokens, Group and Project CI/CD variables, and probably more. All of these can be enumerated through the API with suitable credentials.
What are the potential solutions?
In the event of a breach where GitLab customers need to rotate every secret, finding the secrets and their locations by hand would be slow and error prone, especially under the stress of an incident. This is a request for a tool that reveals the names and locations of all secrets (names ONLY, never values). After the recent breach at CircleCI, they provided such a tool here. Could someone at GitLab port that tool, or create one specifically for GitLab?
Such a tool would promote good security hygiene by making it practical to keep track of the secrets stored in GitLab.
Implementation Guide
CircleCI did this by publishing a Docker image that retrieves the names of the various secrets and keys stored for a project. A similar approach could be taken here.
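As an illustration of what such a tool could look like, here is an added example (not CircleCI's tool and not code from GitLab): it walks the GitLab REST API v4 endpoints for a project or group and records only the `key`/`name` field of each CI/CD variable, access token and deploy token, plus rotation-relevant metadata (masked/protected flags, token scopes, expiry). It assumes the v4 endpoints `/projects/:id/variables`, `/groups/:id/variables`, `/projects/:id/access_tokens`, `/groups/:id/access_tokens`, `/projects/:id/deploy_tokens` and `/groups/:id/deploy_tokens`, authentication via a `PRIVATE-TOKEN` header, and pagination through the `X-Next-Page` response header. The HTTP client is injected as a callable so the inventory logic can be exercised offline against the constructed sample responses embedded below; the `value` field that the variables endpoint returns is deliberately discarded.

```python
"""Inventory the NAMES (never the values) of secrets stored in GitLab.

Added example, not CircleCI's tool and not GitLab-provided code.
Assumed GitLab REST API v4 endpoints (hypothetical wiring, verify against
your instance):  /{projects|groups}/:id/{variables,access_tokens,deploy_tokens}
Auth: PRIVATE-TOKEN header with a token that has the read_api scope.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List

# A fetcher maps an API path (e.g. "/projects/42/variables") to a decoded JSON list.
Fetch = Callable[[str], list]

# Endpoint suffix -> field that carries the secret's NAME.
ENDPOINTS: Dict[str, str] = {
    "variables": "key",
    "access_tokens": "name",
    "deploy_tokens": "name",
}


def make_http_fetch(base_url: str, token: str) -> Fetch:
    """Real fetcher: calls the instance and follows X-Next-Page pagination."""
    def fetch(path: str) -> list:
        items, page = [], 1
        while page:
            url = f"{base_url.rstrip('/')}/api/v4{path}?per_page=100&page={page}"
            req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
            with urllib.request.urlopen(req, timeout=30) as resp:
                items.extend(json.load(resp))
                nxt = resp.headers.get("X-Next-Page") or ""
                page = int(nxt) if nxt.isdigit() else 0
        return items
    return fetch


def inventory(scope: str, scope_id: int, fetch: Fetch) -> List[dict]:
    """Return one row per secret in a project or group ("projects"/"groups").

    Each row has scope, id, kind and name plus rotation metadata; the secret
    value is never copied out of the API response.
    """
    rows: List[dict] = []
    for kind, name_field in ENDPOINTS.items():
        for item in fetch(f"/{scope}/{scope_id}/{kind}"):
            row = {"scope": scope, "id": scope_id, "kind": kind,
                   "name": item.get(name_field)}
            if kind == "variables":
                # Unmasked or unprotected variables are the first rotation candidates.
                row["environment_scope"] = item.get("environment_scope", "*")
                row["masked"] = bool(item.get("masked"))
                row["protected"] = bool(item.get("protected"))
            else:
                # Tokens without an expiry date never rotate on their own.
                row["scopes"] = list(item.get("scopes", []))
                row["expires_at"] = item.get("expires_at")
            rows.append(row)
    return rows


def report_lines(rows: List[dict]) -> List[str]:
    """Render rows as 'projects/42 variables AWS_SECRET_ACCESS_KEY (masked,protected)'."""
    out = []
    for r in rows:
        if r["kind"] == "variables":
            flags = ",".join(f for f in ("masked", "protected") if r[f]) or "plain"
            flags += f",env={r['environment_scope']}"
        else:
            flags = f"scopes={'+'.join(r['scopes'])},expires={r['expires_at'] or 'never'}"
        out.append(f"{r['scope']}/{r['id']} {r['kind']} {r['name']} ({flags})")
    return out


# Constructed sample API responses (not real data) so the logic runs offline.
SAMPLE_API = {
    "/projects/42/variables": [
        {"key": "AWS_SECRET_ACCESS_KEY", "value": "SAMPLE-VALUE", "masked": True,
         "protected": True, "environment_scope": "production"},
        {"key": "NPM_TOKEN", "value": "SAMPLE-VALUE", "masked": False,
         "protected": False, "environment_scope": "*"},
    ],
    "/projects/42/access_tokens": [
        {"name": "ci-bot", "scopes": ["read_api"], "expires_at": "2025-01-01"}],
    "/projects/42/deploy_tokens": [
        {"name": "registry-pull", "scopes": ["read_registry"], "expires_at": None}],
    "/groups/7/variables": [
        {"key": "SLACK_WEBHOOK", "masked": True, "protected": False}],
}


def sample_fetch(path: str) -> list:
    """Offline stand-in for make_http_fetch using the constructed responses."""
    return SAMPLE_API.get(path, [])


if __name__ == "__main__":
    # Live usage: GITLAB_URL=https://gitlab.example GITLAB_TOKEN=... GITLAB_PROJECTS=42,43
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    fetch = make_http_fetch(url, token) if url and token else sample_fetch
    ids = [int(i) for i in os.environ.get("GITLAB_PROJECTS", "42").split(",")]
    for pid in ids:
        print("\n".join(report_lines(inventory("projects", pid, fetch))))
```

Run without environment variables and it prints the inventory of the constructed sample; with `GITLAB_URL` and `GITLAB_TOKEN` set it queries the instance instead. Walking every project and group of an installation would add `/projects` and `/groups` listing on top of this, and the output is suitable for a rotation checklist because it already separates unmasked variables and never-expiring tokens from the rest.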