Allow custom token prefix for all token types
With feat: add token prefix (!20968 - merged), Siemens added a token prefix for PATs that was configurable at instance-level to make it easier to identify instance-specific leaks, for example for use with tools like gitleaks and GitHub's secret scanning programs (https://docs.github.com/en/developers/overview/secret-scanning-partner-program).
It would be great if we were able to prefix all tokens for self-managed instances to distinguish them from GitLab SaaS and other self-hosted instances.
Proposal
Provide a way to customize token prefixes for all tokens, so that specific instance token leaks can be identified.
For example, adding SIE- as a prefix for all kinds of tokens would distinguish the pattern from GitLab.com (this is just a proposal, some of the hardcoded prefixes don't exist atm):
Token/secret | Hardcoded prefix only | Custom self-hosted prefix | Prefix available | Group
---|---|---|---|---
Personal access token | glpat- | SIE-pat | pre-existing setting | ~"group::authentication and authorization"
Pipeline trigger token | glptt- | SIE-ptt- | | ~"group::pipeline execution"
Runner registration token | GR1348941 | SIE-GR1348941 | | ~"group::runner saas"
Runner authentication token | glrt- | SIE-rt- | | ~"group::runner saas"
CI Job token | glci- | SIE-ci- | | ~"group::pipeline execution"
Deploy token | gldt- | SIE-dt- | | ~"group::release"
OAuth token | glot- | SIE-ot- | | ~"group::authentication and authorization"
OAuth app client ID | glcid- | SIE-cid- | | ~"group::authentication and authorization"
OAuth app client secret | glcs- | SIE-cs- | | ~"group::authentication and authorization"
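To illustrate the detection side of the proposal, here is an added example (not part of the issue, and not GitLab or gitleaks code) of how a scanner could use the prefixes from the table above to find leaked tokens in arbitrary text and tell self-hosted tokens apart from GitLab.com-style ones. The SIE-* prefixes are the hypothetical custom prefixes proposed in the table, the token body length of at least 20 URL-safe characters is an assumption, and the sample lines are constructed:

```python
import re
from collections import Counter
from dataclasses import dataclass

# Prefixes taken from the proposal table above. The gl*- / GR1348941 values are
# the prefixes GitLab hardcodes today; the SIE-* values are the hypothetical
# self-hosted custom prefixes the proposal asks for (not an existing setting).
PREFIXES = {
    "personal_access_token": ("glpat-", "SIE-pat"),
    "pipeline_trigger_token": ("glptt-", "SIE-ptt-"),
    "runner_registration_token": ("GR1348941", "SIE-GR1348941"),
    "runner_authentication_token": ("glrt-", "SIE-rt-"),
    "ci_job_token": ("glci-", "SIE-ci-"),
    "deploy_token": ("gldt-", "SIE-dt-"),
    "oauth_token": ("glot-", "SIE-ot-"),
    "oauth_client_id": ("glcid-", "SIE-cid-"),
    "oauth_client_secret": ("glcs-", "SIE-cs-"),
}

# Assumption: the random part of a token is at least 20 URL-safe characters.
# Real lengths differ per token type; tighten this per type in a real scanner.
TOKEN_BODY = r"[A-Za-z0-9_-]{20,}"


@dataclass(frozen=True)
class Finding:
    line: int
    token_type: str
    origin: str    # "gitlab.com/default" or "self-hosted"
    redacted: str  # prefix plus first 4 body characters, remainder masked


def build_patterns(prefixes=PREFIXES):
    """Compile one regex per (token type, prefix variant)."""
    compiled = []
    for token_type, (hardcoded, custom) in prefixes.items():
        for prefix, origin in ((hardcoded, "gitlab.com/default"), (custom, "self-hosted")):
            # The negative lookbehind stops the hardcoded prefix from matching
            # inside the custom one (e.g. "GR1348941" inside "SIE-GR1348941").
            pattern = re.compile(
                r"(?<![A-Za-z0-9_-])(" + re.escape(prefix) + r")(" + TOKEN_BODY + r")"
            )
            compiled.append((token_type, origin, pattern))
    return compiled


def redact(prefix, body):
    """Keep the prefix and a short hint of the body so a finding is triageable without re-leaking it."""
    return f"{prefix}{body[:4]}{'*' * (len(body) - 4)}"


def scan(text, patterns=None):
    """Return all token-looking strings in text, tagged with type and origin."""
    patterns = patterns or build_patterns()
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token_type, origin, pattern in patterns:
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, token_type, origin, redact(m.group(1), m.group(2))))
    return findings


def summarize_by_origin(findings):
    """Count findings per origin: this is the SaaS vs self-hosted split the prefix buys you."""
    return dict(Counter(f.origin for f in findings))


# Constructed sample input; every token below is fake.
SAMPLE = """\
[constructed] config dump: PRIVATE-TOKEN=glpat-EXAMPLE0000000000001
[constructed] curl -H "PRIVATE-TOKEN: SIE-patEXAMPLE0000000000002" https://gitlab.example.com/api/v4/user
[constructed] trigger token in CI log: SIE-ptt-EXAMPLE0000000000003
[constructed] runner registered with GR1348941EXAMPLE0000000000004 and SIE-GR1348941EXAMPLE0000000000005
[constructed] not a token (body too short): glpat-short
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(summarize_by_origin(scan(SAMPLE)))
```

The per-origin summary is the point of the proposal: with a distinct custom prefix, a hit from a self-hosted instance can be routed to that instance's operators instead of being lumped in with GitLab.com findings.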
Intended users
- Ingrid (Infrastructure Operator)
- Sam (Security Analyst)
- probably more :)
/cc @bufferoverflow
/cc @dcouture from #371396 (closed)