Allow custom instance token prefix for all token types
With feat: add token prefix (!20968 - merged), Siemens added a token prefix for PATs that was configurable at instance-level to make it easier to identify instance-specific leaks, for example for use with tools like gitleaks and GitHub's secret scanning programs (https://docs.github.com/en/developers/overview/secret-scanning-partner-program).
It would be great if we were able to prefix all tokens for self-managed instances to distinguish them from GitLab SaaS and other self-hosted instances.
Proposal
Provide a way to customize token prefixes for all tokens, so that specific instance token leaks can be identified.
UPDATE: As agreed in #388379 (comment 2486405365), we will introduce the ability for instances to provide an instance prefix on top of the existing prefix. So `glpat-` becomes `SIE-glpat` if the instance provides an `SIE` instance prefix. All other GitLab instances are not affected.
For example, adding `SIE-` as a prefix for all kinds of tokens would distinguish the pattern from GitLab.com's pattern of `gl`:
Token Type | MR | Team | Respective EMs, PMs and AppSec SC
---|---|---|---
Personal access token | | groupauthentication | Already involved in this issue
Impersonation token | | groupauthentication | Already involved in this issue
Project access token | | groupauthentication | Already involved in this issue
Group access token | | groupauthentication | Already involved in this issue
Feed token | !179852 (merged) | groupauthentication | Already involved in this issue
Path dependent feed token | !192630 (merged) | groupauthentication | Already involved in this issue
OAuth Application Secret | !187852 (merged) | groupauthentication | Already involved in this issue
Deploy token | !186538 (merged) | groupenvironments | @nmezzopera @nagyv-gitlab @ameyadarshan Please see the discussion below for context
Runner authentication token | | grouprunner | @nicolewilliams @DarrenEastman @cmaxim Please see the discussion below for context
CI/CD Job token | | grouppipeline security & groupauthentication | @shampton @jocelynjane @greg Please see the discussion below for context
Trigger token | !195007 (merged) | grouppipeline execution | @carolinesimpson @rutshah Please see the discussion below for context
Incoming mail token | !186799 (merged) | groupauthentication | Already involved in this issue
GitLab agent for Kubernetes token | !203074 (merged) | groupenvironments | @nmezzopera @nagyv-gitlab @ameyadarshan Please see the discussion below for context
GitLab session cookies | #439945 (closed) | groupauthentication | Already involved in this issue
SCIM Tokens | | groupauthentication | Already involved in this issue
Feature Flags Client token | !187059 (merged) | groupenvironments | @nmezzopera @nagyv-gitlab @ameyadarshan Please see the discussion below for context
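To show what the proposal buys a security analyst, here is an added example (not GitLab's code and not part of this issue) of a small secret-scanning helper that looks for `glpat-` tokens in text and attributes a hit to this instance only when it carries the configured instance prefix, `SIE-` in the issue's example. The 20-character token body charset and length, the `BASE_PREFIXES` tuple and the sample log lines are assumptions constructed for the example; any other base prefix from the table above could be appended to `BASE_PREFIXES` once its format is known.

```python
import re

# Base prefix for GitLab personal access tokens, as discussed in the issue.
# Assumption for this example: a token body of 20 characters from [A-Za-z0-9_-].
BASE_PREFIXES = ("glpat-",)
TOKEN_BODY = r"[A-Za-z0-9_-]{20}"


def build_pattern(instance_prefix=None):
    """Compile a regex for base-prefixed tokens, optionally preceded by the
    instance prefix (e.g. "SIE-"). The instance prefix is captured in the
    "instance" group so a hit can be attributed to this instance.
    The lookbehind excludes word characters but allows "-", so a token carrying
    some other instance's prefix is still reported (as "other")."""
    bases = "|".join(re.escape(b) for b in BASE_PREFIXES)
    inst = f"(?P<instance>{re.escape(instance_prefix)})?" if instance_prefix else ""
    return re.compile(
        rf"(?<![A-Za-z0-9_]){inst}(?P<base>{bases})(?P<body>{TOKEN_BODY})(?![A-Za-z0-9_-])"
    )


def scan(lines, instance_prefix=None):
    """Return (line_number, kind, masked_token) for every token-shaped match.
    kind is "instance" when the configured instance prefix is present, else
    "other" (GitLab.com, an unprefixed self-managed instance, or a foreign
    instance prefix). Only the prefix and the last 4 body characters are kept
    so findings can be logged without re-leaking the secret."""
    pattern = build_pattern(instance_prefix)
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in pattern.finditer(line):
            # groupdict() only contains "instance" when a prefix was configured
            inst = match.groupdict().get("instance")
            kind = "instance" if inst else "other"
            masked = (inst or "") + match.group("base") + "****" + match.group("body")[-4:]
            findings.append((number, kind, masked))
    return findings


# Constructed sample lines; the token bodies are made up for this example.
SAMPLE_LINES = [
    "export GITLAB_TOKEN=SIE-glpat-AbCdEfGhIjKlMnOpQrSt",
    "curl -H 'PRIVATE-TOKEN: glpat-zyxwvutsrqponmlkjihg' https://gitlab.com/api/v4/user",
    "token: ACME-glpat-0123456789abcdefghij",
    "nothing sensitive on this line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES, instance_prefix="SIE-"):
        print(finding)
```

Run with the `SIE-` prefix, the first line is reported as an instance token while the GitLab.com-style token and the one with a foreign `ACME-` prefix are reported as "other"; run with no instance prefix configured, all three are indistinguishable, which is the gap the proposal closes.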
Intended users
- Ingrid (Infrastructure Operator)
- Sam (Security Analyst)
- probably more :)
/cc @bufferoverflow
/cc @dcouture from #371396 (closed)