Detect secrets in API Security scans
Release notes
Problem to solve
As a user, I want to know if secrets are being leaked through API responses.
Proposal
The API Security feature category can already crawl the API endpoints of customer applications. While it runs its security checks, it could also inspect the responses it receives for secrets that are accidentally leaked through those interactions.
Specifically, we could use the secrets patterns provided by our secrets detection analyzer. Those patterns are currently configured via https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/gitleaks.toml.
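As an added illustration of the idea above (not code from the analyzer or from API Security), the snippet below applies a few gitleaks-style rules to crawled API responses and reports redacted findings. The rule set, the `glpat-`/`AKIA` patterns and the sample responses are constructed and simplified; a real implementation would load the analyzer's gitleaks.toml instead.

```python
import re
from typing import Dict, List

# Constructed rules mirroring the shape of [[rules]] entries in a gitleaks.toml
# (id, description, regex). Simplified stand-ins, not the analyzer's real rules.
RULES = [
    {"id": "gitlab-pat", "description": "GitLab personal access token",
     "regex": r"glpat-[0-9A-Za-z_-]{20}"},
    {"id": "aws-access-key", "description": "AWS access key ID",
     "regex": r"\bAKIA[0-9A-Z]{16}\b"},
    {"id": "generic-api-key", "description": "Generic api_key assignment",
     "regex": r"(?i)api[_-]?key[\"']?\s*[:=]\s*[\"']?[0-9A-Za-z]{16,}"},
]
COMPILED = [(r["id"], r["description"], re.compile(r["regex"])) for r in RULES]


def redact(secret: str) -> str:
    """Keep only a short prefix so a finding never re-leaks the full value."""
    return secret[:6] + "...****"


def scan_response(endpoint: str, body: str) -> List[Dict[str, str]]:
    """Run every rule over one response body; return redacted findings."""
    findings = []
    for rule_id, desc, pattern in COMPILED:
        for match in pattern.finditer(body):
            findings.append({"endpoint": endpoint, "rule": rule_id,
                             "description": desc, "match": redact(match.group(0))})
    return findings


def scan_crawl(responses: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan the responses collected during a crawl (endpoint -> body)."""
    results = []
    for endpoint, body in responses.items():
        results.extend(scan_response(endpoint, body))
    return results


# Constructed sample crawl results; the token values are obviously fake.
SAMPLE_RESPONSES = {
    "GET /api/v1/users/42": '{"id": 42, "name": "sam", "role": "analyst"}',
    "GET /api/v1/debug/config": '{"ci_token": "glpat-' + "x" * 20 + '", "region": "eu"}',
    "GET /api/v1/integrations": '{"aws": {"access_key_id": "AKIA' + "A" * 16 + '"}}',
}

if __name__ == "__main__":
    for f in scan_crawl(SAMPLE_RESPONSES):
        print(f"{f['endpoint']}: {f['rule']} ({f['description']}) -> {f['match']}")
```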
Intended users
- Cameron (Compliance Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Priyanka (Platform Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Rachel (Release Manager)
- Alex (Security Operations Engineer)
- Allison (Application Ops)
- Ingrid (Infrastructure Operator)
- Dakota (Application Development Director)