Auditing and Notification of Automatic response to leaked secrets for Group and Project Tokens


Problem

Secret Detection includes automated responses / revocation that can mitigate the severity of a given leak.

When Group / Project Tokens are revoked, the action to email / notify the owner won't work, since Group / Project Tokens belong to a Bot User (user_type: project_bot) that has a bounce-back / invalid email address.

The Group / Project Token Automatic Revocation is not referenced under Audit Events / Audit Logs.

The only way to detect such a revocation is to check the Vulnerability Report for leaked secrets.

Proposal

  • To create an entry in Audit Event / Audit Logs for Group / Project Automatic Token Revocation.
  • Alert Owner / Maintainers on Group / Project Token Revocation.
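The following is an added example illustrating the two proposal items, written for this issue and not GitLab's own code. It models the problem described above with constructed data: a project access token held by a `project_bot` user whose email bounces, so an alert routed to the token owner is lost. The example redirects the notification to human Owners / Maintainers of the resource and emits an audit event record for the automatic revocation. The data classes, the `automatic_token_revocation` event name, and the record layout are assumptions; the access-level constants are GitLab's real Owner (50) and Maintainer (40) values.

```python
"""Added example, not GitLab code: audit + notify on automatic token revocation.

Assumed data model (constructed for this example): project / group access tokens
are owned by a bot user (user_type "project_bot") whose email bounces, so alerts
are redirected to the resource's Owners / Maintainers, and every automatic
revocation is written to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

OWNER = 50        # GitLab access level values (real)
MAINTAINER = 40
DEVELOPER = 30


@dataclass
class User:
    id: int
    username: str
    email: str
    user_type: str = "human"   # "project_bot" for access-token bot users (from the issue)


@dataclass
class Member:
    user: User
    access_level: int


@dataclass
class AccessToken:
    id: int
    name: str
    owner: User          # the bot user for project / group tokens
    resource_type: str   # "project", "group" or "user"
    resource_id: int


@dataclass
class Revocation:
    token: AccessToken
    reason: str
    members: list = field(default_factory=list)   # members of the owning resource


def notification_recipients(rev: Revocation) -> list:
    """Owners / Maintainers when the token belongs to a bot user, else the owner."""
    if rev.token.owner.user_type == "project_bot":
        # Bot users have no deliverable mailbox: alert the humans who administer
        # the project / group instead of the bounce-back address.
        return sorted({m.user.email for m in rev.members
                       if m.access_level >= MAINTAINER})
    return [rev.token.owner.email]


def audit_event(rev: Revocation, now: datetime = None) -> dict:
    """Assumed audit-event shape (not GitLab's schema) for an automatic revocation."""
    now = now or datetime.now(timezone.utc)
    return {
        "event_name": "automatic_token_revocation",   # assumed name
        "entity_type": rev.token.resource_type,
        "entity_id": rev.token.resource_id,
        "author_id": rev.token.owner.id,              # bot user that held the token
        "target_type": "access_token",
        "target_id": rev.token.id,
        "target_details": rev.token.name,
        "details": {"reason": rev.reason,
                    "notified": notification_recipients(rev)},
        "created_at": now.isoformat(),
    }


def handle_revocation(rev: Revocation, audit_log: list, outbox: list) -> dict:
    """Record the audit event and queue one alert per human recipient."""
    event = audit_event(rev)
    audit_log.append(event)
    for email in event["details"]["notified"]:
        outbox.append({"to": email,
                       "subject": f"Access token '{rev.token.name}' was automatically revoked",
                       "body": f"Reason: {rev.reason}"})
    return event


def build_sample_revocation() -> Revocation:
    """Constructed sample: project 42 with one Owner, one Maintainer, one Developer."""
    alice = User(1, "alice", "alice@example.com")
    bob = User(2, "bob", "bob@example.com")
    carol = User(3, "carol", "carol@example.com")
    bot = User(99, "project_42_bot", "project_42_bot@noreply.invalid",
               user_type="project_bot")
    token = AccessToken(7, "ci-deploy", bot, "project", 42)
    members = [Member(alice, OWNER), Member(bob, MAINTAINER), Member(carol, DEVELOPER)]
    return Revocation(token, "secret detected in a public repository", members)


if __name__ == "__main__":
    log, mail = [], []
    handle_revocation(build_sample_revocation(), log, mail)
    print(log[0])
    print([m["to"] for m in mail])   # ['alice@example.com', 'bob@example.com']
```

The key design point is in `notification_recipients`: the recipient is derived from the resource's membership, not from the token's owner record, so the bounce-back address of the bot user is never used. The audit event also embeds who was notified, so a reviewer of the audit log can confirm that an alert actually reached a human.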