Logging token_type and token_ids for PAT requests to /api/graphql and for CI_JOB_TOKEN usage
Context
SIRT has identified areas where token_type/token_id is not being logged when tokens are used; logging them would improve visibility. A similar MR has already been implemented to improve logging of PersonalAccessTokens, so this would be an improvement along the same lines.
- Requests to /api/graphql do not appear to log any token_type/token_id when a token has been used.
- There does not appear to be any logging of token_type/token_id when a CI_JOB_TOKEN is used.
User Story
As a Security Operations Engineer using GitLab, during the incident response process I need to be able to understand what actions were taken with a Personal Access Token. Visibility into what actions were taken with a compromised token is critical to the initial investigation, containment, and other phases of incident response. This information may also be very important for team members doing compliance or audit work.
Acceptance Criteria
- When a request is made to /api/graphql endpoints with a Personal Access Token, the logs should reflect the token_id and token_type.
- When a CI_JOB_TOKEN is used, the logs should include the token_id and token_type.
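As an added example (not GitLab's code), a small triage helper that works over constructed api_json.log-style records: it rebuilds a token's action timeline from token_type/token_id and lists authenticated requests that carry neither field, which is the visibility gap the criteria above describe. The record fields other than token_type/token_id (time, method, path, status, meta.user) and the token_type values in the sample are assumptions.

```python
"""Triage helper for GitLab api_json.log-style records keyed by token_type/token_id.

Added example, not GitLab code. Assumes JSON-lines records with the fields
time, method, path, status, meta.user and, when logged, token_type/token_id.
"""
import json
from collections import defaultdict

# Constructed sample records: a REST call carrying token fields, a GraphQL
# call without them (the gap this issue describes), a destructive REST call
# from the same PAT, and a CI job token request. Token type names are assumed.
SAMPLE_LOG = """\
{"time":"2022-01-10T09:00:01Z","method":"GET","path":"/api/v4/projects","status":200,"meta.user":"alice","token_type":"PersonalAccessToken","token_id":42}
{"time":"2022-01-10T09:00:05Z","method":"POST","path":"/api/graphql","status":200,"meta.user":"alice"}
{"time":"2022-01-10T09:00:09Z","method":"DELETE","path":"/api/v4/projects/7/repository/branches/main","status":204,"meta.user":"alice","token_type":"PersonalAccessToken","token_id":42}
{"time":"2022-01-10T09:01:00Z","method":"GET","path":"/api/v4/jobs/123/artifacts","status":200,"meta.user":"project_9_bot","token_type":"CiJobToken","token_id":123}
"""


def parse_log(text):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort triage
    return records


def actions_by_token(records):
    """Group requests by (token_type, token_id) so an investigator can see
    every action a given token performed, in log order.
    Returns {(token_type, token_id): ["<time> <METHOD> <path> <status>", ...]}."""
    timeline = defaultdict(list)
    for r in records:
        if "token_type" in r and "token_id" in r:
            key = (r["token_type"], r["token_id"])
            timeline[key].append(f'{r["time"]} {r["method"]} {r["path"]} {r["status"]}')
    return dict(timeline)


def unattributed_requests(records):
    """Paths of authenticated requests (meta.user set) with no token_type/token_id.
    These cannot be tied to a token during an investigation (e.g. /api/graphql)."""
    return [r["path"] for r in records
            if r.get("meta.user") and not ("token_type" in r and "token_id" in r)]
```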