Identify stale deploy keys


Release notes

Problem to solve

As a security operator, I want to find and revoke unused deploy keys to minimize potential attack surface without disrupting the business.

Proposal

  1. Add a last_used property (timestamp of the key's most recent use) to the list deploy keys API response
  2. Enhance the Deploy keys admin UI to allow filtering by last_used (since or before a given date)
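The following is an added example, not code from this issue or from GitLab: a client-side filter that applies the proposed last_used semantics to the output of GET /deploy_keys. It assumes the new property is named last_used, is an ISO 8601 timestamp, and is null for a key that has never been used; the other fields follow the existing shape of that endpoint. The payload is constructed. The point it adds to the proposal is the never-used edge case: a key created long ago and never used is stale, but a freshly created key that has not been used yet is exactly the key a pipeline is about to depend on, so it is measured from created_at rather than flagged outright.

```ruby
# Added example (not GitLab code). Filters deploy keys by the proposed `last_used`
# property; the JSON below is a constructed sample in the shape of GET /deploy_keys.
require 'json'
require 'time'

SAMPLE_DEPLOY_KEYS_JSON = <<~JSON
[
  {"id": 1, "title": "ci-deploy-prod", "created_at": "2023-01-10T09:00:00Z",
   "last_used": "2024-05-30T12:00:00Z",
   "projects_with_write_access": [{"id": 11, "path_with_namespace": "group/app"}]},
  {"id": 2, "title": "legacy-mirror", "created_at": "2021-03-02T08:15:00Z",
   "last_used": "2022-11-01T06:30:00Z", "projects_with_write_access": []},
  {"id": 3, "title": "never-used-key", "created_at": "2022-06-15T10:00:00Z",
   "last_used": null, "projects_with_write_access": []},
  {"id": 4, "title": "fresh-key", "created_at": "2024-05-20T10:00:00Z",
   "last_used": null,
   "projects_with_write_access": [{"id": 12, "path_with_namespace": "group/infra"}]}
]
JSON

# Parse the API payload into plain hashes; `last_used` becomes a Time or nil.
def parse_deploy_keys(json)
  JSON.parse(json).map do |k|
    {
      id: k['id'],
      title: k['title'],
      created_at: Time.iso8601(k['created_at']),
      last_used: k['last_used'] && Time.iso8601(k['last_used']),
      write_projects: k.fetch('projects_with_write_access', []).map { |p| p['path_with_namespace'] },
    }
  end
end

# A key is stale when its last recorded use is before `cutoff`.
# A never-used key has no last_used, so its creation time is the reference:
# old and never used is stale, recently created and not yet used is not.
def stale_deploy_keys(keys, cutoff:)
  keys.select do |k|
    reference = k[:last_used] || k[:created_at]
    reference < cutoff
  end
end

# One line per stale key; write-access keys are called out because revoking them
# removes the higher-risk capability.
def report(stale)
  stale.map do |k|
    scope = k[:write_projects].empty? ? 'read-only' : "write: #{k[:write_projects].join(',')}"
    last = k[:last_used] ? k[:last_used].utc.iso8601 : 'never'
    "Deploy key #{k[:id]} (#{k[:title]}) last used #{last} [#{scope}]"
  end
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 6, 1)
  keys = parse_deploy_keys(SAMPLE_DEPLOY_KEYS_JSON)
  puts report(stale_deploy_keys(keys, cutoff: now - 90 * 86_400))
end
```

With a 90-day cutoff measured from 2024-06-01, keys 2 and 3 are reported and keys 1 and 4 are kept; the same select could be driven by the proposed UI filter (last_used before the cutoff date) once the property exists.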

Existing workaround

The following Rails console script is documented. It does not report unused keys; it lists every deploy key that has been granted write access but cannot actually push (for example because the default branch is protected or the owning user is blocked), together with the state of the user who owns it:

ghost_user_id = Users::Internal.ghost.id

# Walk every deploy key that was granted write access to a project.
DeployKeysProject.with_write_access.find_each do |deploy_key_mapping|
  project = deploy_key_mapping.project
  deploy_key = deploy_key_mapping.deploy_key
  user = deploy_key.user

  access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project)

  # can_push_for_ref? tests if deploy_key can push to default branch, which is likely to be protected
  can_push = access_checker.can_do_action?(:push_code)
  can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref)

  # Keys whose write access works end to end are skipped; only the ineffective ones are printed.
  next if access_checker.allowed? && can_push && can_push_to_default

  # A deploy key with no owner, or owned by the ghost user, has no user state to report.
  if user.nil? || user.id == ghost_user_id
    username = 'none'
    user_state = '-'
  else
    username = user.username
    user_state = user.state
  end

  puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') +
       ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') +
       ", User: #{username}, User state: #{user_state}"
end

Intended users

Feature Usage Metrics

  • MAU of requests to the API endpoint / UI filter
  • number of deploy keys revoked / month

Does this feature require an audit event?

No
