18.3 Planning Issue - Secret Detection
🔒 Secure, Secret Detection - Milestone Planning
This is a planning issue for Category:Secret Detection, which is maintained by group::secret detection.
See the group handbook page for more about this issue and how it fits into group workflows.
Milestone Key Dates
- Start Date: 2025-06-14
- Code Freeze: 2025-07-11
- Release Date: 2025-07-17
Narrative
Enable Secret Push Protection on all Public Projects
In %18.3 we will start the rollout tracked in "Roll out dark launch of SPP for public projects" (#551761) and observe the number of pushes blocked in a project, group, and namespace during the dark launch phase.
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &17502 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
Validity Checks for Secret Detection
We'll begin the FE work for the refresh button. We want development efforts to be code complete in %18.3 for Beta. We'll continue GA work, which includes setting up the SDRS authentication flows as well as beginning FE work on the filtering capabilities.
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &13988 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
Enable SPP for all GitLab-owned projects
In %18.3 we will enable SPP for high-traffic projects. At the end of the milestone, secret push protection will be enabled for all GitLab-owned projects!
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &16361 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
Refactor and clean up Secret Push Protection logic
In %18.3 we plan to wrap up any remaining work related to this initiative. We had identified a new RPC improvement that could increase performance and address some timeout issues seen when a large number of diffs are collected for scanning.
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &16376 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
Generic secret detection
In %18.3 we need to do some discovery work to validate our approach to adding support for generic secret detection.
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &17503 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
Transition Secret Revocation Service to AST::SD
We've finished [...]
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &18159 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
Unified Secret Detection scan engine
We finished Phase 1 in %18.3. We'll build out the CLI and get this reviewed in %18.3.
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &17911 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
Secret Detection Rule Development
Audit existing capabilities against our Phase 1 plan. Then begin implementing rule checks as CI jobs.
---
display: table
fields: title, healthStatus, labels("type::feature", "type::maintenance", "type::bug", "type::ignore") as "Type", assignees, labels("workflow::*") as "Workflow", labels("Deliverable", "Spike", "Stretch") as "Other info", state
---
label = "group::secret detection" and project = "gitlab-org/gitlab" and epic = &16616 and milestone = "18.3" and label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND label != "workflow::design" AND assignee!="abellucci" AND assignee != "phillipwells"
❓ Unplanned work
🐛 Bugs
---
display: table
fields: title, assignee, milestone, labels("priority::*"), labels("severity::*"), labels("workflow::*"), labels("Deliverable"), state, milestone
---
label = "group::secret detection" AND label = "type::bug" AND milestone = "18.3" AND assignee!="abellucci" AND assignee != "phillipwells" AND label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation" AND project = "gitlab-org/gitlab"
🚧 Maintenance
---
display: table
fields: title, assignee, labels("workflow::*"), labels("Deliverable"), state, milestone
---
label = "group::secret detection" AND label = "type::maintenance" AND milestone = "18.3" AND assignee!="abellucci" AND assignee != "phillipwells" AND label != "workflow::planning breakdown" AND label != "workflow::refinement" AND label != "workflow::problem validation"
Looking forward
This section lists items that are in earlier stages of planning. Refining them is an important part of this milestone because it sets us up to work on them in the following milestones. Primary areas of responsibility are listed, but everyone can contribute!
This is almost certainly more than we can take on. Items that are marked as Deliverable are expected to be workflow::ready for development by the end of the milestone.
---
display: table
fields: title, assignee, labels("workflow::*"), labels("type::*"), labels("Deliverable"), state, milestone
---
label = "group::secret detection" AND label in ("workflow::planning breakdown","workflow::refinement","workflow::problem validation") AND milestone = "18.3" AND assignee!="abellucci"
Please suggest others or add them directly.
Product
This section includes other Product and UX context that may not fit into the Looking forward section above.
Product Manager: @abellucci
---
display: table
fields: title, assignee, state, milestone
---
label = "group::secret detection" AND label != "Planning Issue" AND milestone = "18.3" AND assignee = "abellucci"
UX
---
display: table
fields: title, assignee, state, milestone
---
label = "group::secret detection" AND label != "Planning Issue" AND milestone = "18.3" AND label = "workflow::design"
Documentation
This section includes group inputs and the plan for Technical Writing in the milestone.
Technical Writing stable counterpart: @phillipwells
---
display: table
fields: title, assignee, state, milestone
---
label = "group::secret detection" AND milestone = "18.3" AND assignee = "phillipwells"