Enforce prefixing for new tokens with a rubocop
What does this MR do and why?
Create a rubocop to enforce prefixing authentication tokens
In https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#token-prefixes we mandate that tokens are prefixed, so that they can be detected by secret detection if leaked. Now that many of our tokens have prefixes, we should enforce this for new additions.
Proactively including a prefix increases efficiency: developers don't need to go back and add a prefix later, there are no worries about needing to rotate existing tokens later, no need for a feature-flagged rollout, etc.
The rubocop has been disabled for existing violations with either a wontfix comment or a TODO comment with an issue URL. The rationale for these decisions is at #439007 (comment 1740969806)
Follows the guidance at https://docs.gitlab.com/ee/development/rubocop_development_guide.html
Resolves Enforce prefixing for new tokens (#439007 - closed)
- Create the cop & specs
- Go through existing violations, add them to https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/482+ if needed, and disable the rubocop for them
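The check the cop performs can be shown without the RuboCop framework. The following is an added example, not the cop from this MR or any GitLab code: it parses a class body with Ruby's built-in `RubyVM::AbstractSyntaxTree`, finds every receiver-less `add_authentication_token_field` declaration, and reports the ones whose keyword arguments lack a prefix option. The option name `format_with_prefix:` and the sample class body are assumptions made for the example; the real cop's matching logic may differ.

```ruby
# frozen_string_literal: true

# Constructed sample class body (not real GitLab code): the first field
# declares a prefix option, the second does not.
SAMPLE_SOURCE = <<~RUBY
  class Project < ApplicationRecord
    add_authentication_token_field :runners_token,
      encrypted: :required,
      format_with_prefix: :runners_token_prefix

    add_authentication_token_field :legacy_token, encrypted: :required
  end
RUBY

# Declaration method and the keyword that marks a prefixed token.
# PREFIX_OPTION is an assumed name for this example.
TOKEN_DECLARATION = :add_authentication_token_field
PREFIX_OPTION     = :format_with_prefix

AstNode = RubyVM::AbstractSyntaxTree::Node

# Depth-first walk over every AST node (non-node children are skipped).
def each_node(node, &block)
  return unless node.is_a?(AstNode)

  yield node
  node.children.each { |child| each_node(child, &block) }
end

# Symbol literal value of a node, if it is one. Ruby < 3.4 uses :LIT for
# symbol literals, Ruby >= 3.4 uses :SYM; both carry the symbol as the
# first child.
def symbol_value(node)
  return nil unless node.is_a?(AstNode) && %i[LIT SYM].include?(node.type)

  value = node.children.first
  value.is_a?(Symbol) ? value : nil
end

# Keyword argument names passed to a receiver-less call (:FCALL) node.
# The call's args are a :LIST; keyword args arrive as a trailing :HASH
# whose :LIST child alternates key, value, key, value, ... and ends in nil.
def keyword_args(call_node)
  args = call_node.children[1]
  return [] unless args.is_a?(AstNode) && args.type == :LIST

  hash = args.children.compact.find { |n| n.is_a?(AstNode) && n.type == :HASH }
  return [] unless hash

  pairs = hash.children.first.children.compact
  pairs.each_slice(2).filter_map { |key, _value| symbol_value(key) }
end

# Returns one offense per token field declared without PREFIX_OPTION:
# [{ field: :name, line: <first line of the declaration> }, ...]
def token_fields_without_prefix(source)
  offenses = []
  each_node(RubyVM::AbstractSyntaxTree.parse(source)) do |node|
    next unless node.type == :FCALL && node.children.first == TOKEN_DECLARATION
    next if keyword_args(node).include?(PREFIX_OPTION)

    field = symbol_value(node.children[1]&.children&.first)
    offenses << { field: field, line: node.first_lineno }
  end
  offenses
end

if __FILE__ == $PROGRAM_NAME
  token_fields_without_prefix(SAMPLE_SOURCE).each do |offense|
    puts "line #{offense[:line]}: #{offense[:field]} is declared without #{PREFIX_OPTION}:"
  end
end
```

On the sample above this reports only `legacy_token` on line 6; a declaration that passes the prefix option is left alone. A real cop would build on `RuboCop::Cop::Base` and use its node-pattern matchers, but the decision it makes is the same: a token declaration without a prefix option is an offense.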
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
Related to #439007 (closed)