Add Runner Auth Token and Runner Auth Routable Token to validity checks

What does this MR do and why?

This MR updates the Secret Detection Validity Checks feature to also determine the status of Runner Auth Tokens and Runner Auth Routable Tokens when they are detected by the Secret Detection Analyzer.

Note: while this MR includes Runner Auth Routable Tokens, these cannot be tested until "Add new rule for GitLab routable auth runner to..." (gitlab-org/security-products/secret-detection/secret-detection-rules!97, merged) has been released to the Secret Detection Analyzer. Runner Auth Routable Tokens were added to the Secrets Analyzer in https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/releases/v7.7.0

Database Query

This MR adds a new query to find Runners by their encrypted token value.

An example query in raw SQL, including 10 fake tokens that have been encrypted, would be:

SELECT
    "ci_runners".*
FROM
    "ci_runners"
WHERE
    "ci_runners"."token_encrypted" IN (
        '|OmgUm3tlvxFMtEyYNAvBA0C2vK8exrVReDHUHTmD8FhzZ9YRRaAPeUE=946babb03683',
        '|EHXuMv27XgGLWzikkcNnGnpn0+cJOVece0aC/4ZsIzq0X9NuNSREC/k=7f9b226fba68',
        '|MTaLaddA7O40R1U3yrw/Bg00tIoAtcHiA6ub14JRl97oNG0wSvXQrVw=cf4d9bd4965d',
        '|K2TpKeFOx9Zod+kPgUplMu1O/TF/+inPab9rwMSjvsUVWjc6xJutlUE=18d401d44231',
        '|QvjsfVJ3trbDnUToF/b9JDwjKlh0COSV0hlQazGDr5ioixm7i8K3bk0=7e4083664d18',
        '|dR+7fBylo0N1+krFzKlYKRUS6mAe3NgIFxVHgtaFKzxRrD45bD8/EHU=7d9fc99700e0',
        '|oFzcVU47sVtK6XgyFuSlsM9TG/mbRURPS/wFVvU3AUxOBB8wNBRo9cU=e803c9b7646d',
        '|4fR39ojeRLOTmlYV1+nxoyrlMO7TykgIRiOvXNbmbmBZ08CVvdm1MfE=6fc2fcc24c28',
        '|EpIxM+M4cRBuFnFk3IuO2dKPNkTn0a3VOVWwnVSNX+e/LYvDvuxSMsY=51b483ba2503',
        '|d4D9OIh76204HG2uiyZPFEEdwl4F9E9c0VwQJ9fn1rbMNqOmywWXlTw=089dff5cb0f0'
    )

This query can include up to 100 tokens within the IN clause.

The postgres.ai explain plan returns 0 rows, since it is hard to obtain a list of real Runner tokens in production.
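The lookup above only works because the token encryption is deterministic: the same plaintext must always produce the same token_encrypted value, otherwise an IN clause could never match. The following is an added illustration, not code from this MR or from GitLab itself. It assumes the "|" + base64(ciphertext) + 12-hex-character nonce layout visible in the sample values, uses a constructed key, and shows detected tokens being encrypted, grouped into IN clauses of at most 100 values, and matched against runner rows.

```ruby
require 'openssl'
require 'digest'

# Hypothetical stand-in for the deterministic token encryption (constructed key, not a real one).
# The nonce is derived from the plaintext, so equal plaintexts yield equal ciphertexts.
KEY = Digest::SHA256.digest('constructed-example-key-do-not-reuse')
NONCE_SIZE = 12  # 12 hex chars = 12-byte IV, appended to the value as in the sample tokens
BATCH_SIZE = 100 # maximum number of tokens per IN clause, per the MR description

def encrypt_token(plaintext)
  nonce = Digest::SHA256.hexdigest(plaintext)[0, NONCE_SIZE]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = KEY
  cipher.iv = nonce
  ciphertext = cipher.update(plaintext) + cipher.final + cipher.auth_tag
  "|#{[ciphertext].pack('m0')}#{nonce}" # pack('m0') is strict base64 without a gem
end

# Build one parameterised query per batch of up to BATCH_SIZE encrypted values.
# Returns [[sql, bind_values], ...] so the caller never interpolates token strings.
def batched_queries(encrypted_tokens)
  encrypted_tokens.each_slice(BATCH_SIZE).map do |batch|
    placeholders = (['?'] * batch.size).join(', ')
    sql = %(SELECT "ci_runners".* FROM "ci_runners" WHERE "ci_runners"."token_encrypted" IN (#{placeholders}))
    [sql, batch]
  end
end

# Constructed in-memory stand-in for the ci_runners table (two fake runners).
RUNNERS = [
  { id: 1, token_encrypted: encrypt_token('glrt-constructedRunnerTokenA') },
  { id: 2, token_encrypted: encrypt_token('glrt-constructedRunnerTokenB') }
].freeze

# For each detected plaintext token, report whether a runner row carries its encrypted value.
def runner_status(detected_tokens, rows = RUNNERS)
  known = rows.to_h { |r| [r[:token_encrypted], r[:id]] }
  detected_tokens.to_h do |token|
    [token, known.key?(encrypt_token(token)) ? :found : :not_found]
  end
end

if __FILE__ == $PROGRAM_NAME
  p runner_status(['glrt-constructedRunnerTokenA', 'glrt-00000000000000000000'])
  p batched_queries(Array.new(250) { |i| encrypt_token("glrt-constructed#{i}") }).map { |_, b| b.size }
end
```

A nondeterministic scheme (random IV per write) would break this query entirely, which is why the validity check can only be performed against fields encrypted this way.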

References

Add Secret Detection token status to all other ... (#534788 - closed)

How to set up and validate locally

  1. In the Rails console, enable the feature flag:
     Feature.enable(:validity_checks)
  2. Create a project.
  3. Enable Pipeline Secret Detection by creating a .gitlab-ci.yml file containing:
     include:
       - template: Jobs/Secret-Detection.gitlab-ci.yml
  4. Create a README.md and add a test runner auth token: glrt-00000000000000000000
  5. Commit and allow the pipeline to run.
  6. Navigate to Secure -> Vulnerability Report.
  7. Select the Runner Auth token vulnerability.
  8. The vulnerability finding will show the Validity check status as Possibly active secret.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
