
Add gitlab_oauth_app_secret to validity checks

What does this MR do and why?

Add the gitlab_oauth_app_secret to validity checks

This MR enhances the Secret Detection Validity Checks feature so that gitlab_oauth_access_token secrets are now assigned a status when detected by a Secret Detection scan.

Changelog: added
MR: !197089
EE: true

Database query

This MR adds the scope with_token_digests to OauthApplication, a wrapper around ::Doorkeeper::Application.

The query this scope produces is https://console.postgres.ai/gitlab/gitlab-production-main/sessions/41782/commands/128228
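The point of a with_token_digests style scope is that the validity check never has to compare plaintext: the scanner hashes each detected secret and the database is asked for applications whose stored digest matches. The following is an added illustration of that lookup pattern and is not code from this MR or from GitLab; FakeOauthApplicationStore, digest_for and assign_statuses are hypothetical names, the in-memory store stands in for the OauthApplication table, and SHA-256 is assumed as the digest function (the real stored-digest format is outside this page).

```ruby
require 'digest'
require 'set'

# Hypothetical in-memory stand-in for the OauthApplication table (assumption:
# not GitLab's model). It models only what the with_token_digests scope needs:
# rows that hold a digest of the application secret, never the secret itself.
class FakeOauthApplicationStore
  def initialize
    @rows = [] # each row: { id:, name:, secret_digest: }
  end

  # Persist a new application, storing only the SHA-256 digest of its secret.
  def create(name, plaintext_secret)
    @rows << { id: @rows.size + 1, name: name,
               secret_digest: Digest::SHA256.hexdigest(plaintext_secret) }
    @rows.last[:id]
  end

  # Mirrors a `with_token_digests(digests)` scope: one batched query that
  # returns the rows whose digest appears in the supplied list.
  def with_token_digests(digests)
    wanted = digests.to_set
    @rows.select { |row| wanted.include?(row[:secret_digest]) }
  end
end

# Prefix of gitlab_oauth_app_secret values, as shown in the MR's test steps.
SECRET_PREFIX = 'gloas-'

def digest_for(raw_secret)
  Digest::SHA256.hexdigest(raw_secret)
end

# Assign a validity status to every finding of the gitlab_oauth_app_secret
# rule using a single digest lookup. Findings for other rules are ignored.
# Returns a Hash of raw finding => "active" / "inactive".
def assign_statuses(findings, store)
  candidates = findings.select { |f| f.start_with?(SECRET_PREFIX) }
  digests = candidates.map { |f| digest_for(f) }
  live = store.with_token_digests(digests).map { |row| row[:secret_digest] }.to_set
  candidates.to_h { |f| [f, live.include?(digest_for(f)) ? 'active' : 'inactive'] }
end

# Constructed sample values (not real secrets): one that exists in the store,
# one that does not, and one finding from an unrelated rule.
SAMPLE_LIVE_SECRET    = SECRET_PREFIX + 'a' * 40
SAMPLE_UNKNOWN_SECRET = SECRET_PREFIX + 'b' * 40
SAMPLE_OTHER_FINDING  = 'glpat-not-an-oauth-secret'

def demo
  store = FakeOauthApplicationStore.new
  store.create('ci-bot', SAMPLE_LIVE_SECRET)
  assign_statuses([SAMPLE_LIVE_SECRET, SAMPLE_UNKNOWN_SECRET, SAMPLE_OTHER_FINDING], store)
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the constructed live secret as "active" and the unknown one as "inactive"; the glpat- finding is left for its own rule's check. Because only digests cross the boundary between scanner and database, the query plan linked above is an index lookup on the digest column rather than a scan that would need plaintext secrets in memory.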

References

Closes: Support gitlab_oauth_app_secret in validity checks (#553328)

Screenshots or screen recordings


How to set up and validate locally

Step 1: Create a Test Project

Create a new test project in your GDK.

Step 2: Enable Feature Flag and Validity Checks

Open the Rails console:

gdk rails console

Enable the feature flag:

Feature.enable(:validity_checks)

Find your test project and enable validity checks:

# Find your project (replace with actual project ID)
project = Project.find(your_project_id)

# Enable validity checks
project.security_setting.update(validity_checks_enabled: true)

Step 3: Get an active OAuth token

  1. Navigate to Admin Area:
  • Sign in to your GDK instance
  • Go to Admin Area → Applications
  2. Create New Application:
  • Click "New Application"
  • Fill out the form:
    • Name: Enter a descriptive name for your application
    • Redirect URI: http://gdk.test:3000/callback (or your preferred callback URL)
    • Scopes: Select required scopes (e.g., api, read_user, read_repository)
    • Confidential: Check this for server-side applications
  3. Save and Record Credentials:
  • Click "Save application"
  • Copy the Secret to use later

Step 4: Configure Secret Detection

In your test project, create or update .gitlab-ci.yml:

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

Step 5: Add Tokens to Repository

Create a README.md file in your project and add the token values you saved earlier:

# Test Project

This project contains test tokens for validity checks:

- gloas-[your-token-value]

Commit and push the changes to trigger the pipeline.

Step 6: Verify Results

  1. Wait for the pipeline to complete
  2. Navigate to Security & Compliance → Vulnerability Report in your project
  3. Verify that the token appears in the vulnerability report
  4. Expected Result: The status of each token will show as "active".

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Craig Smith
