Automatically revoke GitLab.com PATs discovered by Secret Detection
### Proposal

Use existing detection rules for GitLab tokens, and existing [post-processing and revocation functionality](https://docs.gitlab.com/ee/user/application_security/secret_detection/post_processing.html), to revoke GitLab Personal Access Tokens (and other tokens if possible) whenever they are detected.

Notes:

1. Work supporting this epic started before this issue and its epic were created and has taken place in various issues. This issue is meant to track its delivery.
2. This issue concentrates on GitLab.com because the existing revocation functionality is only available on GitLab.com. For Self-Managed, see https://gitlab.com/gitlab-org/gitlab/-/issues/371659.

#### Status

- [x] ~~Handler for revocation of `glpat-` matching tokens enabled with https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/secret-revocation-service/-/merge_requests/11~~
- [x] Follow-up to gracefully handle failures for tokens missing permission scopes: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/secret-revocation-service/-/merge_requests/14#note_1078334010
- [x] Add email notification support to alert customers of revoked tokens (https://gitlab.com/gitlab-org/gitlab/-/issues/371911)
- [x] Update [`TokenRevocationService`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/security/token_revocation_service.rb) with a ~~project-level~~ user-level ~"feature flag" to trigger `::PersonalAccessTokens::RevokeService` for each revocable GitLab platform token type (currently only `gitlab_personal_access_token`) | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/103713
- [x] Document the new feature (including that it is off by default) in https://docs.gitlab.com/ee/user/application_security/secret_detection/post_processing.html | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/103713
- [x] Communicate about the upcoming change. See https://gitlab.com/gitlab-org/gitlab/-/issues/371911#note_1142293889.
- [x] Document the circumstances in which revocation happens, and the types of tokens affected, on the [Secret Detection post-processing and revocation documentation page](https://docs.gitlab.com/ee/user/application_security/secret_detection/post_processing.html)
- [x] Publish a blog post or other customer-facing announcement to reduce potential for surprises (DRI: @connorgilbert, but contributions are welcome)
- [x] Publish a release post in the milestone during which the feature is activated
- [x] Alert the field through #field-fyi, relevant leadership, or other mechanisms (DRI: @connorgilbert)
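The flow this issue tracks is: Secret Detection matches a `glpat-` token in a diff, post-processing hands the finding to a revocation step, and that step revokes the PAT only when the user-level feature flag is on, handling a token with no permission scopes gracefully instead of failing. The following Ruby is an added illustration of that flow, not code from GitLab, `TokenRevocationService`, or the secret-revocation-service project. The PAT regex, the `{type:, token:, location:}` finding shape, the in-memory `TokenStore`, the lambda standing in for the feature flag, and every sample token are assumptions constructed for this example.

```ruby
require 'json'

# Assumed pattern for a GitLab PAT: "glpat-" plus 20 URL-safe base64 characters.
# Illustrative only; not GitLab's actual Secret Detection rule.
GITLAB_PAT_REGEX = /\bglpat-[A-Za-z0-9_-]{20}\b/

# Scan text (here a constructed diff) and build one finding per unique token.
# The {type:, token:, location:} shape is an assumption for this example.
def detect_gitlab_pats(text, location:)
  text.scan(GITLAB_PAT_REGEX).uniq.map do |token|
    { type: 'gitlab_personal_access_token', token: token, location: location }
  end
end

# Never echo a full token into logs or notifications: keep prefix and last four.
def mask_token(token)
  "#{token[0, 6]}...#{token[-4, 4]}"
end

# Stand-in for the token database: token value => { user:, scopes:, revoked: }.
class TokenStore
  def initialize(records)
    @records = records
  end

  def find(token)
    @records[token]
  end
end

# Simulated revocation step. flag_enabled_for is a lambda standing in for the
# user-level feature flag; real GitLab flags are checked differently.
class RevocationHandler
  def initialize(store, flag_enabled_for:)
    @store = store
    @flag_enabled_for = flag_enabled_for
  end

  def revoke_all(findings)
    findings.map { |finding| revoke_one(finding) }
  end

  # Every outcome is returned as data so one bad token cannot abort the batch.
  def revoke_one(finding)
    masked = mask_token(finding[:token])
    return { token: masked, status: :unsupported_type } unless finding[:type] == 'gitlab_personal_access_token'

    record = @store.find(finding[:token])
    return { token: masked, status: :not_found } if record.nil?
    return { token: masked, status: :skipped_flag_disabled } unless @flag_enabled_for.call(record[:user])
    return { token: masked, status: :already_revoked } if record[:revoked]
    # Graceful path for a token with no scopes: report it, do not raise.
    return { token: masked, status: :skipped_no_scopes } if record[:scopes].empty?

    record[:revoked] = true
    { token: masked, status: :revoked, user: record[:user] }
  end
end

# Constructed sample diff; these token values are made up for this example.
SAMPLE_DIFF = <<~DIFF
  +GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt
  +OTHER=glpat-ZzZzZzZzZzZzZzZzZzZz
  +NOSCOPE=glpat-NoScopeNoScopeNoScop
  +UNKNOWN=glpat-1234567890abcdefghij
DIFF

# Fresh store per run so the example is repeatable (constructed data).
def build_sample_store
  TokenStore.new({
    'glpat-AbCdEfGhIjKlMnOpQrSt' => { user: 'alice', scopes: %w[api], revoked: false },
    'glpat-ZzZzZzZzZzZzZzZzZzZz' => { user: 'bob', scopes: %w[read_api], revoked: false },
    'glpat-NoScopeNoScopeNoScop' => { user: 'alice', scopes: [], revoked: false }
  })
end

# Flag enabled only for alice: her scoped token is revoked, bob's is skipped,
# her scope-less token is reported, and the token unknown to the store is not found.
def run_example
  findings = detect_gitlab_pats(SAMPLE_DIFF, location: 'https://gitlab.example.com/group/project/-/commit/abc123')
  handler = RevocationHandler.new(build_sample_store, flag_enabled_for: ->(user) { user == 'alice' })
  handler.revoke_all(findings)
end

puts JSON.pretty_generate(run_example) if $PROGRAM_NAME == __FILE__
```

The point of returning a status per finding rather than raising is the one the follow-up MR in the checklist addresses: a batch of findings should finish even when an individual token is unrevocable, and the result still carries enough (masked) detail to drive the user notification without ever writing a full token value anywhere.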