Add prefix to User#static_object_token
A `static_object_token` is generated in `User`. As defense in depth we should add a static prefix to these, to enable easier detection if an admin / user accidentally leaks the secrets.

This is not a vulnerability.

```
app/models/user.rb:78:3: C: Gitlab/TokenWithoutPrefix: Tokens should be prefixed. See doc/development/secure_coding_guidelines.md#token-prefixes for more information.
  add_authentication_token_field :static_object_token, encrypted: :optional
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

Relevant:

- https://gitlab.com/gitlab-com/gl-security/product-security/appsec/appsec-team/-/issues/482
- https://gitlab.com/gitlab-org/gitlab/-/issues/439007+
- https://docs.gitlab.com/ee/administration/static_objects_external_storage.html (docs owned by ~"group::ide")
- https://docs.gitlab.com/security/tokens/#token-prefixes
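Why a static prefix makes leak detection easier, shown as an added example (not GitLab's code and not part of the original issue). The prefix `example-sot-`, the 20-character token body and the log lines are all constructed assumptions.

```ruby
require 'securerandom'

# Hypothetical prefix and body length, constructed for this example (assumptions).
EXAMPLE_PREFIX = 'example-sot-'
BODY = '[A-Za-z0-9_-]{20}'
EDGE = '[A-Za-z0-9_-]'

# With a prefix: an exact, low-noise signature a secret scanner can match.
PREFIXED_TOKEN_RE = /(?<!#{EDGE})#{Regexp.escape(EXAMPLE_PREFIX)}#{BODY}(?!#{EDGE})/
# Without one: the best available pattern is "any 20-character URL-safe run".
UNPREFIXED_RE = /(?<!#{EDGE})#{BODY}(?!#{EDGE})/

# 15 random bytes encode to exactly 20 URL-safe base64 characters.
def generate_token(prefix: EXAMPLE_PREFIX)
  "#{prefix}#{SecureRandom.urlsafe_base64(15)}"
end

# Return one hit per match, with the 1-based line number it was found on.
def scan(lines, pattern)
  lines.each_with_index.flat_map do |line, idx|
    line.scan(pattern).map { |match| { line: idx + 1, token: match } }
  end
end

# Keep the prefix so a finding stays identifiable, mask the secret part.
def redact(token, prefix: EXAMPLE_PREFIX)
  "#{prefix}#{'*' * (token.length - prefix.length)}"
end

# Constructed sample input: lines 1 and 4 leak a token, 2 and 3 do not.
SAMPLE_LINES = [
  'GET /raw/main/logo.png?token=example-sot-AbCdEfGhIjKlMnOpQrSt 200',
  'deploy finished, artifact id 9fK2mQ7xLpZ4tRb8Wc1D',
  'build cache key Zx81LmNq0PrsTuVwXyA3 restored',
  'user pasted config: static_token = "example-sot-0123456789abcdefghij"'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LINES, PREFIXED_TOKEN_RE).each do |hit|
    puts "line #{hit[:line]}: leaked token #{redact(hit[:token])}"
  end
  noise = scan(SAMPLE_LINES, UNPREFIXED_RE).map { |hit| hit[:line] }
  puts "generic pattern only flags harmless ids on lines #{noise.inspect}"
end
```

The generic pattern cannot tell a token from an artifact id or cache key, while the prefixed pattern matches only the two leaked tokens.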