UX Research: Understand secrets leaked outside of code

What did we learn?

Results
  1. Users want an indicator on the pipeline and job views when there is a leaked secret detected in a job artifact.
  2. Users want to know the precise location of the leaked secret within a job artifact.
  3. Users need the ability to quickly identify the root cause to prevent additional leaked secrets from job artifacts in the future.
  4. Secrets leaked into job artifacts should be masked and/or have restricted access.
  5. Revoking the secrets should be quick.
  6. Blocking a pipeline should be configurable.

Important Links


Problem

Expanding secret detection capabilities beyond code has created uncertainty around user workflows and resolution processes. Detecting secrets across the GitLab platform will increase security for everyone; however, we lack clarity on whether these findings should be classified as vulnerabilities and how different teams will remediate leaked secrets that are not in code.

Goal

What is the ideal user experience for secret detection for leaked secrets outside of the code base?

What's Next?

This research will inform how we expand to detecting secrets throughout the GitLab platform. We have an FYQ2 deliverable of Secret Detection for CI/CD Job Artifacts as an experiment for Q2, with general availability scheduled for Q3.

In the future we also plan on expanding to other CI/CD features, such as pipeline job logs and .gitlab-ci.yml. A full list of coverage for all objects/components can be found here.

Intended Impact Type

Impact on Decisions - this work will inform the product design and requirements for the epic Secret Detection is a consistent, platform-wide, on-by-default experience for users.

Impact type selections

Impact on Decisions
  • Changes in strategy/plan
  • Changes in product/design

Impact on Knowledge
  • Knowledge gaps identified/filled
  • User's perception of our product captured
  • Next big opportunity identified

Impact on UXR maturity
  • Improvement on UXR process efficiency
  • Improvement on UXR quality & reliability

Timeline

This research will be completed by the end of %17.10 at the latest.

Research Question(s)

  1. What is the ideal user experience for secret detection for leaked secrets outside of the code base?
  2. Which of the following approaches is the best fit for user needs when a secret is detected: stop the artifact from being generated if it contains a secret, or let the user know that a secret was detected in the artifact?
  3. Where and how should these findings be surfaced to users?
  4. How should users be notified of detected secrets?

For CI/CD features specifically:

  • Do artifacts containing detected secrets need to be quarantined?
  • What happens when artifacts are used to pass data between jobs?
  • What file formats and types need to be scanned?
  • Should a detected secret block the pipeline?

Hypotheses

For CI/CD features (job logs and artifacts) there are two paths we could take:

  1. Stop the artifact from being generated if there is a secret.
  2. Let a user know if a secret is detected in an artifact.

Target User Group

  1. Sasha, Software Developer, will prevent these leaks from happening.
  2. Amy, Application Security Engineer, will triage and revoke these leaked secrets.

Relevant Works

Who will be leading the research, and who will be supporting?

Edited by Alana Bellucci