Verify validity of secret detection findings
### What is a validity/verification check? Verify validity/liveness of Secret Detection findings by checking them against the issuing service. During remediation, this answers the question "Is the credential still active?" ### Problem to solve When secret scanning reveals exposed credentials such as passwords or API keys, the security team's immediate priority is to assess the token's status and permissions. This evaluation helps determine both if the credential remains active and what systems or data it could potentially access. Today, we leave it to users to triage the findings and identify whether the finding is valid or not. This can add up to a lot of work identifying fake or canned credentials. When we do a historical scan, we might even end up notifying users of credentials that had already been discovered and revoked long ago (assuming they hadn't already addressed the finding within the security dashboard). The validity status enables teams to make risk-based prioritization decisions. ### Proposal We will automate the verification process for tokens discovered during security scans. This feature will: - Verify token status (Active, Inactive, Possibly Active) and display results - Enable filtering by token status - Support GitLab and partner platform tokens - Work for all platform - Include telemetry to measure usage and effectiveness Customers can opt in. Once enabled, discovered tokens will be automatically verified against issuing services. ### Implementation - https://gitlab.com/groups/gitlab-org/-/epics/16589+ - https://gitlab.com/groups/gitlab-org/-/epics/16927+ - https://gitlab.com/groups/gitlab-org/-/epics/16890+
epic