[GA] Validity Checks
**Summary: Customers will be able to automatically verify the validity status of partner tokens detected in their codebase.** ## Proposal Validity Checks will expand to support partner platform tokens through direct API integration. The initial partners we will support are: - Amazon Web Services (AWS) IAM access keys (using STS GetCallerIdentity) - Google Cloud Platform (GCP) OAuth tokens (using OAuth2 tokeninfo) - Postman API tokens (using /me endpoint) _Additional partners can be added post-GA by implementing new client classes following the established pattern._ In addition to the aforementioned partners, we will be adding filtering by token status, see https://gitlab.com/groups/gitlab-org/-/epics/17407. Users will have the ability to filter by token status on the Vulnerability Report; [designs](https://gitlab.com/gitlab-org/gitlab/-/issues/479341/designs/Validity_check_filter.png). _Note: as of August 1st, 2025, this will only be available for .com._ ## Pattern Integration Technical Design ### Overview We're implementing direct partner API calls from the GitLab monolith using Sidekiq workers with explicit rate limiting. ### UX Flow 1. MR has been reviewed and merged 2. Secret detection job executes on the default branch 3. Detected secrets appear in Security Dashboard with "Checking..." status 4. Status updates to "Active", "Inactive", or "Unknown" after verification 5. Security team can filter/sort findings by token status ### Internal Flow 1. Secret Detection Analyzer runs and generates `gl-secret-detection-report.json` 2. Report ingestion triggers `UpdateTokenStatusWorker` 3. Worker delegates to `UpdateTokenStatusService` for token processing 4. Service identifies token type from finding metadata 5. For GitLab tokens: Uses existing `TokenLookupService` 6. For partner tokens: Queues `PartnerTokenVerificationWorker` 7. Worker checks `ApplicationRateLimiter` for rate limit compliance 8. If under limit: Makes direct API call to partner 9. If rate limited: Reschedules with `perform_in` (no exception) 10. Processes response and saves `FindingTokenStatus` to database ```mermaid sequenceDiagram box "Runner" participant SDA as Secret Detection Analyzer end box "GitLab Monolith" participant RW as Report Ingestion participant UTSW as UpdateTokenStatusWorker participant UTSS as UpdateTokenStatusService participant TLS as TokenLookupService participant PVW as PartnerTokenVerificationWorker participant RL as ApplicationRateLimiter participant PC as Partner Client participant DB as Database end box "External APIs" participant AWS as AWS STS API participant GCP as GCP OAuth2 API participant PM as Postman API end SDA->>RW: Submit gl-secret-detection-report.json RW->>UTSW: Trigger token status check UTSW->>UTSS: Process findings alt GitLab Token UTSS->>TLS: Query GitLab token TLS-->>UTSS: Return status UTSS->>DB: Save FindingTokenStatus else Partner Token UTSS->>PVW: Queue verification (finding_id, token_type) PVW->>RL: Check rate limit alt Rate Limited RL-->>PVW: Throttled PVW->>PVW: perform_in(delay) else Under Limit RL-->>PVW: Proceed PVW->>PC: Create client for token_type alt AWS Token PC->>AWS: POST /GetCallerIdentity AWS-->>PC: XML response else GCP Token PC->>GCP: GET /tokeninfo?access_token= GCP-->>PC: JSON response else Postman Token PC->>PM: GET /me (X-API-Key header) PM-->>PC: JSON response end PC-->>PVW: TokenStatus(valid, metadata) PVW->>DB: Save FindingTokenStatus end end ``` --- # Interlock Details ##### Executive Summary Customers will be able to automatically verify the validity status of partner tokens detected in their codebase through direct API integration with AWS, GCP, and Postman. #### Dependencies - Team dependencies: \~"group::application security" (review only) - Infrastructure: None (uses existing Redis/Sidekiq) - External: Partner API availability #### DRIs - **PM**: @abellucci - **EM**: @amarpatel - **ENGINEER**: @atiwari71 - **UX/PDM**: @beckalippert - **Group(s)**: ~"group::secret detection" - **Engineering Owner**: @twoodham
epic