Post-processing of leaked secrets
As a customer, I want to some actions to kick off automatically when a leaked secret is detected. We don't have this capability today, nor do we have a standardized mechanism in which workflows could be kicked off. The main thrust of this work will be to build this mechanism and hook secret detection into it. While the initial effort will be focused upon ~"Category:Secret Detection", we should anticipate that whatever we build may be extended to support actions off of all ~"devops::secure" feature categories. This work has been explored in a [technical discovery issue](https://gitlab.com/gitlab-org/gitlab/-/issues/254815), which explores multiple options. #### Sequence diagram ```mermaid sequenceDiagram autonumber Rails->>+Sidekiq: gl-secret-detection-report.json %% The recovable key list should be fetched and cached from RevocationAPI Sidekiq-->+Sidekiq: BuildFinishedWorker Sidekiq-->+RevocationAPI: GET fetch/cache revocable keys types RevocationAPI-->>-Sidekiq: OK Sidekiq->>+RevocationAPI: POST revoke revocable keys RevocationAPI-->>-Sidekiq: ACCEPTED RevocationAPI-->>+Cloud Vendor: revoke revocable keys Cloud Vendor-->>+RevocationAPI: ACCEPTED ``` ### Release notes Possible release post content here: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/67952
epic