Automatic response to leaked secrets: Partner Integrations
After a secret is detected, GitLab supports "post-processing" hooks that can respond to the leak.
GitLab.com integrates with cloud providers to automatically send them leaked credentials. This way, they can automatically mitigate risk or make proactive contact with the owner of the credential to protect their account.
Starting in GitLab 15.9, GitLab also uses this type of post-processing to automatically revoke leaked Personal Access Tokens (https://gitlab.com/gitlab-org/gitlab/-/issues/371658).
## Want to protect your users?
Third party cloud and SaaS providers can post in this epic or contact the Product Manager for Secret Detection, @abellucci (email: `abellucci@gitlab.com`). We'll work with you to protect your users if they leak credentials on GitLab.
This epic includes individual implementation epics or issues (confidential if necessary) for each potential partner.
Vendor support requires two parts:
1. Adding or updating support in GitLab Secret Detection for vendor-provided credential patterns.
2. Connecting to the vendor/partner notification API.
## Implementation details
<details>
<summary>Click to expand diagram</summary>
```mermaid
sequenceDiagram
autonumber
Rails->>+Sidekiq: gl-secret-detection-report.json
%% The recovable key list should be fetched and cached from RevocationAPI
Sidekiq-->+Sidekiq: BuildFinishedWorker
Sidekiq-->+RevocationAPI: GET fetch/cache revocable keys types
RevocationAPI-->>-Sidekiq: OK
Sidekiq->>+RevocationAPI: POST revoke revocable keys
RevocationAPI-->>-Sidekiq: ACCEPTED
RevocationAPI-->>+Cloud Vendor: revoke revocable keys
Cloud Vendor->>+RevocationAPI: ACCEPTED
```
</details>
## Priorities for new integrations
1. https://gitlab.com/gitlab-org/gitlab/-/issues/403825+
2. https://gitlab.com/groups/gitlab-org/-/epics/8236+
3. https://gitlab.com/groups/gitlab-org/-/epics/9140+
4. https://gitlab.com/groups/gitlab-org/-/epics/8237+
epic