Secret Detection update: Leaked Personal Access Tokens will soon be revoked

Jan 4, 2023 · 4 min read
Connor Gilbert

GitLab will soon begin automatically revoking Personal Access Tokens (PATs) when GitLab Secret Detection finds them in public repositories, an update that will better protect GitLab users and organizations.

Leaked PATs are a serious security risk: adversaries can and do search public repositories for tokens and misuse them. At the same time, it's easy to accidentally commit a token into your codebase, especially when you commit directly to the default branch of your repository without reviewing security findings first.

We're rolling out this feature over time and giving additional notice so you can prepare. We know that leaked PATs may also be used in automated systems and will need to be replaced.

We've been dogfooding this feature within GitLab and with customers who volunteered to join our beta test. Now, we're glad we can expand this protection to everyone.

When revocation happens

This feature protects projects that:

Tokens are revoked in those projects when they:

Leaked tokens are processed on the same system where they're found: Tokens detected on GitLab.com stay on GitLab.com and tokens detected in Self-Managed instances stay on those instances.

How to get protected

Automatic PAT revocation is available for projects that use GitLab Secret Detection. Secret Detection scanning is available in all GitLab tiers, but automatic PAT revocation is currently only available in Ultimate projects.
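As an added example, not GitLab's own Secret Detection code, the Python script below shows the kind of pattern-based check that secret detection performs, applied locally before you push. It scans a set of files for tokens carrying the `glpat-` prefix that GitLab has put on Personal Access Tokens since version 14.5, masks each hit so the report itself does not re-leak the value, and returns a non-zero status so it can gate a pre-commit hook or a CI job. The regular expression is a simplified rule (20 URL-safe characters after the prefix, as in the commonly used Gitleaks rule) rather than GitLab's full ruleset, and the file contents and token values are constructed, fake samples.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Simplified detection rule for GitLab Personal Access Tokens: tokens issued
# since GitLab 14.5 start with "glpat-" followed by 20 URL-safe characters.
# This mirrors the widely used Gitleaks rule; it is not GitLab's own ruleset.
GITLAB_PAT_RE = re.compile(r"glpat-[0-9A-Za-z_-]{20}")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    masked: str  # the token with its middle redacted, safe to print in a report


def mask_token(token: str) -> str:
    """Keep the prefix and last four characters so a finding can be traced
    back to a specific token without repeating the full secret in logs."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per PAT-shaped match, with 1-based line numbers."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GITLAB_PAT_RE.finditer(line):
            findings.append(Finding(path, lineno, mask_token(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of path -> contents (e.g. staged files)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def check(files: dict[str, str]) -> int:
    """Exit-code style result: 0 when clean, 1 when any token was found.
    Suitable for a pre-commit hook or a CI job that should block the push."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: possible GitLab PAT {f.masked}")
    return 1 if findings else 0


# Constructed sample "staged files"; both token values are fake and exactly
# 20 characters long after the prefix so they match the rule above.
SAMPLE_FILES = {
    ".gitlab-ci.yml": "variables:\n  DEPLOY_TOKEN: glpat-0123456789abcdefghij\n",
    "README.md": "Create a token with the read_api scope; never commit it.\n",
    "scripts/deploy.sh": 'curl --header "PRIVATE-TOKEN: glpat-ABCDEFGHIJKLMNOPQRST" "$API_URL"\n',
}


if __name__ == "__main__":
    # With paths on the command line, scan those files; otherwise run the
    # built-in sample so the script demonstrates itself offline.
    if len(sys.argv) > 1:
        files = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]}
    else:
        files = SAMPLE_FILES
    sys.exit(check(files))
```

Wire it into a hook with something like `git diff --cached --name-only | xargs python scan_pat.py` (a hypothetical file name) so a commit that contains a token-shaped string fails before it ever reaches a public repository; the server-side scan and revocation described in this post remain the backstop for anything that slips through.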

What happens when a PAT leak is discovered

When GitLab finds and revokes a PAT, here's what happens:

This video shows how Secret Detection finds a leaked token and how users are notified:

What to do if your token is revoked

If your PAT is automatically revoked, that's because it was exposed publicly. Treat it as compromised: revocation stops future use of the token, but it does not undo anything that was done with it while it was exposed.

You'll need to create a new token and update any CI/CD variables, configurations, or other places where the leaked token was used. We recommend using separate PATs for different use cases, granting each one only the scopes it needs, and setting an expiration date. For more recommendations, check our token security guidance.

When changes take effect

We're rolling out this feature in phases. We currently plan to:

We don't currently plan to add a configuration option to disable this security feature. If you think you would need to disable it, please tell us why in our feedback issue so we can accommodate your use case.

What's next for Secret Detection

We're excited to release this feature, and we'll keep iterating to continue to strengthen the level of protection GitLab Secret Detection provides.

For more information about where we're taking Secret Detection, check our public direction page.

Disclaimer: This blog contains information related to upcoming products, features, and functionality. It is important to note that the information in this blog post is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this blog and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab.

Cover image by Michael Dziedzic from Unsplash.com.
