Modern applications don’t run on their own: They rely on databases, cloud services, APIs, and other services. To connect to those systems, the applications use credentials like private keys and API tokens. These credentials have to be kept secret – if they’re leaked, adversaries can abuse them to steal data, mine cryptocurrency, or disable important systems. Today, we’re increasing the level of protection we offer GitLab Ultimate users against this serious risk via an expansion of our partnership with Google Cloud.
How GitLab addresses this risk
GitLab Secret Detection addresses the risk of leaked secrets by detecting when keys, tokens, and other sensitive values are exposed in code and helping DevSecOps teams respond. It’s imperative to respond quickly when credentials are leaked, especially for keys to cloud provider accounts, since adversaries can do a lot of damage quickly.
With our expanded partnership, we’ve integrated GitLab Secret Detection with Google Cloud to better protect customers who use GitLab to develop applications on Google Cloud. Now, if an organization leaks a Google Cloud credential to a public project on GitLab.com, GitLab can automatically respond by passing the credential to Google Cloud, which then protects the affected account. This protection is available in GitLab Ultimate.
GitLab’s investment in automated response
GitLab has added automatic responses to leaked secrets for multiple cloud platforms, and also automatically revokes leaked GitLab Personal Access Tokens (PATs). We’re working on more integrations now, and cloud service vendors who want similar protection are welcome to join our partner program.
We’ve also recently expanded the places automatic responses are triggered. Secret Detection users are now protected from credential leaks as soon as they appear in any public branch on GitLab.com.
Why we’re investing here
Security is better when it’s integrated throughout the software development lifecycle. GitLab’s 2023 Security Without Sacrifices report found that security is one of the top benefits of a DevSecOps platform. GitLab’s DevSecOps platform enhances secure software development by helping developers and security professionals collaborate to prevent business-critical vulnerabilities. Now, in collaboration with Google Cloud, we’re adding an additional layer of protection for our mutual customers.
Better protection for GitLab/Google Cloud customers
Google Cloud users on GitLab.com are now better protected. The new integration protects projects that:
- are public. Private projects are unaffected by this change.
- are hosted on GitLab.com. Projects on GitLab Dedicated or self-managed instances are unaffected.
- use Secret Detection. If you haven't enabled Secret Detection for a project, we currently won't search it for secrets to revoke.
Secret Detection searches for three types of secrets issued by Google Cloud:
- Service account keys
- API keys
- OAuth client secrets
Publicly leaked secrets are sent to Google Cloud after they’re discovered. Google Cloud verifies the leaks, then works to protect customer accounts against abuse.
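As an added illustration of what the three credential types above look like in code and how a scanner can report them without re-leaking the value, here is a small Python checker. It is example code written for this page, not GitLab’s or Google’s detection rules; the token patterns are approximations and every sample value is constructed.

```python
import json
import re

# Illustrative patterns for the three Google Cloud secret types the post names.
# They are this example's approximation, not GitLab's or Google's detection rules.
API_KEY_RE = re.compile(r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")
OAUTH_SECRET_RE = re.compile(r"(?<![0-9A-Za-z_\-])GOCSPX-[0-9A-Za-z_\-]{28}(?![0-9A-Za-z_\-])")


def mask(value, keep=6):
    """Show only a prefix so findings can be reported without re-leaking the secret."""
    return value[:keep] + "..." + f"({len(value)} chars)"


def find_google_cloud_secrets(text):
    """Return (kind, masked_value_or_owner) pairs for candidate Google Cloud secrets."""
    hits = []
    for m in API_KEY_RE.finditer(text):
        hits.append(("api_key", mask(m.group())))
    for m in OAUTH_SECRET_RE.finditer(text):
        hits.append(("oauth_client_secret", mask(m.group())))
    # A service account key is a JSON document with a fixed shape rather than a token.
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if (isinstance(doc, dict) and doc.get("type") == "service_account"
            and str(doc.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----")):
        hits.append(("service_account_key", doc.get("client_email", "<no client_email>")))
    return hits


# Constructed sample input (fake values, not real credentials).
SAMPLE_CONFIG = "\n".join([
    "MAPS_KEY=AIza0123456789abcdefghijklmnopqrstuvwxy",   # 39 chars: matches
    "OAUTH_SECRET=GOCSPX-abcdefghijklmnopqrstuvwxyz01",  # matches
    "NOT_A_KEY=AIzaTooShort",                             # does not match
])
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-deployer@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG, SAMPLE_SA_KEY):
        for kind, where in find_google_cloud_secrets(sample):
            print(f"{kind}: {where}")
```

Reporting only a masked prefix (or the service account’s client_email) is deliberate: a finding that echoes the full token is itself another copy of the leak.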
How the Google Cloud integration works
Our Google Cloud integration is on by default for projects that use GitLab Secret Detection on GitLab.com. Secret Detection scanning is available in all GitLab tiers, but an automatic response to leaked secrets is currently only available in Ultimate projects.
- To protect a project, enable GitLab Secret Detection.
- To protect your entire organization, consider enforcing scan execution to run Secret Detection in all of your projects.
We’re excited to improve Secret Detection with this integration, but we aren’t stopping here. Check our strategy and plans to learn more about where we’re headed.
GitLab can help secure your applications, whether they run on Google Cloud or elsewhere. Learn more about our security and governance solutions.
“We're increasing the level of protection we offer @gitlab Ultimate users against the risk of leaked credentials via an expansion of our partnership with @googlecloud.” – Connor Gilbert