How Secret Detection can proactively revoke leaked credentials
Published on: June 13, 2023

GitLab extends Secret Detection capabilities to customers on Google Cloud.


Modern applications don’t run on their own: They rely on databases, cloud services, APIs, and other services. To connect to those systems, the applications use credentials like private keys and API tokens. These credentials have to be kept secret – if they’re leaked, adversaries can abuse them to steal data, mine cryptocurrency, or disable important systems. Today, we’re increasing the level of protection we offer GitLab Ultimate users against this serious risk via an expansion of our partnership with Google Cloud.

How GitLab addresses this risk

GitLab Secret Detection addresses the risk of leaked secrets by detecting when keys, tokens, and other sensitive values are exposed in code and helping DevSecOps teams respond. It’s imperative to respond quickly when credentials are leaked, especially for keys to cloud provider accounts, since adversaries can do a lot of damage quickly.

With our expanded partnership, we’ve integrated GitLab Secret Detection with Google Cloud to better protect customers who use GitLab to develop applications on Google Cloud. Now, if an organization leaks a Google Cloud credential to a public project on GitLab.com, GitLab can automatically work with Google Cloud to protect the organization’s account. This protection is available in GitLab Ultimate.

GitLab’s investment in automated response

GitLab has added support for multiple cloud platforms with automatic response to leaked secrets, including the automatic revocation of GitLab Personal Access Tokens (PATs). We’re working on more integrations now, and are always looking for more cloud service vendors seeking similar protection to join our partner program.

We’ve also recently expanded the places automatic responses are triggered. Secret Detection users are now protected from credential leaks as soon as they appear in any public branch on GitLab.com.

Why we’re investing here

Security is better when it’s integrated throughout the software development lifecycle. GitLab’s 2023 Security Without Sacrifices report found that security is one of the top benefits of a DevSecOps platform. GitLab’s DevSecOps platform enhances secure software development by helping developers and security professionals collaborate to prevent business-critical vulnerabilities. Now, in collaboration with Google Cloud, we’re adding an additional layer of protection for our mutual customers.

Better protection for GitLab/Google Cloud customers

Google Cloud users on GitLab.com are now better protected. The new integration protects projects that:

  • are public. Private projects are unaffected by this change.
  • are hosted on GitLab.com. Projects on GitLab Dedicated or self-managed instances are unaffected.
  • use Secret Detection. If you haven't enabled Secret Detection for a project, we currently won't search it for secrets to revoke.

Secret Detection searches for three types of secrets issued by Google Cloud:

  1. Service account keys
  2. API keys
  3. OAuth client secrets

Publicly leaked secrets are sent to Google Cloud after they’re discovered. Google Cloud verifies the leaks, then works to protect customer accounts against abuse.
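To make the detection step concrete, here is a small scanner for the three Google Cloud secret types listed above, run over a constructed sample commit. It is an added example, not code from the post or from GitLab’s own Secret Detection; the regexes are approximate patterns assumed here for each credential format, and findings are redacted before being reported so a leaked value is not reproduced in logs.

```python
import re
from dataclasses import dataclass

# Rough patterns for the three Google Cloud secret types named in the post.
# They are illustrative rules written for this example, not GitLab's or
# Google's detection logic, so expect them to miss or over-match real keys.
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")  # API key
OAUTH_SECRET_RE = re.compile(r"\bGOCSPX-[0-9A-Za-z_-]{20,}\b")  # OAuth client secret
SA_TYPE_RE = re.compile(r'"type"\s*:\s*"service_account"')  # service account key JSON


@dataclass(frozen=True)
class Finding:
    kind: str   # api_key | oauth_client_secret | service_account_key
    line: int   # 1-based line number within the scanned text
    value: str  # matched text; redact before logging or reporting it


def redact(value: str, keep: int = 8) -> str:
    """Keep a short prefix so a reviewer can correlate the finding without re-leaking it."""
    return value[:keep] + "***"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per Google Cloud secret found, in line order."""
    findings: list[Finding] = []
    # A service account key is a JSON document; only flag the type marker when a
    # private_key field is present too, so docs that merely mention the type pass.
    has_private_key = '"private_key"' in text
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in API_KEY_RE.finditer(line):
            findings.append(Finding("api_key", lineno, m.group()))
        for m in OAUTH_SECRET_RE.finditer(line):
            findings.append(Finding("oauth_client_secret", lineno, m.group()))
        if has_private_key and (m := SA_TYPE_RE.search(line)):
            findings.append(Finding("service_account_key", lineno, m.group()))
    return findings


# Constructed sample of a committed config file; none of these values are real.
SAMPLE_COMMIT = """\
GOOGLE_API_KEY=AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R
client_secret: GOCSPX-abcdefghijklmnopqrstuvwx
{"type": "service_account", "project_id": "demo-project",
 "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----\\n"}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT):
        print(f"line {f.line}: {f.kind} {redact(f.value)}")
```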

How the Google Cloud integration works

Our Google Cloud integration is on by default for projects that use GitLab Secret Detection on GitLab.com. Secret Detection scanning is available in all GitLab tiers, but an automatic response to leaked secrets is currently only available in Ultimate projects.

What’s next

We’re excited to improve Secret Detection with this integration, but we aren’t stopping here. Check our strategy and plans to learn more about where we’re headed.

GitLab can help secure your applications, whether they run on Google Cloud or elsewhere. Learn more about our security and governance solutions.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
