Published on: January 4, 2023
4 min read
Learn about upcoming changes to better protect GitLab users and organizations.
GitLab will soon begin automatically revoking Personal Access Tokens (PATs) when GitLab Secret Detection finds them in public repositories, an update that will better protect GitLab users and organizations.
Leaked PATs are a serious security risk – adversaries can and do search public repositories to find tokens and misuse them. However, it's easy to make a mistake and accidentally commit a token into your codebase, especially if you're committing to the main branch of your repository without reviewing security findings first.
We're rolling out this feature over time and giving additional notice so you can prepare. We know that leaked PATs may also be used in automated systems and will need to be replaced.
We've been dogfooding this feature within GitLab and with customers who volunteered to join our beta test. Now, we're glad we can expand this protection to everyone.
This feature protects projects that:
Tokens are revoked in those projects when they:
Use the glpat- prefix, which has been added to PATs by default since release 14.5. Because prefixed tokens are easier to identify, we recommend replacing any un-prefixed tokens with new ones that include the glpat- prefix.
Leaked tokens are processed on the same system where they're found: tokens detected on GitLab.com stay on GitLab.com, and tokens detected in Self-Managed instances stay on those instances.
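As an added example (not GitLab's own Secret Detection code, and not part of the original post), the script below shows the kind of check a team can run locally before a push reaches a public project: it walks a unified diff, looks only at added lines, and reports any token carrying the glpat- prefix, masking the value so the report itself does not re-leak it. The sample diff is constructed, the token in it is made up, and the assumption that a PAT body is 20 characters from [A-Za-z0-9_-] after the prefix is ours, not something the post states. The second hunk contains an un-prefixed, pre-14.5-style token that the scan does not catch, which is exactly why the post recommends replacing un-prefixed tokens.

```python
"""Pre-commit style scan of a unified diff for GitLab personal access tokens.

Added example; not GitLab's Secret Detection implementation. It matches only
the glpat- prefix introduced in GitLab 14.5, so un-prefixed tokens are missed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List

# Assumed token shape: "glpat-" followed by 20 characters from [A-Za-z0-9_-].
PAT_RE = re.compile(r"glpat-[A-Za-z0-9_-]{20}")
# Hunk header; group 1 is the first line number on the "new file" side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int
    masked: str


def mask(token: str) -> str:
    """Keep the prefix and last four characters so a report does not re-leak the token."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def scan_diff(diff: str) -> List[Finding]:
    """Return one Finding per glpat- token found on an added line of a unified diff."""
    findings: List[Finding] = []
    path = "?"
    lineno = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):            # new-side file header
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1))          # reset counter at each hunk
            continue
        if raw.startswith("+"):               # added line: scan it, then advance
            for tok in PAT_RE.findall(raw[1:]):
                findings.append(Finding(path, lineno, mask(tok)))
            lineno += 1
        elif raw.startswith(" "):             # context line: advance only
            lineno += 1
        # removed lines ("-"), "\ No newline" markers and diff/index headers
        # do not advance the new-file line counter
    return findings


# Constructed sample diff; the glpat- value is invented for the demo.
SAMPLE_DIFF = """\
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,5 @@
 deploy:
   script:
-    - ./deploy.sh
+    - export GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt   # constructed, not a real token
+    - ./deploy.sh "$GITLAB_TOKEN"
+    - echo done
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -10,2 +10,3 @@
 DEBUG = False
+LEGACY_TOKEN = "xyzzy1234567890abcdef"  # un-prefixed pre-14.5 style: not matched
 TIMEOUT = 30
"""


def main(argv: List[str]) -> int:
    """Scan the staged diff (or the built-in sample with --demo); exit 1 on a hit."""
    if "--demo" in argv:
        diff = SAMPLE_DIFF
    else:
        diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line}: possible GitLab PAT {f.masked}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with --demo to see the single hit on .gitlab-ci.yml line 3 and the silent miss on config.py, or wire it into .git/hooks/pre-commit without the flag so a staged glpat- token blocks the commit. A local check like this complements, rather than replaces, server-side Secret Detection: the server still catches what slips past developers' machines.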
Automatic PAT revocation is available for projects that use GitLab Secret Detection. Secret Detection scanning is available in all GitLab tiers, but automatic PAT revocation is currently only available in Ultimate projects.
When GitLab finds and revokes a PAT, here's what happens:
This video shows how Secret Detection finds a leaked token and how users are notified:
If your PAT is automatically revoked, that's because it was exposed publicly. You should consider it to be compromised.
You'll need to create a new one and use it in any CI/CD variables, configurations, or other places where the leaked token was used. We recommend using separate PATs for different use cases. For more recommendations, check our token security guidance.
We're rolling out this feature in phases. We currently plan to:
We don't currently plan to add a configuration option to disable this security feature. So, if you would want to disable it, please tell us why in our feedback issue so we can accommodate your use case.
We're excited to release this feature, and we'll keep iterating to continue to strengthen the level of protection GitLab Secret Detection provides.
For more information about where we're taking Secret Detection, check our public direction page.
Disclaimer: This blog contains information related to upcoming products, features, and functionality. It is important to note that the information in this blog post is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this blog and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab.
Cover image by Michael Dziedzic from Unsplash.com.