The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Stage: Application Security Testing
Maturity: Viable
Content Last Reviewed: 2024-11-19
This direction page describes GitLab's plans for the Secret Detection category, which protects you against leaking credentials, tokens, or other secrets on GitLab. Everyone can contribute to where GitLab Secret Detection goes next, and we'd love to hear from you. The best ways to participate in the conversation are to:
- Open an issue in the gitlab-org/gitlab issue tracker and include `@gitlab-bot label ~"group::secret detection" ~"Category:Secret Detection"` so your issue lands in our triage workflow.

GitLab Secret Detection helps prevent a critical mistake: leaking credentials or other secrets. We want GitLab to be a safe place to develop software, so we're working to make Secret Detection a standard part of the software development lifecycle (SDLC). No one should have to think about secrets to be protected from leaking them.
We believe that the world is safer when everyone can contribute to software security. Our customers, and those they serve, are better protected when developers and security professionals can fix potential security risks earlier.
The earliest possible time to catch a security issue is when the code is first written. GitLab sees code very early in the software development lifecycle, since we store production code and also support customer workflows (like merge requests) for pre-production development. Our group is uniquely positioned to integrate static analysis everywhere as part of a comprehensive DevSecOps platform, which allows us to embed security seamlessly and support collaboration within the tools teams already use.
The Secret Detection group's business purpose is to build value for GitLab and our customers by:
Even experienced developers and teams can slip up and cause serious risk by committing secrets into their code repositories.
The potential damage is significant:
GitLab Secret Detection helps you prevent the unintentional leak of sensitive information like authentication tokens and private keys.
Secret Detection checks your Git repositories to detect secrets or credentials, then it reports potential findings. Today, Secret Detection jobs run in your CI/CD pipelines.
We want everyone to be secure, so:
In GitLab Ultimate, after you enable Secret Detection:
Secret Detection doesn't target a specific language, so you can easily enable it in any project. Our approach takes advantage of patterns for well-identifiable credentials like service account keys and API tokens, but also searches for more generic secret types like passwords in certain contexts.
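As an added illustration of the two rule classes described above (example code, not GitLab's analyzer or its rule set), the scanner below pairs a high-confidence rule keyed on a well-identifiable token format with a generic password-in-context rule, and makes a push-protection style block/allow decision. The sample lines are constructed; the `glpat-` and `AKIA` prefixes are public token formats used here as assumptions about those formats.

```python
import re
from dataclasses import dataclass

# High-confidence rules: the token's own format identifies the issuer. The "glpat-"
# and "AKIA" prefixes are public formats, assumed here; this is not GitLab's rule set.
HIGH_CONFIDENCE_RULES = {
    "gitlab_personal_access_token": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic rule: a password-like key assigned a quoted literal of 8+ characters.
# The key name plus the assignment context is what makes it worth reporting.
GENERIC_PASSWORD_RULE = re.compile(
    r"(?i)(password|passwd|pwd|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Obvious placeholders and variable references are not findings.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<password>"}

@dataclass
class Finding:
    rule: str
    line_no: int
    confidence: str  # the matched value is not stored: a report must not re-leak it

def scan_lines(lines):
    """Return findings for a list of added lines (e.g. the '+' side of a diff)."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, pattern in HIGH_CONFIDENCE_RULES.items():
            if pattern.search(line):
                findings.append(Finding(name, no, "high"))
        m = GENERIC_PASSWORD_RULE.search(line)
        if m:
            value = m.group(2)
            if value.lower() not in PLACEHOLDERS and not value.startswith("${"):
                findings.append(Finding("generic_password_assignment", no, "medium"))
    return findings

def should_block_push(findings):
    """Push-protection style decision: any finding blocks the push."""
    return bool(findings)

# Constructed sample: lines as they might appear in a pushed commit.
SAMPLE = [
    'GITLAB_TOKEN = "glpat-EXAMPLE0123456789abcd"',  # high: identifiable format
    'password = "${DB_PASSWORD}"',                    # variable reference: ignored
    'db_password = "changeme"',                       # placeholder: ignored
    'smtp_password: "Tr0ub4dor&3xample"',             # medium: literal in context
]
```

Running `scan_lines(SAMPLE)` reports lines 1 and 4 only, and `should_block_push` returns True for that push.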
Our approach emphasizes the value of the most comprehensive DevSecOps platform by:
To learn more, check the Secret Detection documentation.
Outside of the Secret Detection category, GitLab also offers other features that relate to secret values:
We're focusing on addressing the following user problems:
Solving these user problems supports two primary goals:
Over the next major milestone, 17.0 - 17.11 (May 2024 - April 2025), we will be investing in the [next generation of Secret Detection](https://gitlab.com/groups/gitlab-org/-/epics/8667). This includes:

- Push protection, which blocks commits from being pushed if they contain secrets.
- Pipelineless post-receive scanning, which replaces the existing scanning system that runs in CI/CD pipelines after content is pushed.
Specifically, we plan to focus on:
In the next 3 months, we are planning to:
We are also looking ahead by refining the system architecture for pipelineless post-receive scanning. This will share significant architectural elements with the new pre-receive secret detection feature.
We are currently working on:
In the last three months we released secret push protection (SPP) to general availability. In addition, we made enhancements to SPP including:
Check older release posts for our previous work in this area.
ℹ️ Best In Class (BIC) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.
Secret Detection products should:
See our prioritized roadmap here.
In addition to those main themes, we are exploring additional detection techniques including:
There are dozens of vendors providing secret detection as a standalone offering, integrated as a feature within the platforms they protect, or as part of a larger solution. Here's an overview of the top competitive tools for secret detection:
The target audience for secret detection tools includes security-focused roles like Alex, the Security Operations Engineer, and Sam, the Security Analyst. Their primary responsibility is to protect the organization from leaked secrets, which includes responding to alerts and managing incidents involving compromised credentials. Alex and Sam are instrumental in selecting, deploying, and fine-tuning tools like Secret Detection to enhance security posture.
In contrast, Sasha, the Software Developer, may unintentionally expose credentials while coding or pushing updates. Although Sasha prioritizes security, her main focus is on building and shipping features, so she values tools that are effective yet minimally disruptive. Secret detection tools need to support Sasha's workflow by providing seamless, reliable protection without adding burdensome processes or frequent false positives.
At GitLab, Secret Detection is primarily included in the Ultimate tier, though basic protection features are available across all tiers. We plan to enhance the level of protection provided in every tier, while continuing to offer distinct organization-level value in Ultimate.
| | Free | Premium | Ultimate |
|---|---|---|---|
| Pipeline Secret Detection | ✅ | ✅ | ✅ |
| Push Protection | ✅ | | |
| Client-side warnings (UI) | ✅ | ✅ | ✅ |
| Automatic Response to leaked secrets (public projects) | ✅ | | |
Analysts usually include Secret Detection as a secondary feature of Application Security Testing (AST) coverage. See Category Direction - Static Application Security Testing (SAST) for up-to-date analyst coverage.