
Category Vision - Secret Detection

Description

Overview

Secret Detection aims to prevent sensitive information, such as passwords, authentication tokens, and private keys, from being unintentionally leaked as part of the repository content.

It checks files and configuration for well-known variable names and file names, and reports anything that is potentially risky to share.

It doesn't target a specific language; the ruleset can be applied to any project.

Goal

Our goal is to provide Secret Detection as part of the standard development process. This means that Secret Detection is executed every time a new commit is pushed to a branch. We also want to include Secret Detection as part of Auto DevOps.

Secret Detection results can be consumed in the merge request, where only the new vulnerabilities introduced by the new code are shown.
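To make the two behaviours above concrete (scanning for well-known variable and file names, then showing only findings that are new in the merge request), here is a small added example in Python. It is not GitLab's own analyzer or ruleset; the three variable rules, two file-name rules, and the sample repository contents are constructed for illustration only.

```python
import re
from dataclasses import dataclass

# Hypothetical ruleset (constructed for this example, not GitLab's real rules).
# Variable rules run against each line of a file; file rules run against the path.
VARIABLE_RULES = {
    "AWS secret key assignment": re.compile(
        r"(?i)\baws_secret_access_key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{20,}"),
    "Generic password assignment": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "Private key block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
FILE_RULES = {
    "SSH private key file": re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"),
    "Environment file": re.compile(r"(^|/)\.env$"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 for findings that come from the file name itself
    rule: str
    snippet: str   # matched line (stripped); empty for file-name findings


def scan_file(path, content):
    """Report every rule that fires on the path or on a line of the content."""
    findings = []
    for rule, pattern in FILE_RULES.items():
        if pattern.search(path):
            findings.append(Finding(path, 0, rule, ""))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for rule, pattern in VARIABLE_RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(files):
    """Scan a whole tree given as {path: content}; deterministic order."""
    findings = []
    for path, content in sorted(files.items()):
        findings.extend(scan_file(path, content))
    return findings


def new_findings(base_findings, head_findings):
    """Merge-request view: keep only findings absent from the base branch.

    Findings are fingerprinted by (path, rule, snippet) rather than by line
    number, so a secret that merely shifted down a few lines is not
    reported as new, while a second occurrence of the same rule is."""
    base_keys = {(f.path, f.rule, f.snippet) for f in base_findings}
    return [f for f in head_findings
            if (f.path, f.rule, f.snippet) not in base_keys]


# Constructed sample repository: the base branch and the MR head branch.
BASE_TREE = {
    "README.md": "# Demo project\n",
    "config/settings.py": (
        "DEBUG = True\n"
        "PASSWORD_MIN_LENGTH = 12\n"        # benign: not a password value
        "PASSWORD = 'hunter22'\n"            # pre-existing leak (not new in MR)
    ),
}
HEAD_TREE = {
    "README.md": "# Demo project\n",
    "config/settings.py": (
        "# added comment shifts the lines below\n"
        "DEBUG = True\n"
        "PASSWORD_MIN_LENGTH = 12\n"
        "PASSWORD = 'hunter22'\n"
    ),
    ".env": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "constructed-placeholder-not-a-real-key\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in new_findings(scan_tree(BASE_TREE), scan_tree(HEAD_TREE)):
        print(f"{f.path}:{f.line}: {f.rule}")
```

Running the module prints the four findings introduced by the MR (the `.env` file and its AWS key, the `deploy/id_rsa` file and its private-key header) and omits the pre-existing `PASSWORD` assignment even though it moved to a different line; `PASSWORD_MIN_LENGTH` never matches because the rule requires an assignment directly after the variable name.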

There is also strong demand for blocking a remote push that contains secrets. This is not a simple problem to address, because it implies solving the following problems:

  1. the detection should complete in a reasonable time (it is a synchronous operation)
  2. false positives may block legitimate commits with no way to bypass the block

What's Next & Why

We want to leverage existing open source tools to provide a first MVC for Secret Detection.

The next MVC is to perform Secret Detection on the full history of the repository: https://gitlab.com/gitlab-org/gitlab-ee/issues/9508

Maturity Plan

Competitive Landscape

GitHub offers Token Scanning that aims to detect secrets in public repositories. The approach is quite different, as the scan is performed asynchronously and users are not notified, but service providers are.

Analyst Landscape

Secret Detection is not currently part of any analyst report. However, since we consider it related to SAST, we can raise awareness in that context.


Top Customer Success/Sales Issue(s)


Top user issue(s)


Top internal customer issue(s)

Currently we don't have any requests from our internal customers.


Top Vision Item(s)