The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Good tooling helps people and teams stay resilient against mistakes.
GitLab Secret Detection helps you avoid a particularly dangerous type of mistake: leaking credentials or other secrets in your code repositories.
Even experienced developers and teams can slip up and cause serious risk by committing secrets into repositories. For example, a 2019 research paper reported that "thousands of new, unique secrets are leaked every day" in public repositories.
The potential damage is significant: secrets often provide access to sensitive data, production systems, or cloud resources that can be abused.
If a repository is public, any number of automated tools or malicious users can detect and abuse the secret—there are even public sites that watch for leaked secrets. And, even if a repository is private within a team, leaked secrets can no longer be trusted to uniquely identify the authorized user(s) in a non-repudiable way.
GitLab's Security Trends analysis found that 18% of projects hosted on GitLab had identified leaked secrets with Secret Detection.
GitLab was recently named a Challenger in the 2021 Magic Quadrant for Application Security Testing.
GitLab Secret Detection helps you prevent the unintentional leak of sensitive information like passwords, authentication tokens, and private keys.
It checks source files and configuration files to detect well-known and common patterns that look like secrets or credentials and reports findings that are potentially risky to share.
Secret Detection doesn't target a specific language, so you can easily enable it in any project. Our approach is based on patterns for identifiable credentials like AWS tokens, API keys, and more.
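As an added illustration of the pattern-based, language-agnostic approach described above (example code written for this page, not GitLab's analyzer or ruleset), the scanner below runs a few credential-format rules over constructed sample files and reports redacted findings with their locations. The rule set, the sample values and the glpat- token body length are assumptions.

```python
import re
from collections import namedtuple

# Constructed rules in the spirit of the pattern-based approach the page describes;
# they are not GitLab's ruleset. The glpat- token body length is an assumption.
RULES = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitLab personal access token": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Group 1 captures the assigned value: a quoted run of 8+ non-space characters.
    "Generic password assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
# Constructed sample repository content; every value is a placeholder, not a live credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS's documented example key ID
        "DEBUG = True\n"
        "db_password = \"correct-horse-battery\"\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITLAB_TOKEN=glpat-ABCDEFGHIJKLMNOPQRST\n"  # placeholder with the glpat- prefix
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

Finding = namedtuple("Finding", "path line rule redacted")

def redact(value: str) -> str:
    """Keep a short prefix so a report is actionable without re-leaking the value."""
    return value[:6] + "*" * max(0, len(value) - 6)

def scan_text(path: str, text: str) -> list:
    """Apply every rule to every line; report rule, location and a redacted match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, rule, redact(value)))
    return findings

def scan_files(files: dict) -> list:
    """Language-agnostic: the same rules run over every file regardless of its type."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.redacted}")
```

Rules keyed on a fixed prefix (AKIA, glpat-) produce far fewer false positives than the generic assignment rule, which is why a real ruleset pairs generic patterns with allowlists and reviewer triage.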
We want everyone to be as secure as they can be, so:
In GitLab Ultimate, after you enable Secret Detection:
GitLab Secret Detection runs in your CI/CD pipelines and reports results. The Secret Detection category covers this feature.
Separately, GitLab offers other features that also relate to secret values:
Overall, we want to help developers write better code and worry less about common security mistakes. Our goal is to provide Secret Detection as a standard part of the software development lifecycle (SDLC). No one should have to think about secrets to be protected from leaking them.
The importance of these goals is validated by GitLab's 2020 DevSecOps Landscape Survey. With 3,650 respondents from 21 countries, the survey found:
User success metrics
At GitLab, we analyze product usage data to help us deliver better results. Team members can see the growth of GitLab Secret Detection on our performance indicators dashboard (private link).
The following measures would help us know how successful we are in achieving our goals:
Our first duty is to deliver a reliable, usable, trustworthy solution to our users. We generally handle high-severity bug fixes before we work on feature improvements, and we treat significant performance improvements as "feature work".
Our proactive work centers around two major themes:
We specifically plan to:
Longer-term, we hope to be able to take action on leaked secrets even earlier, in keeping with the Secure stage theme Shift Left. No, More Left Than That. This could mean running secret detection on developers' workstations or rejecting commits that include detected secrets.
We intend to expand detection and response workflows first, before we implement blocking features. We believe this approach:
At GitLab, we assess the maturity of each feature category.
The Category Maturity level for Secret Detection is currently Viable. We plan to mature it to Complete in 2023.
Secret Detection is maintained by the Static Analysis group, which also maintains Static Application Security Testing (SAST) and Code Quality.
Because Secret Detection is self-contained and only uses one analyzer, we can use Secret Detection to iterate quickly on changes that can be applied to Static Application Security Testing (SAST) and Code Quality.
We also seek to make improvements in other areas, for example:
glpat- prefix
View the full changelog of Secret Detection features we've announced.
There are a variety of vendors and open source projects offering Secret Detection solutions:
GitLab is built to help you keep all your DevSecOps workflows in a single platform. When you use GitLab Secret Detection:
We engage analysts to make them aware of the security features already available in GitLab. We blend analyst insights with what we hear from our customers, prospects, the larger market, and the security community to ensure we’re adapting as the landscape evolves.
Analysts usually include Secret Detection as a secondary feature of Application Security Testing (AST) coverage. See Category Direction - Static Application Security Testing (SAST) for up-to-date analyst coverage.
See all Secret Detection issues with the customer label.
See all Secret Detection issues.
Last Reviewed: 2022-10-06
Last Updated: 2022-10-06