feat: Auto-revoke glpats within TokenRevocationService
What does this MR do and why?
Automatically revokes GL Personal Access Tokens on detection. This feature is currently behind a feature flag, see #382610 (closed) rollout issue.
Parent issue: #371658 (closed) and handy diagram #371658 (comment 1159759669)
How to set up and validate locally
😬
Emphasis on locally so we don't have a leak prior to this:

```ruby
Feature.enable(:gitlab_pat_auto_revocation)
ApplicationSetting.last.update(secret_detection_token_revocation_enabled: true)
```

- Create a GitLab personal access token (that hopefully relies on the default prefix, `glpat-`, if it hasn't been modified)
- Commit PAT to default branch of repository
- Let pipeline complete (after build completes, `ScanSecurityReportSecretsWorker` must be run)
- Check if token was revoked via access tokens page
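The first validation step leans on the token carrying the default `glpat-` prefix. As an added illustration (not GitLab's own code and not part of this MR), the snippet below scans the added lines of a commit diff for PAT-shaped strings with a configurable prefix, which makes the caveat concrete: an instance that changed its prefix will not match the default pattern, so nothing is detected and nothing is revoked. The `pat_pattern` / `find_pats_in_diff` names, the 20-character token body, and the sample diff are all assumptions made for this example.

```ruby
# Added example, not GitLab's code. Assumption: a PAT is the configured prefix
# followed by 20 characters from the URL-safe base64 alphabet. An instance that
# changed its prefix needs a matching pattern, otherwise the token is never
# detected and therefore never handed to revocation.
DEFAULT_PAT_PREFIX = "glpat-".freeze

def pat_pattern(prefix = DEFAULT_PAT_PREFIX)
  /#{Regexp.escape(prefix)}[A-Za-z0-9_\-]{20}/
end

# Returns the distinct PAT-shaped strings found in the added ("+") lines of a
# unified diff. Removed lines are ignored on purpose: a token that only appears
# in "-" lines was already in the repository history and is not a new leak.
def find_pats_in_diff(diff, prefix: DEFAULT_PAT_PREFIX)
  diff.each_line
      .select { |l| l.start_with?("+") && !l.start_with?("+++") }
      .flat_map { |l| l.scan(pat_pattern(prefix)) }
      .uniq
end

# Constructed sample diff; the token values are made up and not real credentials.
SAMPLE_DIFF = <<~DIFF
  diff --git a/.env b/.env
  +++ b/.env
  +GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt
  -OLD_TOKEN=glpat-ZzZzZzZzZzZzZzZzZzZz
  +CUSTOM_TOKEN=acme-pat-0123456789abcdefghij
DIFF

if __FILE__ == $PROGRAM_NAME
  puts "default prefix:  #{find_pats_in_diff(SAMPLE_DIFF).inspect}"
  puts "custom prefix:   #{find_pats_in_diff(SAMPLE_DIFF, prefix: 'acme-pat-').inspect}"
end
```

With the default prefix only the `glpat-` token on an added line is reported; the custom-prefixed token is found only when the scanner is told about that prefix, which is the situation the "if it hasn't been modified" caveat warns about. The example stops at detection; confirming the revocation itself is the last manual step above (the access tokens page).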
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Lucas Charles