Skip to content

G
gitlab-ce
Commit be5fab5b authored by Russell Dickenson's avatar Russell Dickenson
Browse files
Options

Merge branch 'theoretick-master-patch-33236' into 'master' 

doc: Move secret post-processing to own section

See merge request gitlab-org/gitlab!57383
parents baf3c913 bcd7cc25
Show whitespace changes
Inline Side-by-side
Showing with 28 additions and 12 deletions
doc/user/application_security/secret_detection/index.md
View file @ be5fab5b
...@@ -133,18 +133,6 @@ The results are saved as a ...@@ -133,18 +133,6 @@ The results are saved as a
that you can later download and analyze. Due to implementation limitations, we that you can later download and analyze. Due to implementation limitations, we
always take the latest Secret Detection artifact available. always take the latest Secret Detection artifact available.
### Post-processing
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4639) in GitLab 13.6.
Upon detection of a secret, GitLab supports post processing hooks. These can be used to take actions like notifying the cloud service who issued the secret. The cloud provider can confirm the credentials and take remediation actions like revoking or reissuing a new secret and notifying the creator of the secret. Post-processing workflows vary by supported cloud providers.
GitLab currently supports post-processing for following service providers:
- Amazon Web Services (AWS)
Third party cloud and SaaS providers can [express integration interest by filling out this form](https://forms.gle/wWpvrtLRK21Q2WJL9). Learn more about the [technical details of post-processing secrets](https://gitlab.com/groups/gitlab-org/-/epics/4639).
### Customizing settings ### Customizing settings
The Secret Detection scan settings can be changed through [CI/CD variables](#available-variables) The Secret Detection scan settings can be changed through [CI/CD variables](#available-variables)
...@@ -249,6 +237,34 @@ From highest to lowest severity, the logging levels are: ...@@ -249,6 +237,34 @@ From highest to lowest severity, the logging levels are:
- `info` (default) - `info` (default)
- `debug` - `debug`
## Post-processing and revocation
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4639) in GitLab 13.6.
Upon detection of a secret, GitLab supports post-processing hooks. These can be used to take actions like notifying the cloud service who issued the secret. The cloud provider can confirm the credentials and take remediation actions like revoking or reissuing a new secret and notifying the creator of the secret. Post-processing workflows vary by supported cloud providers.
GitLab currently supports post-processing for following service providers:
- Amazon Web Services (AWS)
Third party cloud and SaaS providers can [express integration interest by filling out this form](https://forms.gle/wWpvrtLRK21Q2WJL9). Learn more about the [technical details of post-processing secrets](https://gitlab.com/groups/gitlab-org/-/epics/4639).
NOTE:
Post-processing is currently limited to a project's default branch, see the above epic for future efforts to support additional branches.
```mermaid
sequenceDiagram
autonumber
Rails->>+Sidekiq: gl-secret-detection-report.json
Sidekiq-->+Sidekiq: BuildFinishedWorker
Sidekiq-->+RevocationAPI: GET revocable keys types
RevocationAPI-->>-Sidekiq: OK
Sidekiq->>+RevocationAPI: POST revoke revocable keys
RevocationAPI-->>-Sidekiq: ACCEPTED
RevocationAPI-->>+Cloud Vendor: revoke revocable keys
Cloud Vendor-->>+RevocationAPI: ACCEPTED
```
## Full History Secret Scan ## Full History Secret Scan
GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7