Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 13 Dec 2022
GitLab / Secure Stage / 13 Dec 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Demo: Automatic revocation of leaked Personal Access Tokens

Description

Quick demo of https://about.gitlab.com/releases/2022/11/22/gitlab-15-6-released/#beta-automatic-revocation-of-leaked-personal-access-tokens

GitLab Secret Detection finds leaked credentials in your codebase so you can revoke them and protect your organization. It detects many kinds of sensitive values, including GitLab Personal Access Tokens.

GitLab is dogfooding a new feature where Personal Access Tokens on GitLab.com are automatically revoked if Secret Detection finds them leaked on the default branch of a public repository.

If your organization is interested in participating in this open beta, please let us know using the form linked in the above release post

A

Hi everyone, my name is Lucas Charles I'm, a Staff backing engineer at gitlab and today we are going to be demoing. The new, auto revocation capability for personal access tokens, that's coming to you in 15.7.

A

So let me just share my screen here and we can run through this new feature.

A

Okay, so, as announced in our blog post for the 1506 release, we now have an open beta for the automatic revocation of leaked personal access tokens on gilab.com.

A

This new capability builds off our existing secret detection, feature by scanning for personal access tokens linked to a gitlab account and when that token is committed to a project on default Branch, it will automatically be revoked.

A

So you can click through right here to see the basic documentation of either the secret detection feature or the actual high-level architecture for how this relocation flow works. But let's just give it a try. So the first thing we're going to do here is we're going to sign in with a test user, and this should be enabled on any individual user. So in this case we're really just using a separate test user. So I, don't accidentally one of my um employee tokens.

A

Now we're going to sign in and um go straight to our profile page.

A

Access tokens and I'm going to create a new access token here and we're going to college geofpat, revocation test.

A

For now we're just going to leave this standard expiration and the scope doesn't really matter in the case of this feature, but we're going to just stick with the most minimal scope. We can just to ensure that we're minimizing our risk so we're going to go with the read user scope, we'll create that access token and showcase it here go ahead and copy that to my clipboard and then over here, I have my separate user now part of the reason I'm using a separate user here.

A

I could very well use the same user, but this alternate user is just demonstrating that, regardless of where the token leaks, it will be revoked across users, groups or projects.

A

So for this project we're just going to go straight in here, you can see it's a fairly standard, go project with a minimal readme and a CI configuration that has secret detection, enabled you can go ahead and go over to the pipeline view to see that and there's only one pipeline containing the secret detection job.

A

So as a prerequisite, we need to have secret detection running to detect these tokens. If we go over to our vulnerability report, you can also see that no tokens have yet been detected, so this is empty and we will go back to the default Branch. Let's go ahead and just open really any file works here, but we'll do it right here, add a new variables block and we'll call this. My secret lab tat token and we'll copy this one here.

A

Paste it in place and then we're going to commit this token now, what's going to happen when we commit this token is a couple things: the secret detection job will kick off in the pipeline on completion. It will persist this new token Discovery in the vulnerability dashboard and be visible here.

A

um Meanwhile, that will kick off a secondary call. That will revoke the token and when we reload our page here, we will no longer see an active personal token, since this will soon be revoked.

A

There is finally an aspect of the token revocation: that's triggering an email, so I have my inbox here open to show me when I get that email coming in. So let's give it a shot.

A

Okay, so the configuration is valid, thankfully, and uh we can go over to the pipeline page to see our latest pipeline.

A

Okay looks like there's a warning that one leak was found, so that's good. That looks like it probably found the token we were looking for. If you go over the secret tab security tab. You can also see this and if we go to our vulnerability reports.

A

We see this token right here now. It takes a second for the revocation to kick off, but as soon as that finishes, then we should see. Oh there we go, we just got our personal access. Token has been roped email, so the geopat revocation test token has been revoked. We go over here and we refresh.

A

We see that we no longer have a active personal access token, and if we refresh our vulnerability page here, we still see that it needs triage, because there was a leak. It requires a certain to review the change and make sure that um it was not used in the second or so that it was live and if you click through scroll to the bottom here, you will see detected one minute ago in this pipeline, and uh that is the feature.

A

This open Beta is rolling out to use it gradually as we're taking on uh test groups and ensuring that it works as expected and keeps everyone on the platform safe. You will see further news about this in upcoming releases. Thank you for listening and reach out. If you have any questions.