
Validity checks

Status: Experiment

  • Tier: Ultimate
  • Offering: GitLab.com

Version history

The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.

For a demonstration, see Validity Checks Demo.

The GitLab validity checks feature determines whether a secret, such as an access token, is active. A secret is active when:

  • It is not expired.
  • It can be used for authentication.

Because active secrets can be used to impersonate a legitimate user, they pose a greater security risk than inactive secrets. If several secrets are leaked at once, knowing which secrets are active is an important part of triage and remediation.

This feature is an experiment.

Enable validity checks

Prerequisites:

  • You must have a project with pipeline security scanning enabled.

To enable validity checks for a project:

  • Contact your GitLab representative and ask them to enable validity checks.

If validity checks are enabled, GitLab checks the status of detected secrets when the secret_detection CI/CD job completes. To view a secret's status, open the vulnerability details page. To update the status of a secret, for example after revoking it, re-run the secret_detection CI/CD job.

Coverage

Validity checks supports the following secret types:

  • GitLab personal access tokens
  • Routable GitLab personal access tokens
  • GitLab deploy tokens
  • GitLab Runner authentication tokens
  • Routable GitLab Runner authentication tokens
  • GitLab Kubernetes agent tokens
  • GitLab SCIM OAuth tokens
  • GitLab CI/CD job tokens
  • GitLab incoming email tokens
  • GitLab feed tokens (v2)
  • GitLab pipeline trigger tokens

Secret status

A secret has one of the following statuses:

  • Possibly active - GitLab couldn't verify the secret status, or the secret type is not supported by validity checks.
  • Active - The secret is not expired and can be used for authentication.
  • Inactive - The secret is expired or revoked and cannot be used for authentication.

You should rotate Active and Possibly active detected secrets as soon as possible. If a secret has an unexpected status, run a new pipeline and wait for the secret_detection job to finish.
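The following Python example, added here and not GitLab's own code, models the status rules and the triage order described in this section: a finding of an unsupported type or a failed check is Possibly active, an expired or revoked secret is Inactive, and only a secret that authenticates is Active, with Active and Possibly active findings sorted first for rotation. The type identifiers, the Finding structure, the verifier callback and the sample findings are all constructed for the example.

```python
# Added example (not GitLab's code): models this page's status rules and triage order.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional
SUPPORTED_TYPES = {  # secret types this page lists as supported (constructed identifiers)
    "gitlab_personal_access_token", "gitlab_deploy_token",
    "gitlab_runner_authentication_token", "gitlab_kubernetes_agent_token",
    "gitlab_scim_oauth_token", "gitlab_ci_job_token", "gitlab_incoming_email_token",
    "gitlab_feed_token_v2", "gitlab_pipeline_trigger_token",
}
ACTIVE, POSSIBLY_ACTIVE, INACTIVE = "Active", "Possibly active", "Inactive"
PRIORITY = {ACTIVE: 0, POSSIBLY_ACTIVE: 1, INACTIVE: 2}  # rotate the first two first

@dataclass
class Finding:
    name: str                       # label for the finding, never the secret value
    secret_type: str
    expires_at: Optional[datetime]  # None means the secret does not expire
    revoked: bool = False

# Verifier: True/False = the secret can/cannot authenticate; None = check failed.
Verifier = Callable[[Finding], Optional[bool]]

def classify(f: Finding, verify: Verifier, now: datetime) -> str:
    if f.secret_type not in SUPPORTED_TYPES:
        return POSSIBLY_ACTIVE  # validity checks cannot verify this type
    if f.revoked or (f.expires_at is not None and f.expires_at <= now):
        return INACTIVE         # expired or revoked: no live check needed
    can_auth = verify(f)
    if can_auth is None:
        return POSSIBLY_ACTIVE  # status could not be verified: treat as live
    return ACTIVE if can_auth else INACTIVE

def triage(findings, verify: Verifier, now: datetime):
    # (name, status) pairs, most urgent first; the sort is stable within a priority
    rows = [(f.name, classify(f, verify, now)) for f in findings]
    return sorted(rows, key=lambda r: PRIORITY[r[1]])

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed findings for the demo
    Finding("pat-expired", "gitlab_personal_access_token", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    Finding("deploy-live", "gitlab_deploy_token", None),
    Finding("runner-revoked", "gitlab_runner_authentication_token", None, revoked=True),
    Finding("aws-key", "aws_access_key", None),  # not covered by validity checks
    Finding("trigger-unchecked", "gitlab_pipeline_trigger_token", None),
]
def demo_verify(f: Finding) -> Optional[bool]:
    # Stand-in for GitLab's live check: one token authenticates, one check errors.
    return {"deploy-live": True, "trigger-unchecked": None}.get(f.name, False)
```

Calling `triage(SAMPLE, demo_verify, NOW)` lists the live deploy token first, then the two findings whose status could not be verified, and the expired and revoked tokens last.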