Secret Detection

Tier: Free, Premium, Ultimate. Offering: GitLab.com, Self-managed, GitLab Dedicated.

In GitLab 14.0, Secret Detection jobs secret_detection_default_branch and secret_detection were consolidated into one job, secret_detection.

People sometimes accidentally commit secrets like keys or API tokens to Git repositories. After a sensitive value is pushed to a remote repository, anyone with access to the repository can impersonate the authorized user of the secret for malicious purposes. Most organizations require exposed secrets to be revoked and replaced to address this risk.

Secret Detection scans your repository to help prevent your secrets from being exposed. Secret Detection scanning works on all text files, regardless of the language or framework used.

GitLab has two methods for detecting secrets which can be used simultaneously:

  • The pipeline method detects secrets during the project’s CI/CD pipeline. This method cannot reject pushes.
  • The pre-receive method detects secrets when users push changes to the remote Git branch. This method can reject pushes if a secret is detected.