Exposure of confidential secret or token GitLab runner registration token
Description
The response body contains content that matches the pattern of a deprecated GitLab Runner registration token was identified. These tokens allow users to register a runner with the selected project. A malicious actor with access to this token can add a custom runner to the pipeline and possibly compromise the repository if the runner was used. Exposing this value could allow attackers to gain access to all resources granted by this token.
Remediation
For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.
To rotate a runner registration token:
- Sign in to your GitLab account and visit the project that created the runner registration token
- In the left-hand menu, select “Settings”
- Under the “Settings” options, select “CI/CD”
- Under the “Runners” section, select the kebab menu (vertical ellipsis) next to the “New project runner”
- Select “Reset registration token” from the dropdown list
- When prompted select “Reset token” in the “Reset registration token” dialog
For more information, please see GitLabs documentation on using runner authentication tokens instead.
Details
| ID | Aggregated | CWE | Type | Risk |
|---|---|---|---|---|
| 798.143 | false | 798 | Passive | High |