From a security perspective, this is a huge advantage. API secrets are supposed to be that – secret. If they fall into the wrong hands, an attacker could use them to gain third party services at the developer’s expense.
AWS keys, for example, can be weaponized to spin up hundreds of hugely expensive instances, which can be used to mine cryptocurrencies. A stolen Twilio API key could be used to call expensive premium rate phone numbers or broadcast a deluge of SMS spam.
Even if you’re working on a private repository, you still shouldn’t bake API keys in the code. It’s terrible practice.
GitLab’s secret detection software is part of its static analysis tool, called SAST (Static Application Security Testing). This is primarily used to check code for other known vulnerabilities, like cross site scripting (XSS) flaws in websites. Should SAST see you’ve included an API key, it’ll warn you before you merge your commit into the main codebase.
The fact that it warns prior to committal is hugely helpful. Because it’s not warning after the fact, it means that developers don’t necessarily have to revoke the key as a precautionary measure, saving time, effort, and preventing any potential downtime.
Of course, it’s not clear if that’s helping shape user behavior. Stupid is as stupid does, and a recent study from North Carolina State University found as many as 100,000 repositories containing API tokens and cryptographic keys (PDF).
This isn’t the only update to come with GitLab 11.9. The service now offers better, more granular controls when it comes to merging updates. This is helpful for those teams that have naturally grown to the point where a one-size-fits-all approach doesn’t quite work.
GitLab has also open-sourced its ChatOps tool, allowing users of its free and basic self-managed plans to control CI/CD jobs from within messaging apps, like Slack and Mattermost.
This update is available now. And given that everyone’s made this rookie error at some point in their life (no shame), it’s probably for the best.
TNW Conference 2019 is coming! Check out our glorious new location, inspiring line-up of speakers and activities, and how to be a part of this annual tech bonanza by clicking here.