GitLab now automatically warns against merging API keys into your codebase


GitLab, the hugely popular DevOps platform, today announced the introduction of secrets detection with version 11.9 of the service. This means that should someone inadvertently include an API key or secret in a commit to a shared repository, the service will warn the user.

From a security perspective, this is a huge advantage. API secrets are supposed to be exactly that – secret. If they fall into the wrong hands, an attacker could use them to gain access to third-party services at the developer’s expense.

AWS keys, for example, can be weaponized to spin up hundreds of hugely expensive instances, which can be used to mine cryptocurrencies. A stolen Twilio API key could be used to call expensive premium rate phone numbers or broadcast a deluge of SMS spam.

Even if you’re working on a private repository, you still shouldn’t bake API keys into the code. It’s terrible practice.

GitLab’s secret detection software is part of its static analysis tool, called SAST (Static Application Security Testing). This is primarily used to check code for other known vulnerabilities, like cross-site scripting (XSS) flaws in websites. Should SAST see you’ve included an API key, it’ll warn you before you merge your commit into the main codebase.

The fact that it warns before the secret lands in the shared codebase is hugely helpful. Because it isn’t warning after the fact, developers don’t necessarily have to revoke the key as a precautionary measure, saving time and effort and avoiding any potential downtime.
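To make the pre-merge check described above concrete, here is a small secret scanner written for this article; it is an added example, not GitLab’s SAST code, and GitLab’s actual detection rules are not published on this page. It scans only the lines a unified diff would add, flags the documented AWS access key ID format, a generic `key = "..."` assignment rule, and long quoted strings whose Shannon entropy looks random; the generic rule, the entropy threshold and the sample diff (which uses AWS’s published placeholder example credentials) are all assumptions constructed for the example.

```python
"""Pre-merge secret scanner for unified diffs (constructed example, not GitLab code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential formats to look for. The AWS access key ID shape (literal "AKIA"
# followed by 16 upper-case letters or digits) is AWS's documented format; the
# generic assignment rule and the entropy threshold below are assumptions
# chosen for this example, not rules taken from any product.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"[A-Za-z0-9+/=_\-]{16,}"
    ),
}
QUOTED_TOKEN = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off


@dataclass
class Finding:
    line_no: int   # line number in the post-merge file
    kind: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_added_lines(diff_text: str) -> list[Finding]:
    """Scan only the lines a diff would add; removed lines cannot leak anything new."""
    findings: list[Finding] = []
    line_no = 0
    for raw in diff_text.splitlines():
        header = HUNK_HEADER.match(raw)
        if header:
            # Hunk header carries the first line number of the new file.
            line_no = int(header.group(1)) - 1
            continue
        if raw.startswith(("+++", "---")) or raw.startswith("-"):
            continue
        line_no += 1  # context and added lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, kind, match.group(0)))
                break
        else:
            # No known format matched: flag long quoted strings that look random.
            for token in QUOTED_TOKEN.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(line_no, "high_entropy_string", token))
                    break
    return findings


def merge_is_safe(diff_text: str) -> bool:
    """What a pre-merge gate would return: True only when nothing was flagged."""
    return not scan_added_lines(diff_text)


# Constructed diff for demonstration; the credential values are AWS's published
# placeholder examples, not live keys.
SAMPLE_DIFF = "\n".join([
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -1,4 +1,6 @@",
    " import os",
    " ",
    '-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]',
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    "+DEBUG = True",
    " TIMEOUT_SECONDS = 30",
])

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
    print("merge allowed" if merge_is_safe(SAMPLE_DIFF) else "merge blocked")
```

Scanning added lines only is the design choice that makes this a merge gate rather than a repository audit: the removed line that read the key from the environment is not flagged, while both hard-coded credentials in the new version are, so the merge would be blocked before the key ever reaches the shared branch and nobody has to rotate it afterwards.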

It’s worth mentioning that GitHub has had a similar feature for a while. Since 2015, it’s proactively checked repositories for leaked OAuth tokens. In October of last year, it updated this service to check for a broader swathe of tokens, including those from Slack and Stripe. GitHub then warns these vendors so they can, if the circumstances require it, revoke the token.

Of course, it’s not clear if that’s helping shape user behavior. Stupid is as stupid does, and a recent study from North Carolina State University found as many as 100,000 repositories containing API tokens and cryptographic keys (PDF).

This isn’t the only update to come with GitLab 11.9. The service now offers better, more granular controls when it comes to merging updates. This is helpful for those teams that have naturally grown to the point where a one-size-fits-all approach doesn’t quite work.

GitLab has also open-sourced its ChatOps tool, allowing users of its free and basic self-managed plans to control CI/CD jobs from within messaging apps, like Slack and Mattermost.

This update is available now. And given that everyone’s made this rookie error at some point in their life (no shame), it’s probably for the best.
