GitLab has announced that version 11.9 of the service will add secret detection: if someone accidentally commits an API key or other secret to a shared repository, the service alerts the user, The Next Web reports.

If an API key falls into the wrong hands, an attacker can use it to consume third-party services at the developer's expense. AWS keys, for example, can be used to spin up hundreds of expensive instances and mine cryptocurrency on them. A stolen Twilio API key can be used to call premium-rate phone numbers or to send SMS spam.

SAST

GitLab's new check is part of its static analysis tooling, SAST (static application security testing). The tool is mainly used to check code for other known vulnerability classes, such as cross-site scripting (XSS) flaws in websites. If SAST now finds an API key in the code, it raises a warning before the commit is merged into the main codebase.
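As an added illustration of the kind of check described above (not GitLab's or GitHub's own code), here is a small Python scanner that inspects only the lines a staged diff adds, matching documented AWS, Slack and Stripe token formats plus high-entropy assignments to secret-looking names, and exits non-zero so it can block a commit as a pre-commit hook. The sample diff, the Slack token and the API-key value are constructed; `AKIAIOSFODNN7EXAMPLE` is AWS's documented example access key ID, and the 3.5-bit entropy threshold is an assumed tuning value.

```python
import math, re, subprocess, sys
from collections import Counter
# Documented token prefixes: AWS access key IDs, Slack tokens, Stripe live keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
# Generic rule: a secret-looking name assigned a long string literal, reported
# only when the literal's entropy looks like random key material.
GENERIC = re.compile(
    r"(?i)\b(?:secret|token|api[_-]?key|password)\w*\s*[:=]\s*['\"]([A-Za-z0-9+/=_-]{20,})['\"]")
# Constructed sample diff (AKIAIOSFODNN7EXAMPLE is AWS's documented example ID).
SAMPLE_DIFF = """\
+++ b/config.py
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
+SLACK_TOKEN = "xoxb-0000000000-constructed"
+api_key = "Zq9fL2mXp7Rv4Ts8Wb1Ky6Nc3"
+password = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""
def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.6 for 25 distinct characters, 0.0 for 'aaaa'."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def redact(s: str) -> str:
    return s[:4] + "..." + s[-2:]  # a finding must never echo the whole secret

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """One dict per finding: 1-based line number, rule name, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(rule, m.group(0)) for rule, rx in PATTERNS.items() for m in rx.finditer(line)]
        hits += [("high_entropy_assignment", m.group(1)) for m in GENERIC.finditer(line)
                 if shannon_entropy(m.group(1)) >= entropy_threshold]
        findings += [{"line": lineno, "rule": r, "value": redact(v)} for r, v in hits]
    return findings

def scan_diff(diff: str) -> list:
    """Scan only lines the diff adds ('+' but not the '+++' header), so an old
    leak does not re-fire on every commit; 'line' counts added lines only."""
    added = [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))

if __name__ == "__main__":  # as a git pre-commit hook: a non-zero exit blocks the commit
    diff = SAMPLE_DIFF if "--demo" in sys.argv else subprocess.run(
        ["git", "diff", "--cached", "--unified=0"], capture_output=True, text=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"possible secret ({f['rule']}) in added line {f['line']}: {f['value']}")
    sys.exit(1 if findings else 0)
```

Run with `--demo` to scan the constructed diff; without it the script reads the staged diff from git. The low-entropy `password` line is deliberately not reported, which shows the false-negative trade-off such heuristics make.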

GitHub has had a similar function for some time. Since 2015 it has proactively scanned repositories for leaked OAuth tokens, and since October last year it also checks for a wider set of tokens, including those of Slack and Stripe. Research by North Carolina State University nevertheless showed that 100,000 repositories contained API tokens and cryptographic keys.

Six percent of those keys were removed within an hour, meaning their owners noticed the mistake immediately. In 12 percent of cases the key was removed within a day, and after sixteen days 19 percent had been removed. Eighty-one percent were therefore never removed.

Other updates

GitLab 11.9 also gets finer-grained controls over the merging of changes, which can be useful for teams that have outgrown a one-size-fits-all approach. In addition, the ChatOps tool has been open-sourced, allowing users of the free and basic subscription tiers to manage CI/CD jobs from messaging apps such as Slack and Mattermost.

The update is available immediately.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.