The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
Stage | Secure |
Maturity | Viable |
Content Last Reviewed | 2024-01-26 |
This direction page describes GitLab's plans for the Secret Detection category, which protects you against leaking credentials, tokens, or other secrets on GitLab.
This page is maintained by the Product Manager for Static Analysis, Connor Gilbert.
Everyone can contribute to where GitLab Secret Detection goes next, and we'd love to hear from you. The best ways to participate in the conversation are to:
gitlab-org/gitlab
issue tracker.@gitlab-bot label ~"group::static analysis" ~"Category:Secret Detection"
so your issue lands in our triage workflow.GitLab Secret Detection helps you avoid a particularly dangerous type of mistake: leaking credentials or other secrets in your code repositories.
We want GitLab to be a safe place to develop software, so we're working to make Secret Detection a standard part of the software development lifecycle (SDLC). No one should have to think about secrets to be protected from leaking them.
Even experienced developers and teams can slip up and cause serious risk by committing secrets into their code repositories.
The potential damage is significant:
GitLab Secret Detection helps you prevent the unintentional leak of sensitive information like authentication tokens and private keys.
Secret Detection checks your Git repositories to detect secrets or credentials, then it reports potential findings. Today, Secret Detection jobs run in your CI/CD pipelines.
We want everyone to be secure, so:
In GitLab Ultimate, after you enable Secret Detection:
Secret Detection doesn't target a specific language, so you can easily enable it in any project. Our approach takes advantage of patterns for well-identifiable credentials like service account keys and API tokens, but also searches for more generic secret types like passwords in certain contexts.
To learn more, check the Secret Detection documentation.
Outside of the Secret Detection category, GitLab also offers other features that relate to secret values:
We're specifically focusing on solving the following user problems:
Those problems support two overall goals that are related but distinct:
Our strategic one-year focus is a balance between:
We generally are focusing more on the next-generation approach, but will still make high-impact improvements to the current architecture.
Specifically, we plan to focus on:
In the next 3 months, we are planning to:
We are also looking forward by:
We are currently working on:
Our recent work includes:
Check older release posts for our previous work in this area.
ℹ️ Best In Class (BIC) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.
Secret Detection products should:
The plan described above reinforces our competitive standing.
In addition to those main themes, we will likely pursue additional detection techniques including:
Secret Detection is available in a variety of packaging types:
We analyze our product against each of these different product types because we serve customers who are accustomed to each of them. Our approach emphasizes the value of the most comprehensive DevSecOps platform by:
As with many security categories, Secret Detection is a bridge between different communities:
Secret Detection products vary in how they're provided:
GitLab packages and prices Secret Detection primarily as part of Ultimate. Basic protection features are available in all tiers. We intend to expand the level of protection available in all tiers, while still delivering unique organization-level value in Ultimate.
Analysts usually include Secret Detection as a secondary feature of Application Security Testing (AST) coverage. See Category Direction - Static Application Security Testing (SAST) for up-to-date analyst coverage.