This article was published on March 22, 2019

GitLab now automatically warns against merging API keys into your codebase

Everyone's made this rookie mistake before


GitLab now automatically warns against merging API keys into your codebase

GitLab, the hugely popular devops platform, today announced the introduction of secrets detection with version 11.9 of the service. This means that should someone inadvertently include an API key or secret in a commit to a shared repository, the service will warn the user.

From a security perspective, this is a huge advantage. API secrets are supposed to be exactly that: secret. If they fall into the wrong hands, an attacker could use them to gain access to third-party services at the developer's expense.

AWS keys, for example, can be weaponized to spin up hundreds of hugely expensive instances, which can be used to mine cryptocurrencies. A stolen Twilio API key could be used to call expensive premium rate phone numbers or broadcast a deluge of SMS spam.

Even if you’re working on a private repository, you still shouldn’t bake API keys in the code. It’s terrible practice.

GitLab's secret detection is part of its static analysis tool, SAST (Static Application Security Testing). SAST is primarily used to check code for other known classes of vulnerability, such as cross-site scripting (XSS) flaws in websites. Should SAST see that you've included an API key, it'll warn you before you merge your commit into the main codebase.

The fact that it warns before the merge is hugely helpful. Because the warning comes before the key lands in the shared codebase rather than after the fact, developers don't necessarily have to revoke the key as a precautionary measure, saving time and effort and preventing any potential downtime.
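GitLab's own detection rules aren't on this page, so as an added illustration (not GitLab's code) here is a minimal pre-merge scanner: it checks only the lines a diff would add against a handful of assumed key formats for the providers the article names, plus an entropy check for generic key-like assignments, and returns what a merge gate would block on.

```python
import math
import re
from collections import Counter

# Illustrative patterns (an assumption here, not GitLab's own rule set) for key
# formats the article names: AWS, Twilio, Slack and Stripe.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
# Catch-all for key-like names assigned a long value; entropy filters out prose.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{20,})"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above identifiers."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_diff(diff: str):
    """Return (line, kind, value) for secrets on lines a merge would ADD."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        # Removed lines and the ---/+++ file headers are not new content.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(body):
                findings.append((lineno, kind, m.group(0)))
        for m in GENERIC_ASSIGNMENT.finditer(body):
            if shannon_entropy(m.group(1)) > 3.5:
                findings.append((lineno, "high_entropy_secret", m.group(1)))
    return findings

# Constructed diff: the AWS value is Amazon's documented placeholder key, the rest are made up.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+STRIPE_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
+API_TOKEN = "Z9kq3mN8vL2xR7pT4wY6bH1cJ5dF0gS"
-OLD_TOKEN = "xoxb-0000000000-aaaaaaaaaaaaaa"
 TIMEOUT = 30
"""
```

Calling `scan_diff(SAMPLE_DIFF)` flags the three added lines and ignores the removed Slack token, which is the distinction between warning before the merge and warning after the fact.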

It’s worth mentioning that GitHub has had a similar feature for a while. Since 2015, it’s proactively checked repositories for leaked OAuth tokens. In October of last year, it updated this service to check for a broader swathe of tokens, including those from Slack and Stripe. GitHub then warns these vendors so they can, if the circumstances require it, revoke the token.

Of course, it’s not clear if that’s helping shape user behavior. Stupid is as stupid does, and a recent study from North Carolina State University found as many as 100,000 repositories containing API tokens and cryptographic keys (PDF).

This isn’t the only update to come with GitLab 11.9. The service now offers better, more granular controls when it comes to merging updates. This is helpful for those teams that have naturally grown to the point where a one-size-fits-all approach doesn’t quite work.

GitLab has also open-sourced its ChatOps tool, allowing users of its free and basic self-managed plans to control CI/CD jobs from within messaging apps, like Slack and Mattermost.

This update is available now. And given that everyone’s made this rookie error at some point in their life (no shame), it’s probably for the best.
