Skip to content

GitLab Code Commit

Step 1: Locate the Exposed Token with SailPoint Entro Platform

  • Use the link provided by SailPoint Entro to navigate directly to the GitLab repository where the token was exposed.

Step 2: Revoke or Rotate the Exposed Token

To remediate the issue, use the RIGOR workflow:

  • Redact Sensitive Information: Remove the exposed token from the affected code, files, or configuration in the GitLab repository. If possible, update the PR to replace the token with references to securely stored tokens. Push new commits to the Pull Request that remove the exposed token from the code or configurations. If sensitive data has been committed to the repository history, use Git’s filter-branch, BFG Repo-Cleaner, or Gitlab's Secret Detection feature to remove it from the commit history.

  • Inform the commit writer about the token exposure so that the practice is not repeated.

  • Generate a new token if it is still needed and ensure it is securely stored, avoiding direct exposure in code, configuration files, or environment variables.

  • Organize and take notes throughout this process as they will be necessary for a future root cause analysis, response plans, etc...

  • Revoke any exposed tokens through the issuing service based on the token type provided by SailPoint Entro. Refer to Key Rotation Best Practices.

Step 3 (optional) : Use Gitlab Secrets or External Secret Management

Consider using Gitlab Secrets in Gitlab Actions to securely manage sensitive information without hard-coding it in the repository.

Alternatively, integrate with an external secret management service such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault to securely store and access tokens and other sensitive data.

Step 4: Update Gitlab Workflows to Access Secrets Securely

  • Update Gitlab Actions workflows and scripts associated with the Pull Request to access sensitive data from Gitlab Secrets or external secret management systems.

  • Modify workflows to fetch secrets dynamically during runtime, ensuring that sensitive data is handled securely without being hard-coded in the code or Pull Request.

  • Use GitLab CI/CD environment variables to securely manage sensitive information without hard-coding it in the repository, or integrate with an external secret management service from step 3.

Step 5: Audit Access

Review Gitlab’s audit logs, Pull Request history, and repository security settings to ensure that no unauthorized access occurred while the token was exposed.

Step 6: Monitor

Enable monitoring and set up Configuration notifications in Gitlab or using external monitoring tools to notify you of any unusual activities related to Pull Request access or sensitive data exposure.

By following these steps, you can effectively manage the exposed token detected by SailPoint Entro in a Gitlab Pull Request, ensuring secure handling of sensitive information and enhancing the overall security of your code review process.