include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

GitLab tokens are used for authentication and authorization purposes.
They are essentially access credentials that allow users or applications to
interact with the GitLab API.

With a GitLab token, you can perform various operations such as creating,
reading, updating, and deleting resources like repositories, issues, merge
requests, and more. Tokens can also be scoped to limit the permissions and
actions that can be performed.

A leaked GitLab token can have significant consequences for the security and
integrity of the associated account and resources. It exposes the account to
unauthorized access, potentially leading to data breaches and malicious actions.
The unintended audience can exploit the leaked token to gain unauthorized entry
into the GitLab account, allowing them to view, modify, or delete repositories,
issues, and other resources. This unauthorized access can result in the exposure
of sensitive data, such as proprietary code, customer information, or
confidential documents, leading to potential data breaches.

Moreover, the unintended audience can perform malicious actions within the account,
introducing vulnerabilities, injecting malicious code, or tampering with
settings. This can compromise the security of the account and the integrity of
the software development process.

Additionally, a leaked token can enable the
unintended audience to take control of the GitLab account, potentially changing
passwords, modifying settings, and adding or removing collaborators. This
account takeover can disrupt development and collaboration workflows, causing
reputational damage and operational disruptions.

Furthermore, the impact of a
leaked token extends beyond the immediate account compromise. It can have
regulatory and compliance implications, requiring organizations to report the
breach, notify affected parties, and potentially face legal and financial
consequences.

In general, the compromise of a GitLab token would lead to consequences referred to as supply chain attacks that can affect more than one's own organization.

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/recent_use.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

:example_secret: glpat-zcs1FfaxGnHfvzd7ExHz
:example_name: token
:example_env: TOKEN

include::../../../shared_content/secrets/examples.adoc[]

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks