Secret Detection Runbooks

Overview

This page lists runbooks used by the Secret Detection team for monitoring, mitigating and responding to an incident.

Runbooks


Secret Push Protection Monitoring
When to use this runbook?

This runbook is intended to be used when monitoring the secret push protection feature to identify and mitigate any reliability issues or performance regressions that may occur when it is enabled on GitLab.com. The runbook can also be used to understand more about the relevant dashboards below and how to improve them:

Secret Push Protection – Overview Dashboard

What to monitor?

While the feature, in its current form, doesn't have any external components and is entirely encapsulated within the application server as a dependency, it does interact with a number of components, as can be seen in this push event sequence diagram.

Secret push protection performance testing
When to use this runbook?

Use this runbook for:

Running GPT tests - for running tests and comparing with previous benchmarks
Deploying a new version of GitLab to GET - for updating a GET instance, most likely to test out changes related to secret push protection
Setting up a new GET environment - for testing different reference architectures

Prerequisites

gcloud (official instructions) - for running various commands, and for logging in to the test runner VM
The Static Analysis GCP Project (see Resources section) - access required to make changes to the infrastructure

Running GPT tests

Manual testing

Get the URL and password for the root user from 1Password by searching for Static Analysis in the Engineering Vault.

Secret push protection troubleshooting
When to use this runbook?

Use this runbook for troubleshooting Production issues related to the secret push protection feature.

Relevant settings

Setting | Type | Level | Visibility
pre_receive_secret_detection_beta_release | Feature Flag | Instance | Not visible, has to be toggled via ChatOps.
pre_receive_secret_detection_enabled | Database Setting | Instance | Only in a Dedicated instance, or with pre_receive_secret_detection_beta_release enabled and only when the feature is licensed (in Ultimate).
pre_receive_secret_detection_push_check | Feature Flag | Project | Not visible, has to be toggled via ChatOps.

Last modified June 27, 2024: Fix various vale errors (46417d02)