GitLab Token

Description

General

• Documentation: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
• Summary: GitLab is an open-source code hosting website that provides issue tracking, continuous integration and deployment pipeline. This detector aims at detecting tokens used to programmatically act on behalf of a user.

Details for GitLab Token

• Family: token

• Category: version_control_platform

• Company: GitLab

• High recall: False

• Validity check available: True

• Analyzer available: True

• Revoker available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Occurrences found for one million commits: 5.51

• Prefixed: False

Details for GitLab Token

• Family: token

• Category: version_control_platform

• Company: GitLab

• High recall: False

• Validity check available: True

• Analyzer available: True

• Revoker available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: True

• Occurrences found for one million commits: 0.08

• Prefixed: False

Details for GitLab Token

• Family: token

• Category: version_control_platform

• Company: GitLab

• High recall: True

• Validity check available: True

• Analyzer available: True

• Revoker available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Occurrences found for one million commits: 127.5

• Prefixed: True

Secret Analyzer

Analysis Method

• Provider allows scopes enumeration: False
• Total network call count: 382
• Total call count may vary: True

HTTP Calls

Requests are designed to capture metadata and not to function effectively.

• DELETE: /api/v4/groups/*
• DELETE: /api/v4/groups/*/-/virtual_registries/cleanup/policy
• DELETE: /api/v4/groups/*/dependency_proxy/cache
• DELETE: /api/v4/groups/*/enterprise_users/*
• DELETE: /api/v4/groups/*/ldap_group_links
• DELETE: /api/v4/groups/*/member_roles/*
• DELETE: /api/v4/groups/*/saml/*
• DELETE: /api/v4/groups/*/saml_group_links/*
• DELETE: /api/v4/groups/*/scim/*
• DELETE: /api/v4/groups/*/service_accounts/*
• DELETE: /api/v4/groups/*/service_accounts/*/personal_access_tokens/*
• DELETE: /api/v4/groups/*/ssh_certificates/*
• DELETE: /api/v4/personal_access_tokens/*
• DELETE: /api/v4/projects/*
• DELETE: /api/v4/projects/*/access_requests/*
• DELETE: /api/v4/projects/*/access_tokens/*
• DELETE: /api/v4/projects/*/approval_rules/*
• DELETE: /api/v4/projects/*/artifacts
• DELETE: /api/v4/projects/*/badges/*
• DELETE: /api/v4/projects/*/cluster_agents/*
• DELETE: /api/v4/projects/*/cluster_agents/*/tokens/*
• DELETE: /api/v4/projects/*/cluster_agents/*/url_configurations/*
• DELETE: /api/v4/projects/*/clusters/*
• DELETE: /api/v4/projects/*/debian_distributions/*
• DELETE: /api/v4/projects/*/deploy_keys/*
• DELETE: /api/v4/projects/*/deploy_tokens/*
• DELETE: /api/v4/projects/*/deployments/*
• DELETE: /api/v4/projects/*/environments/review_apps
• DELETE: /api/v4/projects/*/external_status_checks/*
• DELETE: /api/v4/projects/*/feature_flags/*
• DELETE: /api/v4/projects/*/feature_flags_user_lists/*
• DELETE: /api/v4/projects/*/freeze_periods/*
• DELETE: /api/v4/projects/*/hooks/*
• DELETE: /api/v4/projects/*/hooks/*/custom_headers/*
• DELETE: /api/v4/projects/*/hooks/*/url_variables/*
• DELETE: /api/v4/projects/*/invitations/*
• DELETE: /api/v4/projects/*/issues/*
• DELETE: /api/v4/projects/*/job_token_scope/allowlist/*
• DELETE: /api/v4/projects/*/jobs/*/artifacts
• DELETE: /api/v4/projects/*/labels
• DELETE: /api/v4/projects/*/members/*
• DELETE: /api/v4/projects/*/merge_requests/*
• DELETE: /api/v4/projects/*/merge_requests/*/approval_rules/*
• DELETE: /api/v4/projects/*/merge_requests/*/blocks/*
• DELETE: /api/v4/projects/*/packages/*
• DELETE: /api/v4/projects/*/pages
• DELETE: /api/v4/projects/*/pages/domains/*
• DELETE: /api/v4/projects/*/pipeline_schedules/*
• DELETE: /api/v4/projects/*/pipelines/*
• DELETE: /api/v4/projects/*/protected_environments/*
• DELETE: /api/v4/projects/*/push_rule
• DELETE: /api/v4/projects/*/registry/protection/repository/rules/*
• DELETE: /api/v4/projects/*/registry/protection/tag/rules/*
• DELETE: /api/v4/projects/*/registry/repositories/*
• DELETE: /api/v4/projects/*/releases/*
• DELETE: /api/v4/projects/*/releases/*/assets/links/*
• DELETE: /api/v4/projects/*/remote_mirrors/*
• DELETE: /api/v4/projects/*/repository/commits/*/discussions/*/notes/*
• DELETE: /api/v4/projects/*/repository/files/*
• DELETE: /api/v4/projects/*/repository/merged_branches
• DELETE: /api/v4/projects/*/repository/tags/*
• DELETE: /api/v4/projects/*/secure_files/*
• DELETE: /api/v4/projects/*/terraform/state/*
• DELETE: /api/v4/projects/*/triggers/*
• DELETE: /api/v4/projects/*/uploads/*
• DELETE: /api/v4/projects/*/variables/*
• DELETE: /api/v4/projects/*/vulnerabilities/*/notes/*
• DELETE: /api/v4/projects/*/wikis/*
• DELETE: /api/v4/snippets/*
• DELETE: /api/v4/user/emails/*
• DELETE: /api/v4/user/gpg_keys/*
• DELETE: /api/v4/user/keys/*
• GET: /api/v4/bulk_imports
• GET: /api/v4/bulk_imports/*/entities/*/failures
• GET: /api/v4/bulk_imports/entities
• GET: /api/v4/groups
• GET: /api/v4/groups/*/-/virtual_registries/cleanup/policy
• GET: /api/v4/groups/*/-/virtual_registries/packages/npm/registries
• GET: /api/v4/groups/*/enterprise_users
• GET: /api/v4/groups/*/epics/*/resource_label_events
• GET: /api/v4/groups/*/export/download
• GET: /api/v4/groups/*/placeholder_reassignments
• GET: /api/v4/groups/*/provisioned_users
• GET: /api/v4/groups/*/saml/identities
• GET: /api/v4/groups/*/saml_group_links
• GET: /api/v4/groups/*/saml_users
• GET: /api/v4/groups/*/scim/identities
• GET: /api/v4/groups/*/service_accounts/*/personal_access_tokens
• GET: /api/v4/groups/*/ssh_certificates
• GET: /api/v4/member_roles
• GET: /api/v4/metadata
• GET: /api/v4/namespaces
• GET: /api/v4/namespaces/*/gitlab_subscription
• GET: /api/v4/notification_settings
• GET: /api/v4/orbit/schema
• GET: /api/v4/personal_access_tokens
• GET: /api/v4/personal_access_tokens/self
• GET: /api/v4/projects
• GET: /api/v4/projects/*/-/search/semantic
• GET: /api/v4/projects/*/access_requests
• GET: /api/v4/projects/*/access_tokens
• GET: /api/v4/projects/*/approval_rules
• GET: /api/v4/projects/*/approvals
• GET: /api/v4/projects/*/avatar
• GET: /api/v4/projects/*/badges
• GET: /api/v4/projects/*/ci/lint
• GET: /api/v4/projects/*/cluster_agents
• GET: /api/v4/projects/*/cluster_agents/*/tokens
• GET: /api/v4/projects/*/cluster_agents/*/url_configurations
• GET: /api/v4/projects/*/clusters
• GET: /api/v4/projects/*/debian_distributions
• GET: /api/v4/projects/*/dependencies
• GET: /api/v4/projects/*/deploy_keys
• GET: /api/v4/projects/*/deploy_tokens
• GET: /api/v4/projects/*/deployments
• GET: /api/v4/projects/*/environments
• GET: /api/v4/projects/*/export
• GET: /api/v4/projects/*/export/download
• GET: /api/v4/projects/*/export_relations/download
• GET: /api/v4/projects/*/export_relations/status
• GET: /api/v4/projects/*/external_status_checks
• GET: /api/v4/projects/*/feature_flags
• GET: /api/v4/projects/*/feature_flags_user_lists
• GET: /api/v4/projects/*/freeze_periods
• GET: /api/v4/projects/*/hooks
• GET: /api/v4/projects/*/import
• GET: /api/v4/projects/*/invitations
• GET: /api/v4/projects/*/issues
• GET: /api/v4/projects/*/issues/*/resource_label_events
• GET: /api/v4/projects/*/job_token_scope
• GET: /api/v4/projects/*/job_token_scope/allowlist
• GET: /api/v4/projects/*/jobs
• GET: /api/v4/projects/*/jobs/*/artifacts
• GET: /api/v4/projects/*/labels
• GET: /api/v4/projects/*/members
• GET: /api/v4/projects/*/merge_request_approval_setting
• GET: /api/v4/projects/*/merge_requests
• GET: /api/v4/projects/*/merge_requests/*/approval_rules
• GET: /api/v4/projects/*/merge_requests/*/approvals
• GET: /api/v4/projects/*/merge_requests/*/blocks
• GET: /api/v4/projects/*/merge_requests/*/resource_label_events
• GET: /api/v4/projects/*/merge_requests/*/status_checks
• GET: /api/v4/projects/*/merge_trains
• GET: /api/v4/projects/*/mirror/pull
• GET: /api/v4/projects/*/ml/mlflow/api/*.0/mlflow-artifacts/artifacts
• GET: /api/v4/projects/*/ml/mlflow/api/*.0/mlflow/runs/get
• GET: /api/v4/projects/*/packages
• GET: /api/v4/projects/*/packages/*/pipelines
• GET: /api/v4/projects/*/pages
• GET: /api/v4/projects/*/pages/domains
• GET: /api/v4/projects/*/pipeline_schedules
• GET: /api/v4/projects/*/pipelines
• GET: /api/v4/projects/*/protected_branches
• GET: /api/v4/projects/*/protected_environments
• GET: /api/v4/projects/*/protected_tags
• GET: /api/v4/projects/*/push_rule
• GET: /api/v4/projects/*/registry/protection/repository/rules
• GET: /api/v4/projects/*/registry/protection/tag/rules
• GET: /api/v4/projects/*/relation-imports
• GET: /api/v4/projects/*/releases
• GET: /api/v4/projects/*/releases/*/assets/links
• GET: /api/v4/projects/*/remote_mirrors
• GET: /api/v4/projects/*/remote_mirrors/*/public_key
• GET: /api/v4/projects/*/repository/branches
• GET: /api/v4/projects/*/repository/commits
• GET: /api/v4/projects/*/repository/tags
• GET: /api/v4/projects/*/repository/tree
• GET: /api/v4/projects/*/resource_groups
• GET: /api/v4/projects/*/runners
• GET: /api/v4/projects/*/secure_files
• GET: /api/v4/projects/*/security_settings
• GET: /api/v4/projects/*/statistics
• GET: /api/v4/projects/*/templates/licenses
• GET: /api/v4/projects/*/terraform/state/*
• GET: /api/v4/projects/*/triggers
• GET: /api/v4/projects/*/uploads
• GET: /api/v4/projects/*/variables
• GET: /api/v4/projects/*/vulnerabilities
• GET: /api/v4/projects/*/vulnerabilities/*/notes
• GET: /api/v4/projects/*/wikis
• GET: /api/v4/search
• GET: /api/v4/security/vulnerability_exports/*
• GET: /api/v4/snippets
• GET: /api/v4/todos
• GET: /api/v4/user
• GET: /api/v4/user/activities
• GET: /api/v4/user/emails
• GET: /api/v4/user/gpg_keys
• GET: /api/v4/user/keys
• GET: /api/v4/user/preferences
• GET: /api/v4/user/status
• GET: /api/v4/user/support_pin
• GET: /api/v4/user_counts
• GET: /api/v4/users/*
• GET: /api/v4/users/*/followers
• GET: /api/v4/users/*/following
• GET: /api/v4/users/*/starred_projects
• PATCH: /api/v4/groups/*/-/virtual_registries/cleanup/policy
• PATCH: /api/v4/groups/*/enterprise_users/*
• PATCH: /api/v4/groups/*/enterprise_users/*/disable_two_factor
• PATCH: /api/v4/groups/*/saml/*
• PATCH: /api/v4/groups/*/scim/*
• PATCH: /api/v4/projects/*/job_token_scope
• PATCH: /api/v4/projects/*/pages
• PATCH: /api/v4/projects/*/protected_branches/*
• PATCH: /api/v4/projects/*/registry/protection/repository/rules/*
• PATCH: /api/v4/projects/*/registry/protection/tag/rules/*
• POST: /api/v4/ai/duo_workflows/workflows/*/resume
• POST: /api/v4/bulk_imports
• POST: /api/v4/chat/completions
• POST: /api/v4/code_suggestions/completions
• POST: /api/v4/code_suggestions/connection_details
• POST: /api/v4/code_suggestions/direct_access
• POST: /api/v4/code_suggestions/enabled
• POST: /api/v4/groups
• POST: /api/v4/groups/*/-/virtual_registries/cleanup/policy
• POST: /api/v4/groups/*/-/virtual_registries/packages/npm/registries
• POST: /api/v4/groups/*/access_requests
• POST: /api/v4/groups/*/archive
• POST: /api/v4/groups/*/export
• POST: /api/v4/groups/*/ldap_group_links
• POST: /api/v4/groups/*/ldap_sync
• POST: /api/v4/groups/*/member_roles
• POST: /api/v4/groups/*/members/approve_all
• POST: /api/v4/groups/*/restore
• POST: /api/v4/groups/*/saml_group_links
• POST: /api/v4/groups/*/service_accounts/*/personal_access_tokens
• POST: /api/v4/groups/*/service_accounts/*/personal_access_tokens/*/rotate
• POST: /api/v4/groups/*/share
• POST: /api/v4/groups/*/ssh_certificates
• POST: /api/v4/groups/*/transfer
• POST: /api/v4/groups/import
• POST: /api/v4/import/bitbucket
• POST: /api/v4/import/bitbucket_server
• POST: /api/v4/import/github
• POST: /api/v4/import/github/cancel
• POST: /api/v4/import/github/gists
• POST: /api/v4/personal_access_tokens/*/rotate
• POST: /api/v4/projects
• POST: /api/v4/projects/*/access_tokens
• POST: /api/v4/projects/*/access_tokens/self/rotate
• POST: /api/v4/projects/*/approval_rules
• POST: /api/v4/projects/*/approvals
• POST: /api/v4/projects/*/archive
• POST: /api/v4/projects/*/badges
• POST: /api/v4/projects/*/catalog/publish
• POST: /api/v4/projects/*/ci/lint
• POST: /api/v4/projects/*/cluster_agents
• POST: /api/v4/projects/*/cluster_agents/*/tokens
• POST: /api/v4/projects/*/cluster_agents/*/url_configurations
• POST: /api/v4/projects/*/clusters/user
• POST: /api/v4/projects/*/debian_distributions
• POST: /api/v4/projects/*/dependency_list_exports
• POST: /api/v4/projects/*/deploy_keys
• POST: /api/v4/projects/*/deploy_keys/*/enable
• POST: /api/v4/projects/*/deploy_tokens
• POST: /api/v4/projects/*/deployments
• POST: /api/v4/projects/*/deployments/*/approval
• POST: /api/v4/projects/*/environments
• POST: /api/v4/projects/*/environments/stop_stale
• POST: /api/v4/projects/*/export
• POST: /api/v4/projects/*/export_relations
• POST: /api/v4/projects/*/external_status_checks
• POST: /api/v4/projects/*/feature_flags
• POST: /api/v4/projects/*/feature_flags_user_lists
• POST: /api/v4/projects/*/fork
• POST: /api/v4/projects/*/freeze_periods
• POST: /api/v4/projects/*/hooks
• POST: /api/v4/projects/*/hooks/*/events/*/resend
• POST: /api/v4/projects/*/hooks/*/test/*
• POST: /api/v4/projects/*/invitations
• POST: /api/v4/projects/*/issues
• POST: /api/v4/projects/*/issues/*/todo
• POST: /api/v4/projects/*/job_token_scope/allowlist
• POST: /api/v4/projects/*/jobs/*/artifacts/keep
• POST: /api/v4/projects/*/jobs/*/cancel
• POST: /api/v4/projects/*/jobs/*/erase
• POST: /api/v4/projects/*/jobs/*/play
• POST: /api/v4/projects/*/labels
• POST: /api/v4/projects/*/members
• POST: /api/v4/projects/*/merge_requests
• POST: /api/v4/projects/*/merge_requests/*/approval_rules
• POST: /api/v4/projects/*/merge_requests/*/approve
• POST: /api/v4/projects/*/merge_requests/*/blocks
• POST: /api/v4/projects/*/merge_requests/*/cancel_merge_when_pipeline_succeeds
• POST: /api/v4/projects/*/merge_requests/*/pipelines
• POST: /api/v4/projects/*/merge_requests/*/status_check_responses
• POST: /api/v4/projects/*/merge_requests/*/status_checks/*/retry
• POST: /api/v4/projects/*/merge_trains/merge_requests/*
• POST: /api/v4/projects/*/mirror/pull
• POST: /api/v4/projects/*/ml/mlflow/api/*.0/mlflow/runs/create
• POST: /api/v4/projects/*/ml/mlflow/api/*.0/mlflow/runs/delete
• POST: /api/v4/projects/*/ml/mlflow/api/*.0/mlflow/runs/log-batch
• POST: /api/v4/projects/*/ml/mlflow/api/*.0/mlflow/runs/update
• POST: /api/v4/projects/*/packages/composer
• POST: /api/v4/projects/*/pages/domains
• POST: /api/v4/projects/*/pipeline
• POST: /api/v4/projects/*/pipeline_schedules
• POST: /api/v4/projects/*/pipeline_schedules/*/play
• POST: /api/v4/projects/*/pipelines/*/retry
• POST: /api/v4/projects/*/protected_branches
• POST: /api/v4/projects/*/protected_environments
• POST: /api/v4/projects/*/protected_tags
• POST: /api/v4/projects/*/push_rule
• POST: /api/v4/projects/*/registry/protection/repository/rules
• POST: /api/v4/projects/*/registry/protection/tag/rules
• POST: /api/v4/projects/*/releases
• POST: /api/v4/projects/*/releases/*/assets/links
• POST: /api/v4/projects/*/remote_mirrors
• POST: /api/v4/projects/*/remote_mirrors/*/sync
• POST: /api/v4/projects/*/repository/branches
• POST: /api/v4/projects/*/repository/commits/*/comments
• POST: /api/v4/projects/*/repository/files/*
• POST: /api/v4/projects/*/repository/tags
• POST: /api/v4/projects/*/runners
• POST: /api/v4/projects/*/runners/reset_registration_token
• POST: /api/v4/projects/*/secure_files
• POST: /api/v4/projects/*/share
• POST: /api/v4/projects/*/star
• POST: /api/v4/projects/*/terraform/state/*
• POST: /api/v4/projects/*/terraform/state/*/lock
• POST: /api/v4/projects/*/triggers
• POST: /api/v4/projects/*/variables
• POST: /api/v4/projects/*/vulnerabilities
• POST: /api/v4/projects/*/vulnerabilities/*/notes
• POST: /api/v4/projects/*/wikis
• POST: /api/v4/projects/import
• POST: /api/v4/projects/import-relation
• POST: /api/v4/security/projects/*/vulnerability_exports
• POST: /api/v4/snippets
• POST: /api/v4/topics
• POST: /api/v4/topics/merge
• POST: /api/v4/usage_data/increment_counter
• POST: /api/v4/usage_data/track_event
• POST: /api/v4/user/emails
• POST: /api/v4/user/gpg_keys
• POST: /api/v4/user/gpg_keys/*/revoke
• POST: /api/v4/user/keys
• POST: /api/v4/user/personal_access_tokens
• POST: /api/v4/user/runners
• POST: /api/v4/users/*/follow
• POST: /api/v4/users/*/unfollow
• PUT: /api/v4/projects/*/access_requests/*/approve
• PUT: /api/v4/projects/*/approval_rules/*
• PUT: /api/v4/projects/*/badges/*
• PUT: /api/v4/projects/*/clusters/*
• PUT: /api/v4/projects/*/custom_attributes/*
• PUT: /api/v4/projects/*/debian_distributions/*
• PUT: /api/v4/projects/*/deploy_keys/*
• PUT: /api/v4/projects/*/deployments/*
• PUT: /api/v4/projects/*/environments/*
• PUT: /api/v4/projects/*/external_status_checks/*
• PUT: /api/v4/projects/*/feature_flags/*
• PUT: /api/v4/projects/*/feature_flags_user_lists/*
• PUT: /api/v4/projects/*/freeze_periods/*
• PUT: /api/v4/projects/*/hooks/*
• PUT: /api/v4/projects/*/hooks/*/custom_headers/*
• PUT: /api/v4/projects/*/hooks/*/url_variables/*
• PUT: /api/v4/projects/*/invitations/*
• PUT: /api/v4/projects/*/labels
• PUT: /api/v4/projects/*/labels/promote
• PUT: /api/v4/projects/*/merge_request_approval_setting
• PUT: /api/v4/projects/*/merge_requests/*/approval_rules/*
• PUT: /api/v4/projects/*/mirror/pull
• PUT: /api/v4/projects/*/notification_settings
• PUT: /api/v4/projects/*/pages/domains/*
• PUT: /api/v4/projects/*/pages/domains/*/verify
• PUT: /api/v4/projects/*/protected_environments/*
• PUT: /api/v4/projects/*/push_rule
• PUT: /api/v4/projects/*/releases/*
• PUT: /api/v4/projects/*/releases/*/assets/links/*
• PUT: /api/v4/projects/*/repository/files/*
• PUT: /api/v4/projects/*/repository/submodules/*
• PUT: /api/v4/projects/*/resource_groups/*
• PUT: /api/v4/projects/*/security_settings
• PUT: /api/v4/projects/*/triggers/*
• PUT: /api/v4/projects/*/variables/*
• PUT: /api/v4/projects/*/vulnerabilities/*/notes/*
• PUT: /api/v4/projects/*/wikis/*
• PUT: /api/v4/snippets/*
• PUT: /api/v4/user/avatar
• PUT: /api/v4/user/preferences

Other Calls

Non-HTTP queries or HTTP calls made through a third-party app (e.g., Python package). No other calls for this analyzer.

Revoker

Auth Credentials

Valid credentials needed to authenticate the request. No extra credentials needed for this revoker.

HTTP Calls

List of calls performed by the revoker.

• DELETE: /api/v4/personal_access_tokens/self

Revocation Mode

Revocation is synchronous.