COMP-264 WIP updating documentation for audit secret logging

123sarahj123 · 123sarahj123 · commit a74b02d5fff8 · 2024-03-14T16:37:20.000+13:00
- Extending audit_log.md to include secret audit events for GraphQL
- Extending secrets.md to describe the feature itself
diff --git a/pages/pipelines/audit_log.md b/pages/pipelines/audit_log.md
@@ -73,6 +73,11 @@ SCM_PIPELINE_SETTINGS_UPDATED
 SCM_SERVICE_CREATED
 SCM_SERVICE_DELETED
 SCM_SERVICE_UPDATED
+SECRET_CREATED
+SECRET_DELETED
+SECRET_QUERIED
+SECRET_READ
+SECRET_UPDATED
 SSO_PROVIDER_CREATED
 SSO_PROVIDER_DELETED
 SSO_PROVIDER_DISABLED
diff --git a/pages/pipelines/secrets.md b/pages/pipelines/secrets.md
@@ -162,3 +162,47 @@ steps:
         https://api.github.com/repos/my-org/my-app/deployments
 ```
 {: codeblock-file="pipeline.yml"}
+
+## Audit Logging for Secrets
+[Audit Log](/docs/pipelines/audit-log) also includes the transactions in which secrets are  accessed.
+
+>📘 Secret audit logging does not contain the value of the secret.
+
+
+This enables visibility into which secrets were accessed by whom and when. The following operations will be audited:
+* Creating a secret:
+  - **Who:**
+  - **What:**
+  - **Where:**
+  - **When:**
+* Deleting a secret:
+  - **Who:**
+  - **What:**
+  - **Where:**
+  - **When:**
+* Reading the value of a secret:
+  - **Who:**
+  - **What:**
+  - **Where:**
+  - **When:**
+* Querying a secret:
+  - **Who:**
+  - **What:**
+  - **Where:**
+  - **When:**
+* Updating the value of a secret:
+  - **Who:**
+  - **What:**
+  - **Where:**
+  - **When:**
+
+
+  The following GraphQL `Audit Event` types are available for secrets and you can find more details about them in the in the [GraphQL explorer](https://buildkite.com/docs/apis/graphql-api#getting-started).
+
+```
+SECRET_CREATED
+SECRET_DELETED
+SECRET_QUERIED
+SECRET_READ
+SECRET_UPDATED
+```
