Commit 48b02fe6 authored by Radu Birsan's avatar Radu Birsan Committed by Roshni Sarangadharan

Added Secret Detection CVE Investigation and Resolution Process

parent e965b55d
@@ -234,3 +234,37 @@ There are countless secret credential types exist across different companies tha
* We release rules based on development milestones rather than a fixed schedule. Rules are bundled and released either when a milestone completes or when the task is complete, whichever happens first.

* Rule releases are done through a [dedicated MR](https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules/-/merge_requests) containing all the new rules ready to be released.

### Secret Detection CVE Investigation and Resolution Process

#### Weekly CVE Review

On a weekly basis, review reported CVEs to investigate severity, applicability, and resolution status.

#### Access the CVE Dashboard

* Review the Vulnerability Report for projects maintained by Secret Detection to identify new and existing CVEs.
* Filter by severity (Critical → High → Medium → Low) and assign yourself to the CVE tracking issue.

#### Investigation Process

* Verify whether the CVE affects Secret Detection's dependencies or codebase.
* Determine exploitability and impact scope.
* Check the [Red Hat site](https://access.redhat.com/security/security-updates/cve) for the CVE to determine if a fix is available.

#### Resolution Actions

* If applicable, create a merge request to update dependencies or apply patches.
* If not applicable, document why (for example, fixed through prior dependency update) and mark as resolved.

#### Closure

* Verify the CVE is no longer found in Vulnerability Report after your patch.
* Close the tracking issue with a resolution summary.

#### Additional Notes

* Ensure you have no filters applied when you check the Vulnerability Report so you see all vulnerabilities.
* Use GitLab Duo to triage and identify vulnerable package locations.
* Automation can sometimes open an issue that was resolved previously. Always verify the current dependency version against the CVE fix version and confirm the CVE is still present in the Vulnerability Report.
  * If the CVE is not present and the vulnerability is connected to an older image, you can close the issue with a comment that explains why.
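Review bot: the "Investigation Process" step points only at the Red Hat CVE site to determine whether a fix is available, which covers RHEL/UBI base-image packages but not language-level dependencies of the Secret Detection codebase (the same dependencies the first bullet asks you to verify); suggest adding the upstream advisory for the affected package (the maintainer's release notes or the advisory linked from the Vulnerability Report finding) as a second source, since the fixed version you need for the "Resolution Actions" merge request comes from there. Relatedly, the "Resolution Actions" bullet "If not applicable, document why (for example, fixed through prior dependency update) and mark as resolved" would be more useful if it named what to record: the dependency's current version, the CVE's fixed version, and a link to the advisory. The "Additional Notes" section already warns that automation can re-open previously resolved issues and asks you to re-check versions, so a closing comment that carries that evidence lets the re-opened issue be closed by comparison rather than by re-investigation.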