Commit 75cad43a authored by Craig Smith's avatar Craig Smith 💬 Committed by Ahmed Hemdan

docs: Document optional SDS usage via ops flag for SPP

parent 8c704206
+3 −1
@@ -323,7 +323,9 @@ to focus on Git text blobs.
The responsibility of the service will be limited to running Secret Detection scan on the given set of input blobs. More
details about the service are outlined in [ADR 004: Secret Detection Scanner Service](decisions/004_secret_detection_scanner_service).

The introduction of a dedicated service impacts the workflow for Secret Push Protection as follows:
The introduction of a dedicated service impacts the workflow for Secret Push Protection by providing a fallback to reduce load on the monolith controlled by the [`use_secret_detection_service` operational feature flag](https://docs.gitlab.com/administration/feature_flags/list/#eeonlyproduct). When enabled, the monolith routes scanning to [SDS deployed on Runway](https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-service); when disabled, secret scanning happens in the SDS gem installed in the monolith. The flag is disabled by default. This flag allows operators to offload scanning to a dedicated service when monolith load becomes a concern.

The workflow for Secret Push Protection as follows:

```mermaid
sequenceDiagram
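Review bot: the replacement sentence in this hunk reads awkwardly and the word "fallback" is misleading: with the flag disabled (the default) scanning stays in the gem inside the monolith, and enabling the flag is what offloads work to the Runway-hosted service, so the offload path is the opt-in, not a fallback. Suggest splitting it, e.g. "The introduction of a dedicated service impacts the workflow for Secret Push Protection as follows. Routing is controlled by the `use_secret_detection_service` operational feature flag (disabled by default): when enabled, the monolith routes scanning to SDS deployed on Runway; when disabled, scanning happens in the gem installed in the monolith." The new trailing line "The workflow for Secret Push Protection as follows:" is also missing "is". Since the hunk describes two scan paths, it should state which path the sequence diagram below depicts, and what happens when the flag is enabled but the service is unreachable (hard failure or reversion to the in-monolith gem), because that behaviour determines whether toggling the flag can ever weaken push protection.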
+27 −0
@@ -109,3 +109,30 @@ are both documented in the in-progress documentation MR.
Secret Detection audit log events are documented [here](https://docs.gitlab.com/ee/user/compliance/audit_event_types.html#secret-detection).

For GitLab.com, all logged events can be viewed [here](https://log.gprd.gitlab.net/app/discover#/view/31afcbb2-28e9-466f-a6c3-486e869e1ee3?_g=()&_a=h@bd3f1e1), and logs of just blocked push events due to detected secrets can be viewed [here](https://log.gprd.gitlab.net/app/discover#/view/db7ba29d-d406-46df-8b43-e6d9c47fbed7).

## Using SDS to reduce monolith load

The Secret Detection Service (SDS) can be optionally enabled on GitLab.com to offload secret scanning from the monolith when load becomes a concern. This is controlled by the [`use_secret_detection_service` operational feature flag](https://docs.gitlab.com/administration/feature_flags/list/#eeonlyproduct).

### How it works

- **Flag disabled (default)**: Secret scanning happens in the SDS gem installed in the monolith
- **Flag enabled**: The monolith routes scanning to [SDS deployed on Runway](https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-service)

### Enabling SDS

To enable SDS for secret push protection on GitLab.com, use ChatOps:

`/chatops run feature set use_secret_detection_service true`

### Disabling SDS

To disable SDS and return to using the gem installed in the monolith:

`/chatops run feature set use_secret_detection_service false`

### Checking the status

To check the current status of the flag:

`/chatops run feature get use_secret_detection_service`
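Review bot: the "How it works" list uses "SDS" for both the gem inside the monolith and the service on Runway, which makes "enable SDS" ambiguous for an operator reading the ChatOps steps; suggest naming the in-monolith path as the secret detection gem (library) and reserving "SDS" for the Runway service. The "Enabling SDS" section should also say how to confirm the change took effect, for example by checking that scan events in the log views linked above in this file are now attributed to the service, and the "Disabling SDS" section should note that the in-monolith path continues to enforce push protection while the flag is off so operators know rollback does not leave a gap in coverage.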