SAST template missing propagation for SAST_GITLEAKS_ENTROPY_LEVEL ENV variable
Summary
Our SAST template is currently missing ENV propagation support for our secrets analyzer's entropy detection variable, SAST_GITLEAKS_ENTROPY_LEVEL. Because of this, a user is unable to configure entropy detection unless calling the secrets analyzer directly.
Steps to reproduce
- Add a high-entropy string to the codebase, e.g. Reu3eitiotaR1ucooyoopeo3eseeshahee8aquaPh0Iadohgh8gatoovie6phoobooLix7vae7ru5ooVez5vuaW6phe9ze7Ma4ao
- Add the SAST.gitlab-ci.yml template inclusion to .gitlab-ci.yml
- Run the pipeline with the variable SAST_GITLEAKS_ENTROPY_LEVEL set to a low entropy threshold, e.g. "1.0"
Example Project
What is the current bug behavior?
The SAST_GITLEAKS_ENTROPY_LEVEL entropy variable is ignored when the secrets analyzer is run through the template.
What is the expected correct behavior?
SAST_GITLEAKS_ENTROPY_LEVEL should be respected when passed to the sast job, allowing detection of high-entropy strings.
Output of checks
This bug happens on GitLab.com
Possible fixes
Add SAST_GITLEAKS_ENTROPY_LEVEL to the list of propagated variables: https://gitlab.com/gitlab-org/gitlab-ee/blob/v11.11.0-rc2-ee/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L33-45
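To illustrate why the variable is silently dropped, here is an added example (not the template's own code) of an allow-list based propagation helper modelled on how the sast job forwards selected job variables into the analyzer container with docker run --env. The allow-lists and the SAST_EXAMPLE_OPTION name are constructed for the example; only variables that are both allow-listed and set in the job environment reach the container.

```shell
#!/bin/sh
# Added example, not the SAST template's code: a minimal allow-list based
# environment propagation for a "docker run" command. A variable the user sets
# in the pipeline is forwarded only if its name is on the list, so an omission
# from the list (the bug reported above) makes the setting disappear silently.

# Constructed allow-list as it stands: the entropy variable is missing.
PROPAGATED_BEFORE="SAST_DEFAULT_ANALYZERS SAST_EXAMPLE_OPTION"
# The same list with the proposed fix applied.
PROPAGATED_AFTER="$PROPAGATED_BEFORE SAST_GITLEAKS_ENTROPY_LEVEL"

# Print "--env NAME " for every allow-listed NAME that is set in the current
# environment. The output is spliced into the docker run command line.
propagate_env_vars() {
  for var_name; do
    # printenv exits 0 only when the variable is present in the environment,
    # so listed-but-unset names produce no --env flag.
    if printenv "$var_name" >/dev/null 2>&1; then
      printf -- '--env %s ' "$var_name"
    fi
  done
}

# Return 0 when NAME would reach the container under the given allow-list.
is_forwarded() {
  list="$1"
  name="$2"
  # shellcheck disable=SC2086
  case " $(propagate_env_vars $list) " in
    *" --env $name "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed job environment: the user lowers the threshold as in the report.
export SAST_GITLEAKS_ENTROPY_LEVEL="1.0"
export SAST_DEFAULT_ANALYZERS="secrets"
# SAST_EXAMPLE_OPTION is deliberately left unset.

# Render the docker run fragment for both lists so the difference is visible.
# shellcheck disable=SC2086
printf 'before fix: docker run %s...\n' "$(propagate_env_vars $PROPAGATED_BEFORE)"
# shellcheck disable=SC2086
printf 'after fix:  docker run %s...\n' "$(propagate_env_vars $PROPAGATED_AFTER)"
```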