Scan for secrets only on modified files
Problem to solve
Running a complete secret detection against a large repo like gitlab-ce takes a huge amount of time. It is currently executed against the entire codebase, for each commit, even if you just update a single file.
This is necessary to ensure that no secrets are present in the head of the branch. Even if you have this job set up for each commit, there is always a chance that something was introduced in a previous commit with [skip ci] set, or in any other similar case.
But if we want to speed up the pipeline, we can consider running Secret Detection only on the files that have changed in the current commit. This will cover most cases and will enormously speed up the job.
We can always schedule a "complete" scan on the master branch to ensure nothing is left when merging.
Run Secret Detection only on files that have changed in the current commit.
Drive this behavior with variables.
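One way the job could decide between a changed-files scan and the complete scan, as an added example that is not GitLab's own analyzer code. The switch variable SECRET_DETECTION_CHANGED_FILES_ONLY is hypothetical; CI_COMMIT_SHA, CI_COMMIT_BEFORE_SHA, CI_COMMIT_BRANCH and CI_DEFAULT_BRANCH are predefined GitLab CI variables, and the script falls back to a full scan whenever the change set cannot be computed safely.

```shell
#!/bin/sh
# Added example, not part of GitLab's Secret Detection job.
# SECRET_DETECTION_CHANGED_FILES_ONLY is a hypothetical control variable.

ZERO_SHA=0000000000000000000000000000000000000000

# Prints "full" or "changed". Reads only environment variables so the
# decision can be tested without a git checkout.
scan_mode() {
  # Feature switched off: keep today's behaviour and scan the whole tree.
  [ "${SECRET_DETECTION_CHANGED_FILES_ONLY:-false}" = "true" ] || { echo full; return; }
  # Default branch: always run the complete scan proposed for master.
  [ "${CI_COMMIT_BRANCH:-}" != "${CI_DEFAULT_BRANCH:-master}" ] || { echo full; return; }
  # First push to a new branch: GitLab sets CI_COMMIT_BEFORE_SHA to all
  # zeros, so there is no previous commit to diff against.
  [ -n "${CI_COMMIT_BEFORE_SHA:-}" ] && [ "$CI_COMMIT_BEFORE_SHA" != "$ZERO_SHA" ] || { echo full; return; }
  echo changed
}

# Prints the paths to hand to the analyzer: "." for a full scan, otherwise
# the files added or modified between the previous and current commit.
# Deleted files are skipped (nothing left to scan). If the previous commit
# is missing from a shallow clone, git diff fails and we scan everything.
scan_targets() {
  case "$(scan_mode)" in
    full) echo "." ;;
    changed)
      git diff --name-only --diff-filter=AM \
        "$CI_COMMIT_BEFORE_SHA" "$CI_COMMIT_SHA" || echo "."
      ;;
  esac
}
```

A secret-detection job would pass the output of scan_targets to the analyzer, while a scheduled pipeline on master leaves the variable unset and keeps the complete scan.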
What does success look like, and how can we measure that?
Number of jobs doing this kind of scan.