Support custom Secret Detection rules
Problem to solve
Secret Detection has default matching patterns that are used to detect passwords and keys.
Users need to customize patterns to fit their needs, or to define new rules based on their specific projects.
We should allow customization of matching patterns via variables/files that can be defined by users.
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Since we use different tools, we should provide a generic way to do that where possible. Each analyzer can wrap the generic specification into a compatible one.
Introduce the ability to add new rules (or to disable existing ones) for Secret Detection.
This can be done using environment variables to tune the existing behavior (e.g. setting flags like the existing SAST_GITLEAKS_ENTROPY_LEVEL), or using a file with the custom rules.
Custom rules will be merged with the default set.
We need to verify that custom rules are actually loaded and applied during the tool execution (for example, that a rule added by the user produces a finding and a rule the user disabled does not).
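The merging and disabling behavior described above, as an added illustration that is not GitLab's code or rule format: a hypothetical generic JSON spec with "rules" and "disabled" keys is merged into a constructed set of default patterns, and the result is run over a few constructed source lines. The rule IDs, regexes, and the JSON shape are assumptions chosen for the example; a real analyzer wrapper would translate such a spec into its own tool's native configuration.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    description: str
    pattern: re.Pattern


# Constructed stand-ins for an analyzer's built-in patterns (not GitLab's real rule set).
DEFAULT_RULES = [
    Rule("aws-access-key", "AWS access key ID",
         re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("generic-password", "Password assigned in source",
         re.compile(r"(?i)password\s*=\s*['\"][^'\"]{8,}['\"]")),
]

# Hypothetical generic rule file supplied by the user: adds one project-specific
# rule and disables one default rule. The shape is an assumption for this example.
CUSTOM_SPEC = r"""
{
  "rules": [
    {"id": "acme-internal-token",
     "description": "ACME internal API token",
     "regex": "\\bACME-[0-9a-f]{16}\\b"}
  ],
  "disabled": ["generic-password"]
}
"""


def load_custom_spec(text):
    """Parse the generic spec into Rule objects plus the set of disabled rule IDs."""
    spec = json.loads(text)
    rules = [Rule(r["id"], r.get("description", ""), re.compile(r["regex"]))
             for r in spec.get("rules", [])]
    return rules, set(spec.get("disabled", []))


def merge_rules(defaults, custom_rules, disabled_ids):
    """Drop disabled defaults, then add custom rules; a custom rule with the
    same id as a default replaces it, otherwise it is appended."""
    merged = {r.id: r for r in defaults if r.id not in disabled_ids}
    for rule in custom_rules:
        if rule.id not in disabled_ids:
            merged[rule.id] = rule
    return list(merged.values())


def redact(secret):
    """Keep a short prefix and mask the rest so the report never echoes the secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(text, rules):
    """Return (line number, rule id, masked match) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in rules:
            for m in rule.pattern.finditer(line):
                findings.append((lineno, rule.id, redact(m.group(0))))
    return findings


# Constructed input: fake values that only look like credentials.
SAMPLE_SOURCE = """\
aws_key = AKIAABCDEFGHIJKLMNOP
password = "hunter2hunter2"
internal_token = ACME-1234567890abcdef
"""


def run_with_defaults():
    return scan(SAMPLE_SOURCE, DEFAULT_RULES)


def run_with_custom():
    custom, disabled = load_custom_spec(CUSTOM_SPEC)
    return scan(SAMPLE_SOURCE, merge_rules(DEFAULT_RULES, custom, disabled))


if __name__ == "__main__":
    for label, findings in (("defaults", run_with_defaults()),
                            ("merged", run_with_custom())):
        print(label)
        for lineno, rule_id, masked in findings:
            print(f"  line {lineno}: {rule_id} -> {masked}")
```

With the defaults alone, lines 1 and 2 are flagged; after merging, line 2 is no longer reported (the default password rule was disabled) and line 3 is reported by the user's rule. Checking both runs is exactly the verification the proposal asks for: the custom rule fires and the disabled rule stays silent.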
What does success look like, and how can we measure that?
Number of jobs or projects with custom rules enabled for Secret Detection