Perform secret detection on full history of the repository
Problem to solve
Secret Detection currently checks only the latest version of the repository (the latest commit), as implemented in #6719 (closed).
Users may want to scan for secrets across the entire history of their repositories. Even if we run the check on every pipeline, there are cases where this is not enough (ci skip, job disabled, etc.).
Users may also want to check just the list of commits of a specific merge request, to ensure they are not introducing any secret with their changes.
- Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
- Sidney, Systems Administrator, https://design.gitlab.com/research/personas#persona-sidney
- Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam
Allow users to set the secret detection mode via an environment variable.
We can consider three different values:
- commit (default if not set): scan the current commit only
- branch (useful in merge requests): scan the entire branch history, up to the
- full (useful for regular testing on master): scan the entire history for that branch
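As an added example of how such a mode switch could map onto git commands (this is not GitLab's own secret-detection job), the script below picks the commits to scan from a SECRET_DETECTION_MODE value and greps the lines each selected commit adds. The variable names SECRET_DETECTION_MODE, TARGET_BRANCH and SECRET_REGEX, and the throwaway repository it builds, are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not GitLab's own secret-detection job: choose which commits to scan
# from a SECRET_DETECTION_MODE value (variable name assumed) and grep the lines each
# selected commit adds. TARGET_BRANCH (assumed) names the merge-request target branch.
set -eu

# Demo pattern only: a constructed "AKIA" + 16 uppercase/digit key shape.
SECRET_REGEX=${SECRET_REGEX:-'AKIA[0-9A-Z]{16}'}

# Print the commits a mode covers: commit = HEAD only, branch = commits since the
# merge base with the target branch, full = the whole history reachable from HEAD.
commits_to_scan() {
  case "${1:-commit}" in
    commit) git rev-parse HEAD ;;
    branch) git rev-list "$(git merge-base "${TARGET_BRANCH:-main}" HEAD)..HEAD" ;;
    full)   git rev-list HEAD ;;
    *)      echo "unknown SECRET_DETECTION_MODE: ${1:-}" >&2; return 1 ;;
  esac
}

# Count added lines matching SECRET_REGEX across the commits of the given mode.
scan_commits() {
  hits=0
  for c in $(commits_to_scan "$1"); do
    n=$(git diff-tree --no-commit-id -r -p --root "$c" \
        | grep -E '^\+' | grep -vE '^\+\+\+' | grep -cE "$SECRET_REGEX" || true)
    hits=$((hits + n))
  done
  echo "$hits"
}

# Constructed throwaway repository: main carries one fake key in its history, the
# feature branch adds a second one in its first commit and a clean change on top.
make_demo_repo() {
  dir=$(mktemp -d) && cd "$dir"
  git init -q . && git symbolic-ref HEAD refs/heads/main
  git config user.email demo@example.invalid && git config user.name demo
  printf 'hello\n' > README && git add . && git commit -q -m 'init'
  printf 'key = AKIAABCDEFGHIJKLMNOP\n' > settings.ini && git add . && git commit -q -m 'cfg'
  git checkout -q -b feature
  printf 'token = AKIAZZZZZZZZZZZZZZZZ\n' > app.env && git add . && git commit -q -m 'env'
  printf 'cleanup\n' >> README && git add . && git commit -q -m 'tidy'
}

# With "demo" as the first argument, build the repo and scan it in the requested mode.
if [ "${1:-}" = demo ]; then
  make_demo_repo && scan_commits "${SECRET_DETECTION_MODE:-commit}"
fi
```

In the demo repository the three modes give different results: commit mode sees the clean HEAD commit only, branch mode sees the feature branch's two commits, and full mode sees all four.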
What does success look like, and how can we measure that?
Number of executions with this variable set.
What is the type of buyer?