update secrets analyzer to ignore masked env variables within GitLab CI
Problem to solve
Per discussion, the secrets analyzer currently flags the GITLAB_TOKEN variable reference in git push https://gitlab-bot:$GITLAB_TOKEN@gitlab.com/gitlab-org/gitlab-ui.git HEAD:$CI_COMMIT_REF_NAME &>/dev/null as a potential password. The analyzer should recognize these masked variables as variable references rather than report them as vulnerabilities.
Intended users
Persona: Software developer
Persona: Development Team Lead
Further details
Proposal
Update secrets analyzer to ignore variable false positives.
The rule being tripped here is the password-in-URL rule, which comes from trufflehog. We would have to update the trufflehog command the analyzer shells out to so that it passes an --exclude-patterns option.
Alternatively, we could ignore the rule in the toIssues function.
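Added example (not the analyzer's or trufflehog's own code) of the suppression logic the second option describes: a password-in-URL matcher that reports literal passwords but suppresses hits whose password component is an unexpanded CI variable reference such as $GITLAB_TOKEN or ${GITLAB_TOKEN}. The regexes, the Finding type and the sample script lines are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// passwordInURL approximates a "password in url" rule: scheme://user:password@host.
// Constructed for this example, not trufflehog's own pattern. Group 1 is the password.
var passwordInURL = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@[^\s/]+`)

// ciVariableRef matches an unexpanded variable reference ($NAME or ${NAME}),
// optionally wrapped in quotes, and nothing else.
var ciVariableRef = regexp.MustCompile(`^["']?\$(\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*)["']?$`)

// Finding is one password-in-URL hit and the decision whether to report it.
type Finding struct {
	Line     int
	Secret   string // the password component of the URL
	Reported bool   // false when the password is only a variable reference
}

// scanLines applies the rule to each line and suppresses hits whose password
// component is a variable reference rather than a literal value.
func scanLines(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, m := range passwordInURL.FindAllStringSubmatch(line, -1) {
			secret := m[1]
			out = append(out, Finding{
				Line:     i + 1,
				Secret:   secret,
				Reported: !ciVariableRef.MatchString(secret),
			})
		}
	}
	return out
}

func main() {
	// Constructed sample of script lines from a .gitlab-ci.yml job.
	sample := []string{
		"git push https://gitlab-bot:$GITLAB_TOKEN@gitlab.com/gitlab-org/gitlab-ui.git HEAD:$CI_COMMIT_REF_NAME &>/dev/null",
		"git push https://gitlab-bot:${GITLAB_TOKEN}@gitlab.com/gitlab-org/gitlab-ui.git",
		"curl https://deploy:hunter2@example.invalid/upload",
	}
	for _, f := range scanLines(sample) {
		fmt.Printf("line %d secret=%q reported=%v\n", f.Line, f.Secret, f.Reported)
	}
}
```

The check keys on the shape of the password component, not on whether the variable is actually marked masked in the project's CI settings, so a literal value that merely starts with a dollar sign would still be reported while any unexpanded reference is suppressed.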
Permissions and Security
No change to permissions
Documentation
Include a notice in the ~"secret detection" docs describing this logic.
Testing
Ensure $GITLAB_TOKEN is not recognized as a potential password.
What does success look like, and how can we measure that?
Fewer false positives in ~"secret detection".