Secrets Analyzer Incorrectly Hides Valid Issues
Summary
The GitLab Secrets analyzer (for the SAST scanner) incorrectly hides valid findings from its output. The TruffleHog adapter code has special logic to detect whether URLs containing passwords are built from variables and string interpolation, as a way to reduce false positives. When testing a file that contains a false positive followed by a true positive, the Secrets analyzer hides the true positive from the output.
Steps to reproduce
- Create a file with the following contents:

```
DATABASE_URL=postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$CI_ENVIRONMENT_SLUG-postgres:1111/$POSTGRES_DB
OTHER_URL=postgres://secret_username:super_secret_password_mtst109238@dev-postgres:1111/dev-db
```
- Run the Secrets analyzer on the file
What is the current bug behavior?
No findings are reported.
What is the expected correct behavior?
The first line is allowed because it uses a variable, but the third line should cause an error to be returned.
Possible fixes
Not sure yet; I haven't really dug into the code for the Secrets analyzer. My best guess is that there is some code that reduces all errors found in a file to try and minimize the number of similar issues from a single file (which seems like a bad idea), and then when the first error is found to be a false positive, the other errors are also being ignored.
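To make the suspected failure mode concrete, here is an added example (not GitLab's or TruffleHog's code) of a minimal credentialed-URL scanner in two variants: one that bails out of the file on the first interpolated URL, reproducing the behaviour reported above, and one that judges every match independently. The regex, the variable-reference check and the sample file content are constructed for this illustration.

```python
"""Added example, not the GitLab Secrets analyzer's own logic: a toy scanner for
URLs of the form scheme://user:password@host that skips passwords built from
shell-style variables, shown with a buggy and a corrected reporting loop."""
import re

# Constructed regex: captures user (group 1) and password (group 2) of a credentialed URL.
CRED_URL = re.compile(r"\b[a-z][a-z0-9+.-]*://([^:/\s@]+):([^@\s]+)@\S+")
# Constructed check: a password that is only a $VAR or ${VAR} reference is a false positive.
INTERPOLATED = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")

# Constructed sample file, taken from the reproduction steps in this issue.
SAMPLE = (
    "DATABASE_URL=postgres://$POSTGRES_USER:$POSTGRES_PASSWORD"
    "@$CI_ENVIRONMENT_SLUG-postgres:1111/$POSTGRES_DB\n"
    "OTHER_URL=postgres://secret_username:super_secret_password_mtst109238"
    "@dev-postgres:1111/dev-db\n"
)


def is_false_positive(password: str) -> bool:
    """True when the 'password' is a variable reference rather than a literal value."""
    return INTERPOLATED.match(password) is not None


def scan_buggy(text: str) -> list[int]:
    """Models the reported behaviour: the first false positive ends processing of
    the whole file, so a literal secret on a later line is never reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_URL.search(line)
        if not m:
            continue
        if is_false_positive(m.group(2)):
            return findings  # defect: returns instead of skipping this one match
        findings.append(lineno)
    return findings


def scan_fixed(text: str) -> list[int]:
    """Expected behaviour: interpolated URLs are skipped one at a time and every
    literal credential is still reported, wherever it sits in the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_URL.search(line)
        if m and not is_false_positive(m.group(2)):
            findings.append(lineno)
    return findings


if __name__ == "__main__":
    print("buggy:", scan_buggy(SAMPLE))  # []
    print("fixed:", scan_fixed(SAMPLE))  # [2]
```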