Disable auto-resolving of Secret Detection findings introduced in Merge Requests

Summary

The current implementation of Secret Detection auto-resolves findings (marking them as fixed) for every scan that is run, by diffing the results between pipeline executions. With the introduction of historic scanning, and with the future feature of MR scanning, we do not want to auto-resolve, as this would effectively erase secret vulnerabilities that are still present in the git history.

Let's use the example that @twoodham laid out to demonstrate why auto-resolving is a problem:

  1. Large project turns on secret detection later in its life.
  2. Historic secrets scan kicked off, detecting many leaked secrets.
  3. User picks one leaked secret to resolve and pushes up an MR for just that artifact.
  4. MR for one leaked secret is merged, properly resolving that one item.
  5. Because the new CI job does not report the other secrets, they are also auto-resolved... even though they still exist in the repository's history.
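The scenario above, written out as a small Ruby model of the reconciliation step (an added illustration, not GitLab's code). The `Finding` struct, the scanner symbols, the finding ids and the `reconcile_auto_resolve`/`reconcile` functions are all constructed for this example; the second function implements the change this issue proposes, leaving `secret_detection` findings alone while other scanners keep auto-resolving.

```ruby
# Added illustration, not GitLab's code: a toy model of how findings from the
# previous pipeline are reconciled against the latest scan's report. The Finding
# struct, scanner symbols and ids are constructed for this example.
Finding = Struct.new(:id, :scanner, :state, keyword_init: true)

# Current behaviour the issue describes: every finding the new scan did not
# re-report is auto-resolved, regardless of which scanner produced it.
def reconcile_auto_resolve(previous, reported_ids)
  previous.map do |f|
    next f if reported_ids.include?(f.id)
    Finding.new(id: f.id, scanner: f.scanner, state: :resolved)
  end
end

# Proposed behaviour: a diff-based secret detection job only sees the changed
# commits, so its silence says nothing about the repository history. Secret
# findings are therefore left untouched (to be resolved manually, as the Risks
# section notes); other scanners keep auto-resolving as before.
def reconcile(previous, reported_ids)
  previous.map do |f|
    next f if reported_ids.include?(f.id)
    next f if f.scanner == :secret_detection
    Finding.new(id: f.id, scanner: f.scanner, state: :resolved)
  end
end

# The five-step scenario from the issue, with constructed findings.
# `reconciler` is a callable taking (previous_findings, reported_ids).
def scenario(reconciler)
  # Steps 1-2: the historic scan reports three leaked secrets. A SAST finding
  # is included to show that the non-secret path is unchanged.
  previous = [
    Finding.new(id: 'secret-A', scanner: :secret_detection, state: :detected),
    Finding.new(id: 'secret-B', scanner: :secret_detection, state: :detected),
    Finding.new(id: 'secret-C', scanner: :secret_detection, state: :detected),
    Finding.new(id: 'sast-1',   scanner: :sast,             state: :detected),
  ]
  # Steps 3-4: an MR removes secret-A (and fixes sast-1) and is merged.
  # Step 5:   the new pipeline's diff-based scan reports nothing at all, even
  #           though secret-B and secret-C are still in the git history.
  reported_ids = []
  reconciler.call(previous, reported_ids).to_h { |f| [f.id, f.state] }
end

puts "current:  #{scenario(method(:reconcile_auto_resolve)).inspect}"
puts "proposed: #{scenario(method(:reconcile)).inspect}"
```

Running it shows the difference the issue is about: under the current behaviour every entry, including `secret-B` and `secret-C`, comes back `:resolved`; under the proposed behaviour only `sast-1` is auto-resolved and the three secret findings stay `:detected` until a user resolves them by hand.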

Related Issues

https://gitlab.com/gitlab-org/gitlab/-/issues/36860

Improvements

Removing auto-resolving of secret vulnerabilities allows us to move forward on enabling accurate secret detection for MRs and further iterate on historic secret scanning.

Risks

Added tedium for users -- they will have to manually resolve secret vulnerabilities.

Involved components

TODO

Optional: Intended side effects

Optional: Missing test coverage

Edited by Lucas Charles