Disable auto-resolving of Secret Detection findings introduced in Merge Requests
Summary
The current implementation of Secret Detection auto-resolves findings (marking them as fixed) for every scan that is run, by diffing the results between pipeline executions. With the introduction of historic scanning, and with the planned feature of MR scanning, we do not want to auto-resolve, as this would effectively erase secret vulnerabilities that are still present in the git history.
Let's use the example that @twoodham laid out to demonstrate why auto-resolving is a problem:
- Large project turns on secret detection later in its life.
- Historic secrets scan kicked off, detecting many leaked secrets.
- User picks one leaked secret to resolve and pushes up an MR for just that artifact.
- MR for one leaked secret is merged, properly resolving that one item.
- Because the new CI job does not report the other secrets, they are also auto-resolved, even though they still exist in the repository's history.
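The scenario above, modelled as an added example (not GitLab's own code): a small reconciliation routine that compares the current diff-based auto-resolve behaviour with the proposed behaviour of keeping secret findings open until a user resolves them. The finding fingerprints and file paths are constructed sample data, and `reconcile` / `open_after_mr` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fingerprint: str  # stable identity of one leaked secret
    path: str         # file in which it was detected


def reconcile(previous: set[Finding], current: set[Finding], auto_resolve: bool) -> set[Finding]:
    """Return the findings that remain open after a new scan report arrives.

    auto_resolve=True models the current behaviour: the open set becomes the
    latest report, so anything previously reported but absent now is marked fixed.
    auto_resolve=False models the proposal: findings accumulate and stay open,
    because absence from an MR-scoped or diff-based report does not mean the
    secret has left the git history.
    """
    if auto_resolve:
        return set(current)
    return previous | current


# Constructed sample data for the issue's scenario (not real secrets).
HISTORIC_SCAN = {
    Finding("fp-a", "config/database.yml"),
    Finding("fp-b", "scripts/deploy.sh"),
    Finding("fp-c", ".env.example"),
}
# The MR addresses fp-a only. An MR-scoped scan reports nothing: no secret was
# added in the diff, and fp-b and fp-c live in lines the MR never touched.
MR_SCAN: set[Finding] = set()


def open_after_mr(auto_resolve: bool) -> set[str]:
    """Fingerprints still open once the MR is merged and fp-a is manually resolved."""
    still_open = reconcile(HISTORIC_SCAN, MR_SCAN, auto_resolve)
    return {f.fingerprint for f in still_open if f.fingerprint != "fp-a"}


if __name__ == "__main__":
    # Current logic closes fp-b and fp-c although they are still in history.
    print("auto-resolve on :", sorted(open_after_mr(True)))   # []
    print("auto-resolve off:", sorted(open_after_mr(False)))  # ['fp-b', 'fp-c']
```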
Related Issues
https://gitlab.com/gitlab-org/gitlab/-/issues/36860
Improvements
Removing auto-resolving of secret vulnerabilities allows us to move forward on enabling accurate secret detection for MRs and to further iterate on historic secret scanning.
Risks
Added tedium for users: they will have to manually resolve secret vulnerabilities.
Involved components
TODO