SECRET_DETECTION_HISTORIC_SCAN broken behaviour
Summary

When SECRET_DETECTION_HISTORIC_SCAN is set to "true", the analyzer seems to be trying to find files in the incorrect git reference.
Steps to reproduce

- Enable secret detection in a project's .gitlab-ci.yml:

      ---
      include:
        - template: Secret-Detection.gitlab-ci.yml

- Commit a secret file; e.g. ./private.gpg.key
- Push to run the scan. It should work as expected.
- Move the file; e.g.:

      mkdir tests/fixtures; mv private.gpg.key tests/fixtures/

- Push to run the scan. Again, it should work.
- Enable SECRET_DETECTION_HISTORIC_SCAN:

      secret_detection:
        variables:
          SECRET_DETECTION_HISTORIC_SCAN: "true"

- Push to run the scan. It will fail with:

      &{0xc0000600c0} Couldn't open source file private.gpg.key: open /builds/<your-project>/private.gpg.key: no such file or directory
      Gitleaks analysis failed: open /builds/<your-project>/private.gpg.key: no such file or directory
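The reproduction steps above, rebuilt as an added example in POSIX sh (not gitleaks' or GitLab's code): it creates a throw-away repository with the same shape (key committed, then moved in a second commit) from a constructed fixture line, and then walks the history two ways. The first walk collects every path that ever appeared in history and opens it in the current checkout, which is the failure mode behind the error above; the second reads each file's blob from the object store at each commit, so moves and deletions cannot break it. The rule pattern, the fixture content and the function names are assumptions for illustration, not the analyzer's real rules.

```sh
#!/bin/sh
# Added example, not gitleaks' or GitLab's code. Rebuilds the repository from
# the reproduction steps (file committed, then moved) and walks its history the
# two ways a historic scanner could. The key content, the pattern and the
# function names are constructed stand-ins for the analyzer's real rules.

# Constructed fixture line that the toy rule below matches; not a real key.
SECRET_LINE='-----BEGIN PGP PRIVATE KEY BLOCK----- constructed-fixture-not-a-key'
RULE='BEGIN PGP PRIVATE KEY'

# Commit private.gpg.key, then move it under tests/fixtures/ in a second commit,
# so the checkout no longer contains the path the first commit introduced.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email scan@example.invalid
  git -C "$dir" config user.name scan
  printf '%s\n' "$SECRET_LINE" > "$dir/private.gpg.key"
  git -C "$dir" add private.gpg.key
  git -C "$dir" -c commit.gpgsign=false commit -q -m "add key"
  mkdir -p "$dir/tests/fixtures"
  git -C "$dir" mv private.gpg.key tests/fixtures/
  git -C "$dir" -c commit.gpgsign=false commit -q -m "move key"
  echo "$dir"
}

# The failure mode in the bug: collect every path that appears anywhere in
# history, then open each one in the current checkout. A path that was later
# moved or deleted is gone from the worktree, so the open fails just like
# "Couldn't open source file private.gpg.key". Prints "<hits> <missing>".
scan_worktree() {
  repo=$1; hits=0; missing=0
  for path in $(git -C "$repo" log --all --name-only --pretty=format: | sort -u); do
    if [ -f "$repo/$path" ]; then
      grep -q "$RULE" "$repo/$path" && hits=$((hits + 1))
    else
      echo "Couldn't open source file $path: not in the checked-out tree" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$hits $missing"
}

# What a historic scan has to do instead: for every commit, read each file's
# blob from the object store at that commit (git show <commit>:<path>). The
# worktree is never touched, so moves and deletions cannot break the scan, and
# the secret is found in every commit that carries it. Prints "<hits>".
scan_history() {
  repo=$1; hits=0
  for commit in $(git -C "$repo" rev-list --all); do
    for path in $(git -C "$repo" ls-tree -r --name-only "$commit"); do
      git -C "$repo" show "$commit:$path" | grep -q "$RULE" && hits=$((hits + 1))
    done
  done
  echo "$hits"
}

# Stand-alone run: the worktree walk misses the moved path (1 hit, 1 missing);
# the object-store walk finds the key in both commits (2 hits).
demo_repo=$(make_repo)
echo "worktree scan: $(scan_worktree "$demo_repo")"
echo "history scan:  $(scan_history "$demo_repo")"
rm -rf "$demo_repo"
```

Run it with sh and git on PATH. The first walk writes the same "Couldn't open source file private.gpg.key" complaint to stderr for the path that only exists in the first commit, while the second walk reports the key in both commits because it never depends on what the current ref has checked out.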
Example Project
https://gitlab.com/thiagocsf-group/secrets-test/-/pipelines
- Secret in original location; job succeeds: https://gitlab.com/thiagocsf-group/secrets-test/-/jobs/604494937
- Secret moved; job fails: https://gitlab.com/thiagocsf-group/secrets-test/-/jobs/604495212
- History scan disabled; job succeeds: https://gitlab.com/thiagocsf-group/secrets-test/-/jobs/604498819
What is the current bug behavior?
The analyzer tries to open a file that doesn't exist.
What is the expected correct behavior?
The scanner only opens files existing in the ref currently checked out.
Relevant logs and/or screenshots
Included above. Here's another example project: https://gitlab.com/thiagocsf/nexus3-cli/-/jobs/604493381
Output of checks
This bug happens on GitLab.com
Possible fixes
I think this is the line throwing the error: