
Update Gitleaks to v6.1.2 and add SECRET_DETECTION_COMMITS

Summary

An issue was raised on the gitleaks GitHub page regarding the commit-to and commit-from options. Using these two options can lead to unintended commits being scanned and, in the worst case, the entire repo's history could be scanned. A quick fix was put in to make scanning a range of commits deterministic by adding an option commits=<list of commits> and commits-file=<file of a list of commits>. Instead of having gitleaks' git library (go-git) decide which commits to scan via git log, gitleaks scans ONLY the commits specified in commits-file and commits.

We need to update gitleaks to the most recent version v6.1.0 and add a SECRET_DETECTION_COMMITS variable to the secrets scanner so that gitleaks can accept a list of commits.

Implementation

  • Update Gitleaks to v6.1.2 in the Secrets analyzer
  • Add SECRET_DETECTION_COMMITS to scan a range of commits
  • Add a downstream test for range of commits
  • Update template Secret-Detection.gitlab.yml to use SECRET_DETECTION_COMMITS instead of SECRET_DETECTION_COMMIT_FROM/TO
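The following script is an added example of the approach described above (building an explicit commit list in CI and handing only those commits to the scanner); it is not code from this issue, from the gitleaks project or from the GitLab analyzer. It assumes the CI job has a checked-out repository, that the "before" and "after" SHAs are available (as GitLab's CI_COMMIT_BEFORE_SHA and CI_COMMIT_SHA are), and that gitleaks v6.1.x accepts the --commits-file, --repo-path and --report flags; the all-zero "before" SHA handling mirrors how GitLab marks the first push of a branch.

```shell
#!/usr/bin/env sh
# Added example (not the issue's or the analyzer's own code): compute an explicit,
# deterministic list of commits for a push so the secret scanner sees exactly those
# commits instead of letting the git library pick a range from "commit-from/commit-to".

# Print the commits reachable from $2 but not from $1, oldest first, one per line.
# $1 = "before" SHA (may be empty or all zeros on the first push of a branch)
# $2 = "after" SHA or ref (the tip that was pushed)
commit_list() {
  from="$1"
  to="$2"
  if [ -z "$from" ] || [ "$from" = "0000000000000000000000000000000000000000" ]; then
    # No usable "before" commit: scan only the pushed tip rather than the whole history.
    git rev-parse "$to"
  else
    git rev-list --reverse "${from}..${to}"
  fi
}

# Write the list to a file and, if gitleaks is installed, scan only those commits.
# $3 = output path for the commit list (assumed name; defaults to commit_list.txt)
run_scan() {
  from="$1"
  to="$2"
  out="${3:-commit_list.txt}"
  commit_list "$from" "$to" > "$out"
  count=$(wc -l < "$out" | tr -d ' ')
  echo "scanning $count commit(s) listed in $out"
  if command -v gitleaks >/dev/null 2>&1; then
    # Flags assumed to match gitleaks v6.1.x; the report name follows the GitLab convention.
    gitleaks --repo-path=. --commits-file="$out" --report=gl-secret-detection-report.json
  fi
}
```

In a GitLab job this would be called as `run_scan "$CI_COMMIT_BEFORE_SHA" "$CI_COMMIT_SHA"`; the resulting file is what a SECRET_DETECTION_COMMITS-style variable would carry, and because the list is produced by git rev-list on two fixed SHAs, re-running the job always scans the same set of commits.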

Alternative Approach

Disable the default secret-detection scan (which uses the problematic SECRET_DETECTION_COMMIT_FROM/TO options) and use secret_detection_default_branch to match the same triggers as secret-sast. This would give us a little more breathing room and allow us to scope this issue for a future release.

Links / references

Edited by Zach Rice