Secrets Detection - Not detect password in URL when files are not executable scripts
Summary
Secrets Detection should detect and report password in URL as outlined below when files are not executable scripts in the source code repository:
- Description: Historic Password in URL secret has been found in commit d61e10c602fe84b13adff2f1a6466c97cec2a32a.
- Identifiers: Gitleaks rule ID Password in URL
- Severity: Critical
- Scanner: Secret Detection
- Scanner Provider: Gitleaks
Example files that are not detected are: password.txt
Steps to reproduce
Add a password.txt
file or any file with .txt extension to the repository and with a line of code such as https://username:password@example.com/path/to/repo
where the password is referenced.
Example Project
What is the current bug behavior?
The password is not detected by the secrets detection scanner and subsequently when the pipeline run is finished, it is not reported and shown in the pipeline security tab nor in the MR secrets detection widget.
What is the expected correct behavior?
The password should be detected regardless the file extension by the secrets detection scanner and subsequently when the pipeline run is finished, it is reported and shown in the pipeline security tab and also in the MR secrets detection widget.
When clicking on the vulnerability, it should show the following with the file name and the line of code in the file, with actions to create issue or dismiss the vulnerability:
- Description: Historic Password in URL secret has been found in commit d61e10c602fe84b13adff2f1a6466c97cec2a32a.
- Identifiers: Gitleaks rule ID Password in URL
- Severity: Critical
- Scanner: Secret Detection
- Scanner Provider: Gitleaks
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com when I tested it. It would happen on installed Gitlab too.
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)