Secret Detection Cleanup
Summary
The Secret Detection (SD) analyzer wraps gitleaks and converts a gitleaks report into a GitLab secret-detection report. In this respect the SD analyzer works like a SAST analyzer.
Unlike the SAST analyzers, the SD analyzer has to determine which commits to scan. That decision is driven by the rules of two different job definitions in the vendored SD template: secret_detection_default_branch and secret_detection. Having two jobs defined, together with a number of SD-specific environment variables, adds unnecessary complexity downstream in the analyzer.
The SD analyzer also differs from the SAST analyzers in that it does not follow the SAST analyzer template (implementing analyze and convert, and using command.run). Instead, the SD analyzer implements its own functions, most likely relics of having to support two scanners (gitleaks and trufflehog). We should update the SD analyzer to follow the SAST template, which would make the analyzer more familiar to Secure developers and less intimidating for community members.
Improvements
Reduced maintenance and a less intimidating code base for community members who want to contribute.
Tasks
- Update Secret Detection Job (%13.10)
- Bump Gitleaks to v7.2.0 (%13.9)
- Refactor the Secret Detection analyzer to use the SAST analyzer template (%13.9)
- Update documentation and record a new video showcasing the new job (from the first task)
- Update Secret Detection Test projects to use FREEZE branches (%13.9)