Post-process leaked credentials on all branches, not just the default branch
What
We have resolved the race condition in this issue. That fix provides a workable approach to token revocation, but ties the implementation to the default branch only.
While working on this MR, we received suggestions about using StoreFindingsMetadataService for token revocation. We can look into those suggestions and determine whether that approach addresses all of the requirements we have for token revocation.
Implementation Plan
Utilize the security_findings.finding_data attribute instead of vulnerability_findings.raw_metadata; the former should be present for all branches.
From a high level we will need to do the following:
- Update the security_finding_data JSON schema to include raw_source_code_extract
- Update Security::StoreFindingsService to persist raw_source_code_extract
- Update ScanSecurityReportSecretsWorker to rely on security_findings.finding_data['raw_source_code_extract'] in place of vulnerability_findings
- Trigger ScanSecurityReportSecretsWorker for all pipelines, not only the default branch
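As an added illustration of the four steps above (constructed here, not GitLab's own code), the Ruby sketch below models the planned data flow: a minimal stand-in for the schema check on finding_data with raw_source_code_extract, the persist step, and the worker-side selection run over every pipeline rather than only the default branch. The function names, the sample pipelines and the placeholder secret values are assumptions.

```ruby
require 'json'

# Constructed illustration (not GitLab's code) of the planned flow:
# finding_data carries raw_source_code_extract, so leaked values can be
# collected for revocation from any branch's pipeline.
FINDING_DATA_REQUIRED_KEYS = %w[name description raw_source_code_extract].freeze

# Stand-in for the security_finding_data JSON-schema check: every
# required key must be present and be a string.
def valid_finding_data?(finding_data)
  return false unless finding_data.is_a?(Hash)

  FINDING_DATA_REQUIRED_KEYS.all? { |key| finding_data[key].is_a?(String) }
end

# Stand-in for the StoreFindingsService persist step: keep only schema
# attributes, so raw_source_code_extract is stored and unknown keys are not.
def persist_finding_data(raw_finding)
  data = raw_finding.slice(*FINDING_DATA_REQUIRED_KEYS)
  raise ArgumentError, 'finding_data does not match schema' unless valid_finding_data?(data)

  { 'finding_data' => data }
end

# Stand-in for the worker: read the extract from finding_data instead of
# vulnerability_findings.raw_metadata. default_branch_only: true mirrors the
# current behaviour; false is the planned behaviour covering all pipelines.
def secrets_to_revoke(pipelines, default_branch_only: false)
  pipelines.flat_map do |pipeline|
    next [] if default_branch_only && !pipeline[:default_branch]

    pipeline[:security_findings].map do |finding|
      extract = finding.dig('finding_data', 'raw_source_code_extract')
      next unless extract

      { ref: pipeline[:ref], secret: extract }
    end.compact
  end
end

# Constructed sample: one default-branch pipeline and one feature-branch
# pipeline, each with a finding; the secret values are placeholders.
SAMPLE_PIPELINES = [
  { ref: 'main', default_branch: true, security_findings: [
    persist_finding_data({ 'name' => 'Leaked token', 'description' => 'hardcoded',
                           'raw_source_code_extract' => 'PLACEHOLDER_TOKEN_A',
                           'unlisted' => 'dropped by schema' })] },
  { ref: 'feature/new-api', default_branch: false, security_findings: [
    persist_finding_data({ 'name' => 'Leaked token', 'description' => 'hardcoded',
                           'raw_source_code_extract' => 'PLACEHOLDER_TOKEN_B' })] }
].freeze

puts JSON.pretty_generate(secrets_to_revoke(SAMPLE_PIPELINES))
```

With default_branch_only: true only the main pipeline's finding is returned, which is the gap the plan closes.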
Edited by Lucas Charles