Secret detection scans full repository in feature branch when there are no changes from main branch
Summary
There is an error in the implementation logic of secret detection within feature branches. Currently, we see the following behaviour:
    IF branch != default_branch:
        IF commits_since_default_branch > 0:
            # Run tests on commits since default branch
        ELSE IF commits_since_default_branch == 0:
            # Run test on full repository
If there are no commits since the default branch, then following this logic no commits should be tested at all. A better approach could be to always scan the whole repository, as is done for the master branch.
Nor is it documented that testing differs between the main branch and feature branches.
Steps to reproduce
- Set up secret detection and set 'SECURE_LOG_LEVEL' to 'trace'
- Set up a feature branch
- Without making any changes in the feature branch, run the pipeline and observe that the analyzer is run with the '--commits' flag without any arguments. This scans your whole repository (because of https://github.com/zricethezav/gitleaks/blob/master/scan/scan.go#L118)
- Make a change in the feature branch, run the pipeline and observe that the analyzer is run with the '--commits' flag and that commit as its argument, which causes only that one commit to be scanned
What is the current bug behavior?
In the feature branch pipeline, the following is happening:
Result: the 'SECRET_DETECTION_COMMIT_FILE' variable will always be populated with a filename, whether the file is empty or not.
In the Analyzer code:
The analyzer checks whether 'SECRET_DETECTION_COMMIT_FILE' is populated (which it always is) and then uses the commits listed in that file (which can be empty) to populate the --commits flag in gitleaks.
In gitleaks:
If the --commits flag is empty, gitleaks starts a repository scan: https://github.com/zricethezav/gitleaks/blob/master/scan/scan.go#L118
What is the expected correct behavior?
Either always run a repository scan instead of a commit scan in feature branches, or don't scan any commits if there are no changes between the feature branch and the main branch.
Output of checks
Results of GitLab environment info
GitLab secrets analyzer v3.20.0
GitLab Enterprise Edition 13.11.3-ee
Possible fixes
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml#L43: check whether that file actually contains commits, not only whether the variable is set.
- Or remove the separation of logic between the main branch and feature branches altogether, for consistency reasons.
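The following shell snippet is an added illustration of the first possible fix (checking the contents of the commit file rather than the presence of the variable); it is not code from the GitLab template or the analyzer. It assumes the file named by 'SECRET_DETECTION_COMMIT_FILE' holds one commit SHA per line, and that gitleaks accepts the commits as a comma-separated '--commits' value. The helper only ever emits '--commits' when the list is non-empty, so an empty file can no longer turn into the silent full-repository scan the report describes.

```shell
#!/bin/sh
# Added example, not the GitLab template's own code.
# Assumption: "$SECRET_DETECTION_COMMIT_FILE" contains one commit SHA per line.

# Print "commits" when the commit file has at least one non-blank line,
# "repository" when the file is missing or effectively empty.
# The decision is based on the file contents, not on whether the variable is set.
scan_mode_for_file() {
  file="$1"
  if [ -n "$file" ] && [ -s "$file" ] && grep -q '[^[:space:]]' "$file"; then
    echo "commits"
  else
    echo "repository"
  fi
}

# Build the gitleaks argument for a commit file.
# Emits "--commits=<comma-separated SHAs>" only when commits exist; otherwise
# emits nothing, because an empty "--commits" makes gitleaks scan the whole repo.
gitleaks_args_for_file() {
  file="$1"
  if [ "$(scan_mode_for_file "$file")" = "commits" ]; then
    # Join the non-blank lines with commas, ignoring surrounding whitespace.
    list=$(awk 'NF { printf "%s%s", (n++ ? "," : ""), $1 }' "$file")
    echo "--commits=$list"
  else
    echo ""
  fi
}

# Demonstration on constructed commit files (not real repository data).
demo() {
  empty=$(mktemp); : > "$empty"
  two=$(mktemp); printf 'abc123\ndef456\n' > "$two"
  echo "empty file -> mode=$(scan_mode_for_file "$empty") args=[$(gitleaks_args_for_file "$empty")]"
  echo "two commits -> mode=$(scan_mode_for_file "$two") args=[$(gitleaks_args_for_file "$two")]"
  rm -f "$empty" "$two"
}

demo
```

In the template this would replace the "is the variable set?" test with a call such as `[ "$(scan_mode_for_file "$SECRET_DETECTION_COMMIT_FILE")" = commits ]`, after which the job can either skip the analyzer run or deliberately fall back to a repository scan, matching whichever of the two expected behaviours above is chosen.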