Ability to include remote "custom ruleset" with git passthrough
Problem to solve
Currently, you can customize the default secret detection rules provided with GitLab. Customization allows replacing the default Secret Detection rules with rules that you define.
As per the docs at Custom rulesets:
Create a custom ruleset file named secret-detection-ruleset.toml in the .gitlab directory. In the secret-detection-ruleset.toml file, do one of the following:
- Define a custom ruleset
- Provide the name of the file containing a custom ruleset
Unfortunately, it's not possible to point to a remote ruleset. This makes the Secret Detection feature hard to maintain across an organization: adding a single new regex means opening a separate MR in every project.
User experience goal
An option to have a "global" Secret Detection ruleset for the whole organization, where the security team could easily maintain the list of custom rules for similar projects based on current needs and policies.
- Important: It should be possible to use a ruleset that requires authentication to access. See this comment for notes on replicating the git passthrough functionality, which would support this.
- The rules in the global ruleset should extend the default configuration in our gitleaks.toml file, not replace it.
Proposal
See this comment for the proposed approach forward.
Original Proposal
Add either a new variable:
secret_detection:
  variables:
    GITLEAKS_CONFIG: "https://ci-files.example.com/templates/security/config-gitleaks.toml"
or an option to include a remote file from secret-detection-ruleset.toml:
[secrets]
description = 'secrets custom rules configuration'

[[secrets.passthrough]]
type = "file"
target = "gitleaks.toml"
option = "remote" # whether the referenced config is local or remote
value = "https://ci-files.example.com/templates/security/config-gitleaks.toml"
It would be much easier if developers could either use a local custom ruleset or include a remote one that the security team maintains.