Secret Detection Deprecation: Certain configuration variables

Deprecation Summary

To make it simpler and more reliable to customize GitLab Secret Detection, we're deprecating some of the variables that you could previously set in your CI/CD configuration.

The following variables currently allow you to customize the options for historical scanning, but interact poorly with the GitLab-managed CI/CD template and are now deprecated:

  • SECRET_DETECTION_COMMIT_FROM
  • SECRET_DETECTION_COMMIT_TO
  • SECRET_DETECTION_COMMITS
  • SECRET_DETECTION_COMMITS_FILE

The SECRET_DETECTION_ENTROPY_LEVEL variable previously allowed you to configure rules that only considered the entropy level of strings in your codebase, and is now deprecated. This type of entropy-only rule created an unacceptable number of incorrect results (false positives) and is no longer supported.

In GitLab 15.0, we'll update the Secret Detection analyzer to ignore these deprecated options. You'll still be able to configure historical scanning of your commit history by setting the SECRET_DETECTION_HISTORIC_SCAN CI/CD variable.
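To find where a pipeline still sets the deprecated variables before the analyzer starts ignoring them, the following added example (not GitLab's own code) scans the text of a `.gitlab-ci.yml` for them and records whether SECRET_DETECTION_HISTORIC_SCAN is set. The sample config, its `secret_detection` job, the template include and all values are constructed, and the line-based key matching assumes block-style YAML.

```python
import re

# Variables the issue lists as deprecated in 14.8 and ignored from 15.0.
DEPRECATED = {
    "SECRET_DETECTION_COMMIT_FROM", "SECRET_DETECTION_COMMIT_TO",
    "SECRET_DETECTION_COMMITS", "SECRET_DETECTION_COMMITS_FILE",
    "SECRET_DETECTION_ENTROPY_LEVEL",
}
HISTORIC = "SECRET_DETECTION_HISTORIC_SCAN"  # remains supported per the issue
KEY = re.compile(r"^(\s*)([A-Za-z_][\w.\-]*)\s*:")

# Constructed sample config (assumption: not taken from the issue).
SAMPLE = """\
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  SECRET_DETECTION_ENTROPY_LEVEL: "4.5"

secret_detection:
  variables:
    SECRET_DETECTION_COMMIT_FROM: "constructed-sha-a"
    SECRET_DETECTION_COMMIT_TO: "constructed-sha-b"
    # SECRET_DETECTION_COMMITS: "commented out, not reported"
"""

def audit_ci_config(text):
    """Return (findings, historic_scan_set) for the text of a CI config.

    findings holds (line_number, section, variable); section is the enclosing
    top-level key: a job name, or "variables" for pipeline-wide settings.
    """
    findings, historic, section = [], False, None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0]           # drop trailing comments
        if line.lstrip().startswith("#"):      # skip full-line comments
            continue
        match = KEY.match(line)
        if not match:
            continue
        indent, key = match.groups()
        if not indent:
            section = key                      # new top-level key
        elif key in DEPRECATED:
            findings.append((number, section, key))
        elif key == HISTORIC:
            historic = True
    return findings, historic

if __name__ == "__main__":
    for number, section, name in audit_ci_config(SAMPLE)[0]:
        print(f"line {number}: {name} in '{section}' is deprecated")
```

Variables defined in project or group CI/CD settings do not appear in the file, so they need a separate check.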

Breaking Change

There is no replacement for the removed variables. Please comment on this issue if you have a use case for them that isn't handled by other Secret Detection options.

Affected Topology

All deployment types (~SaaS and self-managed) are affected.

Affected Tier

All tiers (GitLab Free, GitLab Premium, GitLab Ultimate) are affected.

Checklist

  • Mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.

    • To see who the stable counterparts are for a product team, visit product categories
      • If there is no stable counterpart listed for Sales/CS, please mention @timtams
      • If there is no stable counterpart listed for Support, please mention @gitlab-com/support/managers
      • If there is no stable counterpart listed for Marketing, please mention @cfoster3
  • Mention your GPM so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.

  • Customer Success stable counterparts: @bmiller1, @brianwald, @chloe

  • Support stable counterpart: @greg

  • Marketing stable counterpart: @cblake2000

  • Director, Product Management: @hbenson

Note: Required and optional reviewers were already @-mentioned on the Deprecation MR (!80474 (merged)).

Deprecation Milestone

%14.8

Planned Removal Milestone

%15.0

Links

#350660 (closed) #350573 (closed)

Deprecation Announcement:

Edited by Connor Gilbert