Secret Detection fails to detect secret in merge request
Summary
Secret Detection fails to detect a simple secret in this merge request: gitlab-com/www-gitlab-com!100842 (closed)
The secret seems not to be detected because the list of commits to check (`*_commits_list.txt`) is empty.
Steps to reproduce
- Go to https://gitlab.com/gitlab-com/www-gitlab-com/
- Add a new secret
- Create a new merge request from this change
Example Project
gitlab-com/www-gitlab-com!100842 (closed). However, https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib/-/pipelines/494212792/?reportType=SECRET_DETECTION, with the same content, correctly detects the secret.
What is the current bug behavior?
The analyzer doesn't receive a list of commits to analyze. The file is empty, and contains only 1 empty line, which makes me think, in correlation with the logs of https://gitlab.com/gitlab-com/www-gitlab-com/-/jobs/2213847692, that we follow this execution path:
Therefore, it means `git log --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA}` doesn't fail but outputs an empty string.
I wonder if this could be because www-gitlab-com is using a merge request pipelines workflow, vs a branch workflow in gib.
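The commit-range logic discussed above, as an added example that is not the secret-detection analyzer's or GitLab's own code: a small POSIX shell script that derives the commit list the way the report describes (`git log --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA}`), treats an empty result the way the bug exhibits it (a file holding a single blank line), and falls back to the merge base with the merge request's target branch so the new commits still get scanned. The fallback itself, the helper names (`commit_list`, `count_commits`, `make_repo`) and the constructed repository are assumptions for illustration; the only dependency is `git`.

```shell
#!/bin/sh
# Added example, not the secret-detection analyzer's own code.
# Derives the commits a pipeline should scan and falls back to the merge base
# with the target branch when the before..current range yields nothing.
set -eu

# commit_list BEFORE_SHA COMMIT_SHA TARGET_BRANCH -> one hash per line
commit_list() {
    before="$1"; sha="$2"; target="$3"
    # The range the report describes: an unknown "before" SHA makes git fail,
    # an equal or unrelated one makes it print nothing. Both end up empty here.
    list=$(git log --pretty=format:"%H" "${before}..${sha}" 2>/dev/null || true)
    if [ -z "$list" ]; then
        # Assumed fallback: everything the branch adds on top of its target.
        base=$(git merge-base "$target" "$sha")
        list=$(git log --pretty=format:"%H" "${base}..${sha}")
    fi
    printf '%s\n' "$list"
}

# count_commits LIST -> number of hash lines; a single blank line counts as 0,
# which is the state of the *_commits_list.txt file in this report.
count_commits() {
    printf '%s\n' "$1" | grep -c '[0-9a-f]' || true
}

# make_repo -> path of a constructed repository: "main" with one commit,
# "feature" with one extra commit (the branch a merge request would carry).
make_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" symbolic-ref HEAD refs/heads/main
    git -C "$dir" config user.email "ci@example.invalid"
    git -C "$dir" config user.name "ci"
    echo "hello" > "$dir/README.md"
    git -C "$dir" add README.md
    git -C "$dir" commit -q -m "initial"
    git -C "$dir" checkout -q -b feature
    # Constructed placeholder value, not a real credential.
    echo "api_key = PLACEHOLDER_NOT_A_REAL_SECRET" > "$dir/config.txt"
    git -C "$dir" add config.txt
    git -C "$dir" commit -q -m "add config"
    echo "$dir"
}

# Stand-alone demonstration of both code paths (runs in a subshell so the
# caller's working directory is untouched).
(
    repo=$(make_repo)
    cd "$repo"
    before=$(git rev-parse main); sha=$(git rev-parse feature)
    echo "branch pipeline, before..current: $(count_commits "$(commit_list "$before" "$sha" main)") commit(s)"
    echo "empty range, fallback to target: $(count_commits "$(commit_list "$sha" "$sha" main)") commit(s)"
)
```

The empty-range case is reproduced by passing the same SHA as both "before" and "current", which is one way for `git log` to exit cleanly with no output, matching the symptom in the job log; the all-zero before SHA is covered too, because there `git log` fails and the same fallback runs. Counting hash lines rather than testing the file size is what distinguishes a genuinely empty list from the one-blank-line file seen in this report.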
What is the expected correct behavior?
Secret is detected in gitlab-com/www-gitlab-com!100842 (closed)
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com