
Secret Detection fails to detect secret in merge request

Summary

Secret Detection fails to detect a simple secret in this merge request: gitlab-com/www-gitlab-com!100842 (closed). The secret seems not to be detected because the list of commits to check (`*_commits_list.txt`) is empty.

Steps to reproduce

  1. Go to https://gitlab.com/gitlab-com/www-gitlab-com/
  2. Add a new secret
  3. Create a new merge request from this change

Example Project

gitlab-com/www-gitlab-com!100842 (closed). But https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib/-/pipelines/494212792/?reportType=SECRET_DETECTION, with the same content, detects the secret correctly.

What is the current bug behavior?

The analyzer doesn't receive a list of commits to analyze. The file is empty, and contains only 1 empty line, which makes me think, in correlation with the logs of https://gitlab.com/gitlab-com/www-gitlab-com/-/jobs/2213847692, that we follow this execution path:

lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml at 34b41fed0a0bde61b353b2fe6e3ec2536c61756d (GitLab.org / GitLab)

Therefore, it means `git log --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA}` doesn't fail but outputs an empty string. I wonder if this could be because www-gitlab-com is using a merge request pipelines workflow, vs a branch workflow in gib.

What is the expected correct behavior?

Secret is detected in gitlab-com/www-gitlab-com!100842 (closed)

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com


Possible fixes

Please note that we use a modified version of the template:

!83037 (closed)

Edited by Philippe Lafoucrière
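As an added example (not part of the issue, of GitLab's Secret-Detection template or of the analyzer), the following POSIX shell script reproduces the failure mode the report describes in a throwaway repository: the same `git log --pretty=format:"%H" BEFORE..AFTER` invocation exits 0 but emits nothing when the range contains no commits, so the commit-list file handed to the analyzer is empty and nothing gets scanned. It also shows one assumed guard a job script could apply, falling back to the merge base with the default branch when the range is empty. The values a merge request pipeline actually assigns to CI_COMMIT_BEFORE_SHA and CI_COMMIT_SHA are not established by the report, so the empty range is simply constructed by passing the same SHA twice; the repository, branch names, placeholder "secret" and fallback behaviour are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the issue or from GitLab's template.
# Reproduces the empty-commit-list failure mode of `git log BEFORE..AFTER`
# in a constructed repository and shows an assumed guard for it.
set -eu

# Build a throwaway repo (constructed for this example): a default branch
# with one commit and a feature branch that adds a placeholder secret.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  git -C "$dir" -c user.name=t -c user.email=t@example.com -c commit.gpgsign=false \
    commit -q --allow-empty -m "base"
  git -C "$dir" checkout -q -b feature
  # Constructed placeholder, not a real credential.
  printf 'aws_secret_access_key = AKIAEXAMPLEPLACEHOLDER\n' > "$dir/config.txt"
  git -C "$dir" add config.txt
  git -C "$dir" -c user.name=t -c user.email=t@example.com -c commit.gpgsign=false \
    commit -q -m "add secret"
  echo "$dir"
}

# Same invocation shape as the template's range command: one SHA per line,
# exit status 0 even when the range is empty.
commit_list() {  # $1 = repo dir, $2 = before SHA, $3 = after SHA
  git -C "$1" log --pretty=format:"%H" "$2".."$3"
}

# Number of commits the analyzer would receive (non-empty lines only).
count_commits() {  # $1 = repo dir, $2 = before SHA, $3 = after SHA
  commit_list "$@" | grep -c . || true
}

# Assumed guard (not the template's behaviour): if the range is empty, fall
# back to everything since the merge base with the default branch, so a
# pipeline that yields a useless BEFORE..AFTER range still scans the branch.
robust_commit_list() {  # $1 = repo dir, $2 = before SHA, $3 = after SHA, $4 = default branch
  list=$(commit_list "$1" "$2" "$3")
  if [ -z "$list" ]; then
    base=$(git -C "$1" merge-base "$4" "$3")
    list=$(commit_list "$1" "$base" "$3")
  fi
  printf '%s\n' "$list"
}

# Stand-alone demonstration of both cases.
repo=$(make_repo)
main_sha=$(git -C "$repo" rev-parse main)
feat_sha=$(git -C "$repo" rev-parse feature)
echo "branch-style range (main..feature): $(count_commits "$repo" "$main_sha" "$feat_sha") commit(s)"
echo "empty range (before = after):       $(count_commits "$repo" "$feat_sha" "$feat_sha") commit(s)"
echo "empty range with fallback:          $(robust_commit_list "$repo" "$feat_sha" "$feat_sha" main | grep -c .) commit(s)"
rm -rf "$repo"
```

The second line of output is the situation the report describes: the command succeeds, the list is empty, and an analyzer driven by that file has nothing to scan. A job script that checks for an empty list before running the analyzer (and either falls back as above or scans the whole branch) turns a silent miss into a deliberate choice.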