Secret Detection should scan all commits on the current branch
Release notes
Secret-Detection checks all commits in the current branch for leaks instead of the last commit.
Problem to solve
By default, Secret Detection checks only the last commit. If earlier commits contain secrets, Secret Detection will not find them, so for merge requests without the squash option the leaked secrets end up in the main branch.
The option `SECRET_DETECTION_HISTORIC_SCAN`, on the other hand, allows scanning all commits, but "can take a long time, especially for larger repositories with lengthy Git histories."
Proposal
Secret Detection should be able to scan all commits in a branch for leaks, either by default (preferred, so that no leaks go undetected) or via an option.
Workaround
```yaml
# Secret-Detection for complete branch
secret_detection:
  variables:
    SECRET_DETECTION_LOG_OPTIONS: origin/${CI_DEFAULT_BRANCH}..HEAD # Check commits to default branch, e.g. main
  before_script:
    - git fetch origin ${CI_DEFAULT_BRANCH} # Needed for SECRET_DETECTION_LOG_OPTIONS
```

This will only check up to 50 commits; the limit can be raised by setting `GIT_DEPTH` in `variables` to a higher value.
Drawback: this checks commits up to the default branch, not up to the parent branch. For example, for a branch `B` of a branch `A` of `main`, the check within branch `B` will not only check the commits of branch `B`, but also the commits of branch `A` (up to `GIT_DEPTH` commits).
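The following script is an added example and not code from this issue or from GitLab's Secret Detection job. It builds a throwaway repository shaped like the drawback above (`main` -> `A` -> `B`), commits a constructed, obviously fake value matching a stand-in pattern `example_token_[0-9]+` on branch `A` and removes it in the next commit, and then compares what a last-commit-only check sees against the workaround's `origin/main..HEAD` range and against the range to the real parent branch `A..HEAD`. The `refs/remotes/origin/main` ref is created locally to stand in for what `git fetch origin main` provides in the CI job; the helper names (`make_repo`, `commits_in_range`, `leaks_in_range`, `leaks_in_last_commit`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the issue: shows which commits a log range covers
# and whether a constructed leak on a parent branch is found.
set -e

# Stand-in for a secret-detection rule; purely illustrative pattern.
FAKE_SECRET_RE='example_token_[0-9]+'

# Build main -> A -> B in a temporary repo and print its path.
make_repo() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    git init -q
    git symbolic-ref HEAD refs/heads/main
    git config user.email ci@example.invalid
    git config user.name ci
    echo 'config=1' > app.cfg
    git add app.cfg && git commit -qm 'main: base'
    git checkout -qb A
    echo 'token=example_token_12345' >> app.cfg   # constructed leak on A
    git commit -qam 'A: add token (leak)'
    echo 'config=2' > app.cfg                      # leak removed again on A
    git commit -qam 'A: remove token'
    git checkout -qb B
    echo 'feature=on' >> app.cfg
    git commit -qam 'B: feature'
    # Local stand-in for what `git fetch origin main` creates in CI.
    git update-ref refs/remotes/origin/main "$(git rev-parse main)"
  ) >/dev/null 2>&1
  echo "$dir"
}

# Number of commits a given log range makes the scanner look at.
commits_in_range() { git -C "$1" rev-list --count "$2"; }

# Number of added lines in the diffs of a range that match the pattern.
leaks_in_range() {
  git -C "$1" log -p --format= "$2" | grep -Ec "^\+.*$FAKE_SECRET_RE" || true
}

# Same check restricted to HEAD only, i.e. the default last-commit behaviour.
leaks_in_last_commit() {
  git -C "$1" show --format= HEAD | grep -Ec "^\+.*$FAKE_SECRET_RE" || true
}

main() {
  repo=$(make_repo)
  echo "commits in origin/main..HEAD: $(commits_in_range "$repo" origin/main..HEAD)"
  echo "commits in A..HEAD:           $(commits_in_range "$repo" A..HEAD)"
  echo "leaks in last commit only:    $(leaks_in_last_commit "$repo")"
  echo "leaks in A..HEAD:             $(leaks_in_range "$repo" A..HEAD)"
  echo "leaks in origin/main..HEAD:   $(leaks_in_range "$repo" origin/main..HEAD)"
  rm -rf "$repo"
}

main "$@"
```

Run on branch `B`, the `origin/main..HEAD` range covers three commits (two from `A`, one from `B`) and does find the leak that `A` introduced and later removed, while the last-commit check and the `A..HEAD` range see nothing: the wider range is what catches history leaks, and the extra commits from `A` are the cost the drawback describes.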