SECRET_DETECTION_HISTORIC_SCAN variable in Scan Execution Policy does not get applied to the secret_detection job
Summary
The `SECRET_DETECTION_HISTORIC_SCAN` variable is set to `true` in the scan execution policy, but it shows as `false` when the job runs.
Steps to reproduce
- Create a scan execution policy project.
- Add `.gitlab/security-policies/policy.yml` with this content:

  ```yaml
  ---
  scan_execution_policy:
    - name: Enforce DS in some branches
      description: Test for Santiago
      enabled: true
      rules:
        - type: pipeline
          branches:
            - '*.*.*'
            - main
            - master
            - secrets
      actions:
        - scan: secret_detection
          variables:
            SECRET_DETECTION_HISTORIC_SCAN: 'true'
            SECRET_DETECTION_EXCLUDED_PATHS: "build"
  ```

- Create a new project and select the policy project from step 2 as its security policy project. Add a `.gitlab-ci.yml` with a `before_script` that exports all environment variables:

  ```yaml
  before_script:
    - export
  ```

- Create a new pipeline on one of the branches defined in the policy YAML file (`main`, `master` or `secrets`).
- When the job runs, `SECRET_DETECTION_EXCLUDED_PATHS` shows the correct value of `build`; however, `SECRET_DETECTION_HISTORIC_SCAN` still shows `false`.
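To make the comparison in the last step repeatable rather than eyeballing the job log, here is an added example (not part of this issue and not GitLab code) that parses the `declare -x NAME="value"` lines bash prints for `export` and diffs them against the `variables:` block of the policy action. The policy variables are copied from the policy.yml above; the export output is a constructed excerpt that mirrors the observation in this report, not a real job log; function names such as `parse_export` and `find_mismatches` are my own.

```python
"""Check that variables enforced by a scan execution policy actually reached a CI job.

Compares the `variables:` block of the policy's `scan: secret_detection` action
against the output of `export` (bash prints `declare -x NAME="value"` per variable)
and reports every policy variable that is missing or carries a different value.
"""
import re
from typing import Dict, List, Optional, Tuple

# Variables the policy action sets, taken from the policy.yml in this report.
POLICY_VARIABLES: Dict[str, str] = {
    "SECRET_DETECTION_HISTORIC_SCAN": "true",
    "SECRET_DETECTION_EXCLUDED_PATHS": "build",
}

# Constructed excerpt of `export` output from the job (not a real job log).
SAMPLE_EXPORT_OUTPUT = """\
declare -x CI_JOB_NAME="secret_detection"
declare -x SECRET_DETECTION_EXCLUDED_PATHS="build"
declare -x SECRET_DETECTION_HISTORIC_SCAN="false"
declare -x SECURE_LOG_LEVEL="info"
"""

# One `export` line: name, optionally followed by a double-quoted value.
_DECLARE_RE = re.compile(r'^declare -x ([A-Za-z_][A-Za-z0-9_]*)(?:="(.*)")?$')


def parse_export(output: str) -> Dict[str, str]:
    """Parse bash `export` output into a name -> value dict.

    A variable exported without a value (`declare -x NAME`) maps to an empty
    string. The backslash escapes bash adds inside the quotes (\\" \\\\ \\$ \\`)
    are undone so the value matches what the job actually sees.
    """
    env: Dict[str, str] = {}
    for line in output.splitlines():
        m = _DECLARE_RE.match(line.strip())
        if not m:
            continue  # not an export line (e.g. blank or unrelated log output)
        name, raw = m.group(1), m.group(2)
        value = "" if raw is None else re.sub(r'\\([\\"$`])', r'\1', raw)
        env[name] = value
    return env


def find_mismatches(
    policy_vars: Dict[str, str], job_env: Dict[str, str]
) -> List[Tuple[str, str, Optional[str]]]:
    """Return (name, expected, actual) for each policy variable that is missing
    from the job environment or has a different value; empty list means the
    policy was applied as written."""
    mismatches: List[Tuple[str, str, Optional[str]]] = []
    for name, expected in policy_vars.items():
        actual = job_env.get(name)
        if actual != expected:
            mismatches.append((name, expected, actual))
    return mismatches


if __name__ == "__main__":
    job_env = parse_export(SAMPLE_EXPORT_OUTPUT)
    for name, expected, actual in find_mismatches(POLICY_VARIABLES, job_env):
        print(f"{name}: policy sets {expected!r}, job has {actual!r}")
```

Run it against the `export` section of the job log (or pipe the job's `export` output into `parse_export`); for the log excerpt above it reports only `SECRET_DETECTION_HISTORIC_SCAN`, since `SECRET_DETECTION_EXCLUDED_PATHS` arrived with the value the policy set.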
Example Project
Scan execution policy project: https://gitlab.com/gitlab-gold/emunn-test/scan-tests/scan-exec-policy-1
Test project: https://gitlab.com/gitlab-gold/emunn-test/scan-tests/gogo/-/tree/secrets
What is the current bug behavior?
`SECRET_DETECTION_HISTORIC_SCAN` shows `false` although it is set to `true` in the scan policy.
What is the expected correct behavior?
`SECRET_DETECTION_HISTORIC_SCAN` shows whatever value it was set to in the scan policy, which in this case should be `true`.
Relevant logs and/or screenshots
https://gitlab.com/gitlab-gold/emunn-test/scan-tests/gogo/-/jobs/3747258079
Output of checks
This bug happens on GitLab.com
/label reproduced on GitLab.com