Secrets found on branches other than the default branch are shown in the Vulnerability Report even if allowlisted
Summary
- Secrets found in a Git repository on branches other than the default, with SECRET_DETECTION_HISTORIC_SCAN set to true and the template Jobs/Secret-Detection.gitlab-ci.yml included, are introduced into the Vulnerability Report. This conflicts with what we state in the docs: "The Vulnerability Report provides information about vulnerabilities from scans of the default branch."
- Additional findings from a branch other than the default, which on that branch are allowlisted in the Location .gitlab/extended-gitleaks-config.toml via the [allowlist] regexes (for example regexes = ['''glpat-1234567890abcdefghij''',]), are shown as findings when this configuration is not present in the default branch.
Screenshot: Pipeline Security tab after the historic scan, findings from all branches shown.
Screenshot: Vulnerability Report after the historic scan, showing 2 findings which do not exist on the main branch but only on feature branches.
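For reference, this is the shape of the allowlist configuration the reproduction relies on. It is an added illustration, not the example project's own file; the token below is a constructed sample value, and the `[extend]` section and `paths` key follow the gitleaks configuration format used by the GitLab analyzer. The pipeline that triggers the behaviour includes the template `Jobs/Secret-Detection.gitlab-ci.yml` and sets `SECRET_DETECTION_HISTORIC_SCAN: "true"`.

```toml
# .gitlab/extended-gitleaks-config.toml (added illustration, not the project's file)

# Extend the ruleset packaged with the GitLab secret-detection analyzer instead
# of replacing it, so the built-in rules (including the GitLab PAT rule) still apply.
[extend]
path = "/gitleaks.toml"

# Global allowlist: matches against these regexes are not reported as findings
# on a branch that carries this file. As the report above describes, the literal
# pattern is itself token-shaped, so a scan running without this allowlist
# (for example the default branch during a historic scan) reports it as a leak.
[allowlist]
description = "Demo tokens used by the test pipeline (constructed sample values)"
regexes = [
  '''glpat-1234567890abcdefghij''',
]
# Optional: keep the allowlist file itself out of scope, so its regex literals
# are not flagged on branches where this configuration is in effect.
paths = [
  '''\.gitlab/extended-gitleaks-config\.toml$''',
]
```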
Steps to reproduce
- Fork the project [https://gitlab.com/universalamateur1/Universal-Security/demo-secret-detection-test-all].
- Merge branch 2-adding-the-gitlab-gitlab-ci-yml-file into main, then view the resulting pipeline as well as the Vulnerability Report afterwards.
Example Project
[https://gitlab.com/universalamateur1/Universal-Security/demo-secret-detection-test-all]
What is the current bug behavior?
Secrets found on other branches are found and added to the Vulnerability Report of the main branch, even if on those branches a gitleaks config exists which puts those secrets on an allowlist; in addition, the patterns in the config allowlist themselves are reported as findings.
What is the expected correct behavior?
- All secrets found on all branches are shown in the Security tab of the pipeline, but only those present on the main branch are shown in the Vulnerability Report.
- No secret found on other branches in .gitlab/extended-gitleaks-config.toml is shown as a vulnerability; it is shown directly as a false positive instead.
- For vulnerability findings in the Security tab of a pipeline, the branch where the finding was found is shown.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com