Shared remote configuration loader only loads SAST configuration, never Secret Detection
Summary
When attempting to specify a remote configuration for Secret Detection, the SAST ruleset loader does not load the .gitlab/secret-detection-ruleset.toml file.
Overriding, passthrough and disabling rules with a local secret-detection-ruleset.toml does work.
Steps to reproduce
- Create a remote configuration project, with directives to synthesize a custom configuration of Secret Detection:
  - In the project, create a .gitlab directory.
  - In the .gitlab directory, create a secret-detection-ruleset.toml, populated like so:

        [secrets]
        description = 'secrets custom rules configuration'

        [[secrets.passthrough]]
        type = "file"
        target = "gitleaks.toml"
        value = "ext-config.toml"

  - In the parent directory, create an ext-config.toml with the following, to allow a test PAT glpat-0123456789abcdef7890:

        # extended-gitleaks-config.toml
        title = "extension of gitlab's default gitleaks config"

        [extend]
        # Extends default packaged path
        path = "/gitleaks.toml"

        [allowlist]
        description = "allow list of test tokens to ignore in detection"
        regexTarget = "match"
        regexes = [
          '''glpat-0123456789abcdef7890''',
        ]

- Create a new project to use the remote configuration:
  - In the new project, create a .gitlab-ci.yml file containing an exposed test PAT secret and a test job, and enabling SAST. Set SECRET_DETECTION_RULESET_GIT_REFERENCE to the Git URL of the remote configuration, e.g.:

        stages:
          - test

        secrets:
          stage: test
          variables:
            secret: "glpat-0123456789abcdef7890"
            SECURE_LOG_LEVEL: debug
            SECRET_DETECTION_RULESET_GIT_REFERENCE: "$GITLAB_USER_NAME:$PAT@gitlab.com/gitlab-gold/mlockhart-support/429358-remote-config" # reference the remote project

        include:
          - template: Security/Secret-Detection.gitlab-ci.yml
Example Project
What is the current bug behavior?
Secret Detection does not apply the extended remote configuration. It prints a debug message that it could not find the SAST configuration file:
[DEBU] [secrets] [2023-07-17T05:16:29Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2@v2.0.2/ruleset.go:255] ▶ /tmp/glsastrulesetremoteref2447139002/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
What is the expected correct behavior?
When using a remote configuration referenced by SECRET_DETECTION_RULESET_GIT_REFERENCE, the correct .gitlab/secret-detection-ruleset.toml should be loaded.
Relevant logs and/or screenshots
Output of checks
(This occurs on GitLab.com)
Results of GitLab environment info
(This occurs on GitLab.com)
Results of GitLab application Check
(This occurs on GitLab.com)
Possible fixes
In the ruleset project, ruleset.go v2.0.3, L282-306, the PathSAST is always joined (line 303):

    // LoadRemote accepts a rulesetRef string and analyzer.
    // rulesetRef must point to an accessible remote repository to be cloned and have its ruleset path evaluated.
    // The remote repository must contain the default ruleset path with a valid {sast}-ruleset.toml file.
    // A single analyzer rule will be returned if one is found.
    func LoadRemote(rulesetRef string, analyzer string, logger GenericLogger) (*Config, error) {
    	if !customRulesetEnabled() {
    		return nil, &NotEnabledError{}
    	}
    	pt, err := ParseRulesetRef(rulesetRef)
    	if err != nil {
    		return nil, err
    	}
    	tmpDir, err := ioutil.TempDir("/tmp", "glsastrulesetremoteref")
    	if err != nil {
    		return nil, err
    	}
    	pt.Target = tmpDir
    	gitSource, err := cloneGit(*pt, logger)
    	if err != nil {
    		return nil, err
    	}
    	rulesetPath := filepath.Join(gitSource, PathSAST)
    	return buildConfig(rulesetPath, analyzer, gitSource)
    }

The line rulesetPath := filepath.Join(gitSource, PathSAST) always joins .gitlab/sast-ruleset.toml, never .gitlab/secret-detection-ruleset.toml.

This should handle the case for Secret Detection rulesets as well (PathSecretDetection), or else the path should be appended as parsed out of ParseRulesetRef in a generic fashion.
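As an added illustration (not code from the ruleset project), the following standalone Go program builds a constructed stand-in for the cloned remote configuration project that carries only a secret-detection ruleset, then runs the v2.0.3-style join beside an analyzer-aware one. The names rulesetPathFor, resolveRemoteRuleset and makeSecretsCheckout are hypothetical, and the two path constants are assumed to match the paths quoted in this report.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Named after the ruleset package constants; values assumed from the paths in this report.
const (
	PathSAST            = ".gitlab/sast-ruleset.toml"
	PathSecretDetection = ".gitlab/secret-detection-ruleset.toml"
)

// rulesetPathFor (hypothetical) picks the ruleset by analyzer instead of always using PathSAST as v2.0.3 does.
func rulesetPathFor(analyzer string) string {
	if analyzer == "secrets" {
		return PathSecretDetection
	}
	return PathSAST
}

// resolveRemoteRuleset stands in for the tail of LoadRemote after cloneGit
// (gitSource is the checkout); sastOnly=true reproduces the v2.0.3 join.
func resolveRemoteRuleset(gitSource, analyzer string, sastOnly bool) (string, error) {
	rel := PathSAST
	if !sastOnly {
		rel = rulesetPathFor(analyzer)
	}
	p := filepath.Join(gitSource, rel)
	if _, err := os.Stat(p); err != nil {
		return p, fmt.Errorf("%s not found, ruleset support will be disabled", p)
	}
	return p, nil
}

// makeSecretsCheckout: constructed stand-in for the cloned remote project, holding only a secret-detection ruleset.
func makeSecretsCheckout() string {
	dir, _ := os.MkdirTemp("", "glsastrulesetremoteref")
	file := filepath.Join(dir, PathSecretDetection)
	_ = os.MkdirAll(filepath.Dir(file), 0o755)
	_ = os.WriteFile(file, []byte("[secrets]\ndescription = 'custom'\n"), 0o644)
	return dir
}

func main() {
	dir := makeSecretsCheckout()
	defer os.RemoveAll(dir)
	_, bug := resolveRemoteRuleset(dir, "secrets", true) // v2.0.3: sast-ruleset.toml not found
	p, fix := resolveRemoteRuleset(dir, "secrets", false)
	fmt.Println(bug, "|", p, fix)
}
```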