Security secret detection scan doesn't pick up remote ruleset
Summary
The documentation describes how a ruleset from a remote repository can be used for secret detection scans, but remote rulesets appear to be ignored: the same ruleset filters a finding when it lives in the scanned project, yet has no effect when referenced via `SECRET_DETECTION_RULESET_GIT_REFERENCE`.
Steps to reproduce
- Create a public project.
- Add a new file `.gitlab/secret-detection-ruleset.toml` with content:

```toml
[secrets]
[[secrets.ruleset]]
disable = true
[secrets.ruleset.identifier]
type = "gitleaks_rule_id"
value = "RSA private key"
```

- Add a new file `.gitlab-ci.yml` with content:

```yaml
include:
  template: Jobs/Secret-Detection.gitlab-ci.yml
```

- Create a new MR on the project that introduces a new file `privatekey` with content:

```
-----BEGIN RSA PRIVATE KEY-----
123
-----END RSA PRIVATE KEY-----
```

- Wait for the pipeline to finish and check the pipeline Security tab.
- There should be no vulnerability, because it got filtered out by the ruleset. This shows that a local ruleset works.
- Create a new project.
- Add a new file `.gitlab-ci.yml` with the following content, replacing `{{PATH_TO_YOUR_RULESET_PROJECT}}` with the path to your ruleset project:

```yaml
include:
  template: Jobs/Secret-Detection.gitlab-ci.yml

variables:
  SECRET_DETECTION_RULESET_GIT_REFERENCE: 'gitlab.com/{{PATH_TO_YOUR_RULESET_PROJECT}}'
```

- Create a new MR on the project that introduces a new file `privatekey` with content:

```
-----BEGIN RSA PRIVATE KEY-----
123
-----END RSA PRIVATE KEY-----
```

- Wait for the pipeline to finish and check the pipeline Security tab.
- It shows a new vulnerability even though the remote ruleset file should filter it out.
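To make the expected behaviour of both procedures concrete, the following is an added example (not GitLab's or gitleaks' own code) that applies the `disable` entries of the ruleset above to a constructed list of gitleaks-style findings. It assumes the findings carry their rule id in a `RuleID` field, as gitleaks' JSON report does, and uses the standard-library `tomllib` parser (Python 3.11+, with `tomli` as a fallback). Running it shows what the Security tab should contain once the ruleset is honoured: the RSA private key finding is dropped and any other finding is kept, regardless of whether the ruleset came from the scanned project or from a remote project.

```python
"""Added example: apply a secret-detection ruleset's `disable` entries to
gitleaks-style findings. Mirrors the filtering the bug report expects for
both the local and the remote ruleset."""
import json

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Ruleset content copied from the report (same file either way, local or remote).
RULESET_TOML = """
[secrets]
[[secrets.ruleset]]
disable = true
[secrets.ruleset.identifier]
type = "gitleaks_rule_id"
value = "RSA private key"
"""

# Constructed findings in the shape of a gitleaks JSON report (field names assumed).
FINDINGS_JSON = json.dumps([
    {"RuleID": "RSA private key", "File": "privatekey", "StartLine": 1},
    {"RuleID": "AWS", "File": "config.env", "StartLine": 3},
])


def disabled_rule_ids(ruleset_toml: str) -> set:
    """Collect the gitleaks rule ids that the ruleset marks `disable = true`."""
    data = tomllib.loads(ruleset_toml)
    disabled = set()
    for entry in data.get("secrets", {}).get("ruleset", []):
        ident = entry.get("identifier", {})
        if entry.get("disable") and ident.get("type") == "gitleaks_rule_id":
            disabled.add(ident.get("value"))
    return disabled


def apply_ruleset(findings_json: str, ruleset_toml: str) -> list:
    """Return the findings that survive the ruleset's disabled rules."""
    disabled = disabled_rule_ids(ruleset_toml)
    findings = json.loads(findings_json)
    return [f for f in findings if f.get("RuleID") not in disabled]


if __name__ == "__main__":
    for finding in apply_ruleset(FINDINGS_JSON, RULESET_TOML):
        print(f"{finding['File']}:{finding['StartLine']} {finding['RuleID']}")
```

The same filter is what the report expects the scanner to apply in step two; a remote ruleset that leaves the `RSA private key` finding in the list is the behaviour being reported.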