Document user workflows for Secret Detection

Problem to solve

We would like to document the user workflows our group is responsible for. By documenting these workflows, we’ll be able to identify any gaps in test coverage and work with the Test Engineering Team in order to get automated testing set up to cover those gaps. In addition to this, I see this contributing to our efficiency by giving our support engineers a place to reference for how our workflows are expected to work, therefore reducing the number of requests for help we get.

Proposal

We should document all customer-facing workflows that groupsecret detection is responsible for. Then collaborate with Test Engineering Team to ensure there is an E2E test set up for each workflow/scenario, or come up with a plan to address the gaps.

How we measure success

• Identify all customer facing workflows/journeys
• E2E tests exist for all workflows
• Decide on how we want to capture this data (standard format, spreadsheet, etc.)
• Create a repository of example projects that we can use for manually testing these workflows when necessary
• Document a process for ensuring E2E tests are created for any new workflow/feature we create.

Known workflows (WIP)

The scenarios listed below are what we used to test updating the latest CI/CD Template to stable in [Spike] Determine if latest secret detection CI... (#509772 - closed) • Vishwa Bhat • 17.9 • On track. Workflow diagram forthcoming.

Scenario 1: The latest CI/CD template is chosen for the Scan Execution Policy

• When .gitlab-ci.yml file is NOT present in the project (SEP internally creates one but won't be visible in the project)
  • A branch pipeline is created for every commit to a branch. However, when an MR is created for that branch, neither the MR pipeline nor the Branch pipeline is triggered. This behavior causes MR to be mergeable effectively bypassing SEP.
  • However, when using the stable SD CI template, a branch pipeline is created for every commit regardless of whether an MR is created for that branch. Note that the MR security widget shows only the latest branch pipeline result due to the same situation present for other scenarios.
• When .gitlab-ci.yml file is already present in the project
  • A branch pipeline is created for every commit to a branch. When an MR is created for that branch, the MR pipeline is triggered.
  • The vulnerability Report and MR security widget behave as expected for all the test scenarios followed when using latest template without SEP.
• Sample projects used for testing: Policy Project | Test Project

Conclusion: When .gitlab-ci.yml file is already present in the project, all the test scenarios worked as expected . However, when .gitlab-ci.yml file is NOT present in the project, the MR pipeline is NOT created when the policy is created with the latest SD template . I didn't dig into this further as it was not in the scope of the spike, I could look at it after completing this spike task.

Scenario 2: Using latest CI/CD template for a new project

• Scenarios tested:
  • Introduce a secret in a commit before creating MR to trigger the Branch pipeline. Verify if the analyzer detects the secret in the vulnerability report
  • Introduce a secret in a commit in a new branch and then Create MR. Verify if the MR widget shows the existing secret finding that was introduced before creating MR
  • Introduce a secret in a commit after creating MR to trigger the MR pipeline. Verify if the analyzer detects the secret and the MR widget shows the secret finding
  • Introduce a secret in the middle of the commit chain in the source branch after creating MR. Verify if the analyzer detects the secret and the MR widget shows the secret finding
• Sample project used for testing: link

Conclusion: For a customer who is starting a new project without Scan Execution Policies or ADO, the latest template change works as expected for the above test scenarios

Note: In case you have any scenario in mind that I missed to consider, feel free to add it as a comment under this post. I'll run the test in that scenario and post the results.

Scenario 3: Migrating from existing stable template to latest template (without SEP/ADO)

• Currently, the stable template isn't configured to run the SD analyzer in MR pipelines. Due to the missing MR pipeline, the MR security widget ends up showing the source branch's latest branch pipeline results in the widget. This confused some customers thinking the secret findings detected for the initial commit later "disappeared" after making subsequent secretless commits in the MR widget.
• After switching to the latest template:
  • For a new branch, every commit pushed resulted in triggering a Branch pipeline. If a commit contained a secret, the analyzer included the secret finding in the pipeline's vulnerability report.
  • When an MR is created for a branch, for every commit pushed to the source branch, an MR pipeline is triggered instead of a Branch pipeline. The analyzer ran the scan on all the commits of the source branch instead of choosing only the latest commit (as it happened for the stable template). This resulted in including all the secret findings detected across the commits in the MR pipeline's vulnerability report and thereby in the MR security widget too.
• Sample project used for testing: link

Conclusion: For an existing customer who is not using Scan Execution Policies or ADO, moving the latest template changes to stable template works as expected

Scenario 4 - AutoDevOps (ADO)

• ADO CI/CD Template link for reference.
• ADO doesn't support the MR pipeline so it refers to stable SD template. Needless to say, changing the SD template to latest wouldn't make any difference.
• MR Security widget considers only the latest commit's branch pipeline results instead of all the commits in the source branch. This leads to showing secret findings in the widget only if the latest commit has any secret committed in it.
• Based on the proposal suggested in MR pipeline support in the Sec templates issue, we'll likely drop the support for MR pipelines in ADO due to implementation efforts. As per the timeline, this decision should be made soon.

Conclusion: We might not provide MR pipeline support for Secret Detection in the projects using Auto DevOps (Decision pending).

changed milestone to %16.10

assigned to @amarpatel

added Category:Secret Detection devopssecure groupstatic analysis maintenancetest-gap sectionsec typemaintenance labels

changed the description

added to epic &12820 (closed)

mentioned in epic &12820 (closed)

marked this issue as related to #434986 (closed)

@eurie Can you drive defining how we should capture this data, and what information should be included that would make testing the workflows manually in the Cells 1.0 POC environment easier?

assigned to @eurie

FYI @twoodham @hyan3 I've opened up this issue to document our Secret Detection workflows. Once we've worked out a standard/format for capturing that data, you could use the same approach to do the same for SAST/IaC. Let me know if you have any questions or feedback on this!

changed due date to February 23, 2024

Format brainstorming

• What format should we capture these customer workflows in?
• What additional info for each workflow should we document in order to make testing in the POC environment easier?

I found a few examples that might give us some inspiration on how we could capture this data:

• groupauthentication's spreadsheet
• Example from the Cells Handbook page

I like the tabular design of the above spreadsheet. Linking to the relevant documentation for each workflow would be useful.

I've created a proposed document here which I also linked in lower comments.

I added columns to indicate whether the workflow has been tested on the POC as well as whether it works on Cell 1 and/or Cell 2.

Going through these I'm thinking of them more like User stories and that's helped me come up with more.

Customer Workflows

@eurie @serenafang @ahmed.hemdan @rossfuhrman @vbhat161 @djadmin During one of our recent weekly syncs (internal only), we discussed brainstorming and capturing the different Secret Detection workflows that we need to test in the Cells 1.0 PoC environment. Can you please take some time to brainstorm and list out any workflows that you think would be beneficial to test out? We'll also use this list in the future to identify any gaps in our end to end testing, and create tests for those that are missing (OKR for context).

CC @cmutua @willmeek

I'll start with a few off the top of my head:

• Enabling Secret Detection
• Automatically revoking a glpat token and confirm email was sent
• full history scan on a repo

• Using a FIPS-enabled image
• Remote configuration - Using a custom CA

• Merge request pipelines

• MR Widget displays security findings correctly
• Partners are notified when a secret is detected

I'm going to capture these, for the time being, in this doc

@serenafang As we discussed in our 1:1, do you mind driving this effort while @eurie is on PTO? The primary focus of this ask will be identifying all the relevant workflows that we should test. Let me know if you have any questions!

assigned to @serenafang

added Category:SAST label

changed milestone to %16.11

added missed:16.10 label

changed milestone to %17.0

added missed:16.11 label

mentioned in issue #434986 (closed)

changed milestone to %17.1

added missed:17.0 label

changed milestone to %17.2

added missed:17.1 label

added groupsecret detection label and removed Category:SAST groupstatic analysis labels

changed milestone to %17.3

added missed:17.2 label

changed milestone to %17.4

added missed:17.3 label

changed milestone to %17.5

added missed:17.4 label

changed milestone to %17.6

added missed:17.5 label

changed milestone to %17.7

added missed:17.6 label

changed milestone to %17.8

added missed:17.7 label

changed milestone to %17.9

added missed:17.8 label

closed

changed the description

@abellucci I'm reopening this but reframing it so we can address our group's test gaps in E2E testing our user workflows.

FYI @willmeek - I wanted to put this on your radar and get your feedback on the proposal. If it's easier, I'd be happy to set up a coffee chat to discuss what I had in mind! Let me know what you think.

@amarpatel - Thanks for creating this issue. I've added a section for Known Workflows. It's a work in progress based off of the work @vbhat161 did on [Spike] Determine if latest secret detection CI... (#509772 - closed). Vishwa is also finalizing a visual flow diagram of the workflows. Once we have that I will work to finalize this section. (Thank you Vishwa for capturing these workflows!!!)

reopened

removed from epic &12820 (closed)

changed milestone to %Backlog

removed missed:16.10 label

removed missed:16.11 label

removed missed:17.0 label

removed missed:17.1 label

removed missed:17.2 label

removed missed:17.3 label

removed missed:17.4 label

removed missed:17.5 label

removed missed:17.6 label

removed missed:17.7 label

removed missed:17.8 label

added workflowplanning breakdown label

removed due date February 23, 2024

unassigned @eurie and @serenafang

changed the description

@amarpatel @abellucci I captured all the possible SD workflows (to my understanding) on a mind map. Feel free to comment here if I missed any particular scenario.

Secret Detection Workflows

All the possible scenarios where one or more secrets could be detected within a source repository.

Click to expand mermaid diagram for Secret Detection Workflows

flowchart LR
    SW[Secret Detection Workflows]
    
    %% Create New Branch Scenario
    CNB[Create New Branch]
    S1[Introduce a secret in the commit]
    BP1[Triggers Branch Pipeline]
    OB1[Observation: A secret finding in the Security Report]
    MR1[Create Merge Request]
    MP1[Triggers MR Pipeline]
    OM1[Observation: A secret finding shown in both MR Security Widget & Security Report]
    AS1[Introduce another secret to the branch]
    MP2[Triggers MR Pipeline]
    OM2[Observation: Two secret findings shown in both MR Security Widget & Security Report]
    NC1[Introduce commits without secrets]
    MP3[Triggers MR Pipeline]
    OM3[Observation: Initial secret finding still shown in both MR Security Widget & Security Report]
    
    SW --> CNB
    CNB --> S1
    S1 --> BP1
    BP1 --> OB1
    S1 --> MR1
    MR1 --> MP1
    MP1 --> OM1
    MR1 --> AS1
    AS1 --> MP2
    MP2 --> OM2
    MR1 --> NC1
    NC1 --> MP3
    MP3 --> OM3
    
    %% Existing Branch without Secrets
    EBW[Existing Branch w/o existing secrets]
    S2[Introduce first secret in commit]
    BP2[Triggers Branch Pipeline]
    OB2[Observation: A secret finding in the Security Report]
    MR2[Create Merge Request]
    MP4[Triggers MR Pipeline]
    OM4[Observation: A secret finding shown in both MR Security Widget & Security Report]
    AS2[Introduce another secret to the branch]
    MP5[Triggers MR Pipeline]
    OM5[Observation: Two secret findings shown in both MR Security Widget & Security Report]
    NC2[Introduce commits without secrets]
    MP6[Triggers MR Pipeline]
    OM6[Observation: Initial secret finding still shown in both MR Security Widget & Security Report]
    
    SW --> EBW
    EBW --> S2
    S2 --> BP2
    BP2 --> OB2
    S2 --> MR2
    MR2 --> MP4
    MP4 --> OM4
    MR2 --> AS2
    AS2 --> MP5
    MP5 --> OM5
    MR2 --> NC2
    NC2 --> MP6
    MP6 --> OM6
    
    %% Existing Branch with Secrets
    EBS[Existing Branch w/ existing secrets]
    S3[Introduce a secret in commit]
    BP3[Triggers Branch Pipeline]
    OB3[Observation: New & existing secret findings in Security Report]
    MR3[Create Merge Request]
    MP7[Triggers MR Pipeline]
    OM7[Observation: New & existing secret findings in MR Security Widget & Security Report]
    AS3[Introduce another secret to branch]
    MP8[Triggers MR Pipeline]
    OM8[Observation: Two new secret findings & existing findings in MR Security Widget & Security Report]
    NC3[Introduce commits without secrets]
    MP9[Triggers MR Pipeline]
    OM9[Observation: Initial secret finding still shown in both MR Security Widget & Security Report]
    
    SW --> EBS
    EBS --> S3
    S3 --> BP3
    BP3 --> OB3
    S3 --> MR3
    MR3 --> MP7
    MP7 --> OM7
    MR3 --> AS3
    AS3 --> MP8
    MP8 --> OM8
    MR3 --> NC3
    NC3 --> MP9
    MP9 --> OM9

    %% Styling
    class OB1,OB2,OB3,OM1,OM2,OM3,OM4,OM5,OM6,OM7,OM8,OM9 observation

Feature Workflows

All the possible workflows from the SD analyzer's feature-offering viewpoint.

Click to expand mermaid diagram for Feature Workflow

flowchart LR
    FW[Feature Workflow]
    
    %% Scan Types
    ST[Scan Types]
    HS[Historic Scan]
    LCS[Latest Commit Scan]
    GRS[Git Range Commit Scan]
    SS[Snapshot Scan no git reference]
    
    FW --> ST
    ST --> HS
    ST --> LCS
    ST --> GRS
    ST --> SS
    
    %% Rulesets
    RS[Rulesets]
    FW --> RS
    
    %% Using Default Ruleset
    DR[Using Default Ruleset]
    RS --> DR
    
    %% Extending Default Ruleset
    EDR[Extending Default Ruleset]
    LF1[via Local File]
    RF1[via Remote Repository file]
    
    RS --> EDR
    EDR --> LF1
    EDR --> RF1
    
    %% Override Default Ruleset
    ODR[Override Default Ruleset]
    SRC[Sources]
    LF2[Local File]
    RF2[Remote Repository file]
    
    AA[Allowed Actions]
    DER[Disable Existing Rule]
    OER[Override Existing Rule]
    
    RS --> ODR
    ODR --> SRC
    SRC --> LF2
    SRC --> RF2
    ODR --> AA
    AA --> DER
    AA --> OER
    
    %% Replace Default Ruleset
    RDR[Replace Default Ruleset]
    RGU[Remote Git repository URL]
    PR[Public Repository]
    PRV[Private Repository access via Username and Password]
    LF3[Local File]
    IP[Inline Passthrough]
    RU[Remote URL]
    
    RS --> RDR
    RDR --> RGU
    RGU --> PR
    RGU --> PRV
    RDR --> LF3
    RDR --> IP
    RDR --> RU
    
    %% Allowlist
    AL[Allowlist]
    RP[Rule Patterns]
    FP[File Paths]
    IA[Inline via #gitleaks:allow]
    
    RS --> AL
    AL --> RP
    AL --> FP
    AL --> IA
    
    %% Styling
    class ST,RS,EDR,ODR,RDR,AL category

End-to-End Secret Detection Analyzer Paths

This contains the cumulative paths of every combination of Detection workflow + Feature workflow and the trigger source for the Secret analyzer.

Click to expand mermaid diagram for E2E Secret Detection Analyzer Paths

flowchart LR
    A[E2E Secret Detection Analyzer Paths]
    
    B[Using Scan Execution Policies]
    C[Using in GitLab CI/CD]
    D[Using AutoDevOps]
    
    A --> B
    A --> C
    A --> D
    
    B1[No gitlab-ci.yml template]
    B2[gitlab-ci.yml template present]
    B --> B1
    B --> B2
    
    B1A[On-demand trigger]
    B1B[Scheduled]
    B1 --> B1A
    B1 --> B1B
    
    B1A1[Scenarios + Feature Workflow combination]
    B1A --> B1A1
    
    B1B1[First schedule run]
    B1B2[Second schedule or later]
    B1B --> B1B1
    B1B --> B1B2
    
    B1B1A[Runs Historic Secret Detection Scan]
    B1B1 --> B1B1A
    B1B1A1[Observation: Findings for all secrets in configured branch]
    B1B1A --> B1B1A1
    
    B1B2A[Runs Secret Detection on latest commit]
    B1B2 --> B1B2A
    B1B2A1[Observation: Findings for all secrets in configured branch]
    B1B2A --> B1B2A1
    
    B2A[On-demand trigger]
    B2B[Scheduled]
    B2 --> B2A
    B2 --> B2B
    
    B2A1[Scenarios + Feature Workflow combination]
    B2A --> B2A1
    
    B2B1[First schedule run]
    B2B2[Second schedule or later]
    B2B --> B2B1
    B2B --> B2B2
    
    B2B1A[Runs Historic Secret Detection Scan]
    B2B1 --> B2B1A
    B2B1A1[Observation: Findings for all secrets in configured branch]
    B2B1A --> B2B1A1
    
    B2B2A[Runs Secret Detection on latest commit]
    B2B2 --> B2B2A
    B2B2A1[Observation: Findings for all secrets in configured branch]
    B2B2A --> B2B2A1
    
    C1[Stable CI/CD Template]
    C2[Latest CI/CD Template]
    C --> C1
    C --> C2
    
    C1A[Run Secret Detection + Feature Workflow combination]
    C2A[Run Secret Detection + Feature Workflow combination]
    C1 --> C1A
    C2 --> C2A
    
    D1[via Settings in GitLab UI]
    D2[via AutoDevOps CI/CD Template]
    D --> D1
    D --> D2
    
    D1A[Run Secret Detection + Feature Workflow combination]
    D2A[Run Secret Detection + Feature Workflow combination]
    D1 --> D1A
    D2 --> D2A

I've also attached source file of the mindmap for your reference.

Click to expand overall mindmap image

SD Plain Text.txt

SD Mindnode Source.mindnode

mentioned in merge request !179652

mentioned in issue #509772 (closed)

mentioned in issue #517690