Display success message if secret push protection found no secrets

Proposal

There was some feedback on internal dogfooding of Secret Push Protection:

Some early feedback on the feature. Once we enabled pre-receive SD, I was expecting to see some kind of log message while I was pushing commits. However, I couldn't see anything and that made me think if the feature is working in the first place. It would be nice if there is a logging message mentioning that no secrets were detected.

When secret push protection finds a secret in the user's commits, we show a message like this:

image

We should also show a message when no secrets are found. After consideration the following message was chosen:

Secret push protection completed with no findings.

Issue Refinement Progress

If a checkbox is not relevant for the issue, please remove it.

  • This issue describes a problem to solve, or a task to complete, and it's confirmed.
  • This issue describes a proposal or an implementation plan that outlines a way to solve the problem or complete the task.
  • This issue is the smallest iteration possible and doesn't require further break down.
  • This issue has a weight set, based on how many tasks or merge requests are required, and the needs weight label is removed.
  • This issue is labeled correctly.
  • This issue is reviewed by another team member to confirm strategy and estimate.
  • Finally, add the workflow::ready for development label to this issue.

Implementation plan

Based on this discussion about SPP message display mechanisms, I've updated the implementation plan:

Use PostReceiveService to output a message after the push is successfully received:


if secret_push_protection_ran_successfully?
  response.add_basic_message("Secret push protection completed with no findings.")
end

Pros:

  • Simpler implementation, similar to MR creation messages
  • Works in the post-receive phase where SPP has already completed
  • No need for Redis persistence

Cons:

  • Message appears after the push completes (not during pre-receive)

Implementation Steps

Add conditional message in PostReceiveService#execute:

   if secret_push_protection_enabled? && secret_push_protection_completed_successfully?
     response.add_basic_message("Secret push protection completed with no findings.")
   end

Old implementation plan

Add a success message to ee/lib/gitlab/checks/secrets_check.rb, displayed when the status is ::Gitlab::SecretDetection::Status::NOT_FOUND.

  • Add console message to ee/lib/ee/gitlab/git_access.rb or perhaps a GitAccessResult::CustomAction with the success message.

Note: Check this comment which has a suggested implementation plan that may work better.

Edited by Ahmed Hemdan
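
The guard from the Implementation Steps above, as an added, self-contained Ruby sketch that is not GitLab's code or part of the original issue. `ScanOutcome`, `FakeResponse`, the status symbols and the sample outcomes are hypothetical stand-ins, and treating a skipped or timed-out scan as "not completed successfully" is an assumption about what that predicate should mean.

```ruby
# Added illustration; the classes and status symbols below are stand-ins,
# not GitLab's PostReceiveService or its secret detection status constants.
SUCCESS_MESSAGE = "Secret push protection completed with no findings."

# Hypothetical record of what the pre-receive scan did for one push.
ScanOutcome = Struct.new(:enabled, :status, keyword_init: true)

# Minimal stand-in for the post-receive response that collects messages.
class FakeResponse
  attr_reader :messages

  def initialize
    @messages = []
  end

  def add_basic_message(text)
    @messages << text
  end
end

# Assumption: only a scan that ran to completion and found nothing counts.
# Skipped, timed-out or errored scans stay silent, so the user is never told
# "no findings" for content that was not actually scanned.
def secret_push_protection_completed_successfully?(outcome)
  outcome.status == :not_found
end

def add_secret_push_protection_message(response, outcome)
  if outcome.enabled && secret_push_protection_completed_successfully?(outcome)
    response.add_basic_message(SUCCESS_MESSAGE)
  end
  response
end

def messages_for(outcome)
  add_secret_push_protection_message(FakeResponse.new, outcome).messages
end

# Constructed outcomes covering the cases the guard has to tell apart.
SAMPLE_OUTCOMES = {
  clean_push:   ScanOutcome.new(enabled: true,  status: :not_found),
  feature_off:  ScanOutcome.new(enabled: false, status: nil),
  scan_skipped: ScanOutcome.new(enabled: true,  status: :skipped),
  scan_timeout: ScanOutcome.new(enabled: true,  status: :timeout)
}.freeze

SAMPLE_OUTCOMES.each { |name, o| puts "#{name}: #{messages_for(o).inspect}" }
```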