SECRET_DETECTION_EXCLUDED_PATHS doesn't seem to be used by secrets
Hello,
I wanted to exclude a file from secrets detection scanning in one of my projects. Based on the documentation I had to add the variable SECRET_DETECTION_EXCLUDED_PATHS in my CI, so I added it to my .gitlab-ci.yaml file like this:
variables:
  SECRET_DETECTION_EXCLUDED_PATHS: "/code/my_credentials.txt"
But the secrets detection step kept raising warnings.
I tested it locally with Docker:
rm -f gl-secret-detection-report.json; docker run -e SECRET_DETECTION_EXCLUDED_PATHS="/code/my_credentials.txt" -v /home/me/dev/project/:/code/ --rm -it registry.gitlab.com/gitlab-org/security-products/analyzers/secrets /analyzer run --target-dir /code
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ GitLab secrets analyzer v5.2.7
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ Detecting project
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ Loading ruleset for /code
[WARN] [secrets] [2024-05-24T12:56:57Z] ▶ /code/.gitlab/secret-detection-ruleset.toml not found, ruleset support will be disabled.
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ Running analyzer
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ ○
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ │╲
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ │ ○
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ ○ ░
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ ░ gitleaks
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ 12:56PM INF scan completed in 89.4ms
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ 12:56PM WRN leaks found: 1
[INFO] [secrets] [2024-05-24T12:56:57Z] ▶ Creating report
Still detected despite the env variable being set. Getting a bit curious, and knowing it is using gitleaks underneath, I launched a shell in the docker image and called the analyzer manually, listing the processes too:
rm /code/gl-secret-detection-report.json; SECRET_DETECTION_EXCLUDED_PATHS="/code/my_credentials.txt" /analyzer run --target-dir /code & (sleep 0.1; ps aux)
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ GitLab secrets analyzer v5.2.7
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ Detecting project
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ Loading ruleset for /code
[WARN] [secrets] [2024-05-24T13:09:38Z] ▶ /code/.gitlab/secret-detection-ruleset.toml not found, ruleset support will be disabled.
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ Running analyzer
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ ○
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ │╲
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ │ ○
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ ○ ░
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ ░ gitleaks
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶
PID USER TIME COMMAND
1 root 0:00 /bin/sh
203 root 0:00 /analyzer run --target-dir /code
204 root 0:00 ps aux
210 root 0:00 gitleaks detect --report-path /tmp/gitleaks-2256830928.json --report-format json --source /code --config /gitleaks.toml --exit-code 0 --log-level info --no-git
/ # [INFO] [secrets] [2024-05-24T13:09:38Z] ▶ 1:09PM INF scan completed in 79.6ms
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ 1:09PM WRN leaks found: 1
[INFO] [secrets] [2024-05-24T13:09:38Z] ▶ Creating report
[1]+ Done /analyzer run --target-dir /code
I looked at gitleaks.toml, passed as an option to gitleaks, and was surprised that the path from SECRET_DETECTION_EXCLUDED_PATHS doesn't appear there. I then took a look at the source code of secrets and didn't see any real usage of SECRET_DETECTION_EXCLUDED_PATHS, which led me to the current issue.
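As an added illustration (not part of this report, nor code from the GitLab analyzer): a post-processing filter that applies the exclusion list to the generated gl-secret-detection-report.json, which is one way to obtain the intended effect while the analyzer does not pass the variable through to gitleaks. It assumes the variable is a comma-separated list of paths (absolute under the target dir or relative to it) and that report findings sit under "vulnerabilities" with a "location.file" path relative to the scanned directory; the sample report below is constructed.

```python
import fnmatch
import json
import os
from typing import Iterable

# Constructed sample in the shape of gl-secret-detection-report.json, reduced
# to the fields this filter needs (assumption: "vulnerabilities[].location.file").
SAMPLE_REPORT = {
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "a", "name": "Generic API key",
         "location": {"file": "my_credentials.txt", "start_line": 3}},
        {"id": "b", "name": "AWS access key",
         "location": {"file": "src/config.py", "start_line": 12}},
    ],
}


def parse_excluded_paths(value: str, target_dir: str = "/code") -> list[str]:
    """Split the comma-separated variable and make each entry relative to the
    scanned directory, so "/code/my_credentials.txt" and "my_credentials.txt"
    both become "my_credentials.txt"."""
    out = []
    for raw in value.split(","):
        p = raw.strip()
        if not p:
            continue
        if os.path.isabs(p):
            p = os.path.relpath(p, target_dir)
        out.append(p)
    return out


def is_excluded(path: str, patterns: Iterable[str]) -> bool:
    """A finding is excluded if its file equals a pattern, lies below a pattern
    that names a directory, or matches the pattern as a glob."""
    for pat in patterns:
        if path == pat or path.startswith(pat.rstrip("/") + "/"):
            return True
        if fnmatch.fnmatch(path, pat):
            return True
    return False


def filter_report(report: dict, excluded: str, target_dir: str = "/code") -> dict:
    """Return a copy of the report without findings in excluded paths."""
    patterns = parse_excluded_paths(excluded, target_dir)
    kept = [v for v in report.get("vulnerabilities", [])
            if not is_excluded(v["location"]["file"], patterns)]
    return {**report, "vulnerabilities": kept}


if __name__ == "__main__":
    # In a job this would read and rewrite gl-secret-detection-report.json.
    excluded = os.environ.get("SECRET_DETECTION_EXCLUDED_PATHS", "/code/my_credentials.txt")
    print(json.dumps(filter_report(SAMPLE_REPORT, excluded), indent=2))
```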