Document Push Protection limitation around scanning blobs outside of diffs
Problem to solve
There is currently a limitation in how we scan code during Secret Push Protection where we scan the entire file contents affected by a given code push. Because we do not have the context of the diff itself (i.e. a modification on line 5), Gitaly provides the entire file contents, and we can report a secret as present even if it's outside the scope of the push.
Proposal
- Document limitation around blocking out-of-diff secrets during Category:Secret Detection push protection
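
The limitation described above, as an added example that is not GitLab's or Gitaly's code: a whole-blob scan reports a token on a line the push never touched, and comparing against the previous blob shows the finding is out-of-diff. The token format, regex, and sample files are constructed for illustration.

```python
import difflib
import re

# Hypothetical rule for this example: a made-up token format,
# not one of GitLab's secret detection rules.
TOKEN_RE = re.compile(r"\bexampletok_[A-Za-z0-9]{20}\b")
SAMPLE_TOKEN = "exampletok_" + "A" * 20  # constructed value

# Constructed blobs: the token on line 2 was committed earlier;
# the push only modifies line 5.
OLD_BLOB = "\n".join([
    "[service]",
    "api_token = " + SAMPLE_TOKEN,
    "host = internal.example",
    "port = 8080",
    "timeout = 30",
]) + "\n"
NEW_BLOB = OLD_BLOB.replace("timeout = 30", "timeout = 60")


def scan_blob(blob):
    """Whole-file scan: 1-based line numbers of every match in the blob."""
    return [n for n, line in enumerate(blob.splitlines(), 1)
            if TOKEN_RE.search(line)]


def changed_lines(old, new):
    """1-based line numbers in `new` that the push added or modified."""
    matcher = difflib.SequenceMatcher(
        None, old.splitlines(), new.splitlines(), autojunk=False)
    changed = set()
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "insert"):
            changed.update(range(j1 + 1, j2 + 1))
    return changed


def classify(old, new):
    """Split whole-blob findings into in-diff and out-of-diff lines."""
    touched = changed_lines(old, new)
    findings = scan_blob(new)
    return {
        "in_diff": [n for n in findings if n in touched],
        "out_of_diff": [n for n in findings if n not in touched],
    }


if __name__ == "__main__":
    print(classify(OLD_BLOB, NEW_BLOB))
```

A scanner that only sees the new blob, as in the issue, has no `old` to compare against, so both kinds of finding look identical to it.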