Enable secret push protection for all GitLab owned projects
Overview
To prevent secrets from being pushed to GitLab-owned projects, we should enable Secret Push Protection for every project under the GitLab umbrella, i.e. all projects in the namespaces listed below.
List of namespaces
Proposal
Long-term solution
The secret detection team is working towards introducing group/namespace-level settings for Secret Push Protection. Once it's implemented and rolled out (post-GA), we should be able to enable and enforce the feature by default for all groups and namespaces.
Short-term solution
- Run a migration in production to enable it for each project: a script that iterates over every project under the GitLab-owned namespaces (including subgroups) and calls the Projects API to enable the feature on each one. The script must be run by the instance owner with an administrator token, so it requires collaboration with the Infra team.
- Enable secret push protection by default for newly created projects: this safeguards against future incidents and adheres to the Secure by Default principle.
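The migration script from the first short-term step, written out as an added example (this is not code from the issue or from the GitLab code base). It assumes the project attribute is exposed on `PUT /projects/:id` as `pre_receive_secret_detection_enabled`, the name used by the application setting in the diff below; check the Projects API documentation for the exact attribute name in your GitLab version. The `GitlabApi` class, the environment variables and the `dry_run` option are illustrative choices of this example.

```ruby
# Added example: bulk-enable secret push protection for every project under
# a set of root groups via the GitLab REST API. Not part of the original issue.
require 'json'
require 'net/http'
require 'uri'

# Minimal REST client. Requires a token with Maintainer rights on every
# project (an administrator token, per the issue), passed via PRIVATE-TOKEN.
class GitlabApi
  def initialize(base_url, token)
    @base = URI(base_url)
    @token = token
  end

  def get_json(path, params = {})
    uri = URI.join(@base, path)
    uri.query = URI.encode_www_form(params) unless params.empty?
    request(Net::HTTP::Get.new(uri))
  end

  def put_json(path, body)
    uri = URI.join(@base, path)
    req = Net::HTTP::Put.new(uri, 'Content-Type' => 'application/json')
    req.body = JSON.generate(body)
    request(req)
  end

  private

  def request(req)
    req['PRIVATE-TOKEN'] = @token
    res = Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: req.uri.scheme == 'https') do |http|
      http.request(req)
    end
    raise "#{req.method} #{req.uri} -> HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)

    JSON.parse(res.body)
  end
end

# Yields every project under a root group, walking subgroups and pages.
# The group projects endpoint is paginated; an empty page ends the walk.
def each_project(api, group_path)
  encoded = URI.encode_www_form_component(group_path)
  page = 1
  loop do
    projects = api.get_json("/api/v4/groups/#{encoded}/projects",
                            include_subgroups: true, per_page: 100, page: page)
    break if projects.empty?

    projects.each { |project| yield project }
    page += 1
  end
end

# Enables the setting on every project that does not already report it as
# enabled. The attribute name is an assumption (see lead-in). Returns the
# full paths of the projects that were (or, with dry_run, would be) updated.
def enable_secret_push_protection(api, root_groups, dry_run: false)
  updated = []
  root_groups.each do |group|
    each_project(api, group) do |project|
      # Skip projects the listing already reports as enabled (idempotent re-runs).
      next if project['pre_receive_secret_detection_enabled'] == true

      unless dry_run
        api.put_json("/api/v4/projects/#{project['id']}",
                     pre_receive_secret_detection_enabled: true)
      end
      updated << project['path_with_namespace']
    end
  end
  updated
end

# Usage: GITLAB_TOKEN=... [GITLAB_URL=https://gitlab.com] [DRY_RUN=1] ruby enable_spp.rb gitlab-org gitlab-com
if $PROGRAM_NAME == __FILE__ && ENV['GITLAB_TOKEN']
  api = GitlabApi.new(ENV.fetch('GITLAB_URL', 'https://gitlab.com'), ENV.fetch('GITLAB_TOKEN'))
  groups = ARGV.empty? ? ['gitlab-org'] : ARGV
  puts enable_secret_push_protection(api, groups, dry_run: ENV['DRY_RUN'] == '1')
end
```

Run it first with `DRY_RUN=1` to get the list of projects that would change; the API client is injected so the walk and the skip logic can be exercised against a fake client without touching production.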
Another solution we explored
- Enforce secret push protection by hard-coding GitLab namespaces: add hard-coded checks for the GitLab-owned namespaces and enforce the secret push protection check for every project under them, regardless of the project-level setting. Pseudo code:
diff --git a/ee/lib/gitlab/checks/secrets_check.rb b/ee/lib/gitlab/checks/secrets_check.rb
index d7c6f4ac8b52..16c433839c5c 100644
--- a/ee/lib/gitlab/checks/secrets_check.rb
+++ b/ee/lib/gitlab/checks/secrets_check.rb
@@ -94,7 +94,13 @@ def validate!
def run_pre_receive_secret_detection?
Gitlab::CurrentSettings.current_application_settings.pre_receive_secret_detection_enabled &&
- (enabled_for_non_dedicated_project? || enabled_for_dedicated_project?)
+ (enabled_for_gitlab_org_project? || enabled_for_non_dedicated_project? || enabled_for_dedicated_project?)
+ end
+
+ def enabled_for_gitlab_org_project?
+ GITLAB_ORG_NAMESPACE = 'gitlab-org'
+ root_namespace_full_path = project.namespace.full_path.split('/').first
+ return ::Gitlab.com? && root_namespace_full_path == GITLAB_ORG_NAMESPACE
end
def enabled_for_non_dedicated_project?
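Review bot: `GITLAB_ORG_NAMESPACE = 'gitlab-org'` inside `enabled_for_gitlab_org_project?` is a dynamic constant assignment, which Ruby rejects with a SyntaxError, so this hunk does not load as written; move it to class level as `GITLAB_ORG_NAMESPACE = 'gitlab-org'.freeze` (or use a plain local). The explicit `return` on the last line of the method is redundant. The check also covers only `gitlab-org`, while the issue's "List of namespaces" section implies more than one GitLab-owned namespace, so a frozen array such as `GITLAB_OWNED_NAMESPACES` with `include?` fits the proposal better than a single string. Because the new predicate is ORed ahead of `enabled_for_non_dedicated_project?` and `enabled_for_dedicated_project?`, the project-level setting can no longer turn the check off for these namespaces; state that in a comment and add a spec covering a `gitlab-org` project with the setting disabled.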
Edited by Dheeraj Joshi