Secret Detection Configuration Profile
Problem
Today, secret detection (SD) configuration is more complex than it needs to be and less flexible than it should be. Some things that could be improved:
- Pipeline-based SD requires editing a YAML file
- Push protection does not allow for custom rules
- Pipeline-based custom rules require editing a TOML file
- Handling custom rules at scale can feel complex for some teams
Proposal
Create a secret detection specific configuration profile. Eventually, a single profile will contain all configuration options needed for both pipeline-based secret detection and secret push protection. Two separate phases are outlined below because we would like to start with push protection, but there are a few feature availability differences today:
- Exclusions only available for push protection
- Custom rules only available for pipeline-based SD
Once these two options are available for both SD scan methods, the profile will be identical.
Scope
MVC
MVC will focus on push protection settings.
- CRUD operations can be performed via the UI or API.
- CRUD operations are limited to Owner, Maintainer, and the custom role proposed in Add "Manage Security Testing" as a customizable... (#508649 - closed)
- Configurable settings include:
  - Default rules/detections
    - Disable
  - Pre-scan exclusions (directories/paths, values) -- patterns should likely no longer be included in exclusions, since these are rules/default detections that could be disabled/enabled instead
Phase II
Extend profile to cover pipeline-based SD.
- Configuration profile is limited to secret detection settings, but can be applied to pipeline-based SD, secret push protection, or both
- New configurable settings to add:
  - Scanner version
  - Max depth
  - Custom rules
    - Create/add
    - Disable
    - Delete
Edited by Sara Meadzinger