Secret Detection on an open merge request ignores SECRET_DETECTION_HISTORIC_SCAN=false


Summary

Including the secret_detection CI job from the Jobs/Secret-Detection.gitlab-ci.yml template with the variable SECRET_DETECTION_HISTORIC_SCAN set to false in a Merge Request pipeline ignores the setting: the whole git history is scanned for leaked secrets instead of only the most recent commit, as indicated in the doc at https://docs.gitlab.com/user/application_security/secret_detection/pipeline/configure/.
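The configuration the summary describes, as an added example rather than the reporter's own .gitlab-ci.yml (the issue does not show it): the template is included and the variable is set on the secret_detection job. The issue does not say whether the reporter set the variable at job or pipeline level; the job level is assumed here.

```yaml
# Added example: a minimal .gitlab-ci.yml matching the setup described in this issue.
# It is not the reporter's file; the issue only names the template and the variable.
include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

secret_detection:
  variables:
    # Documented as "scan only the most recent commit" when false; the job log in
    # this issue shows the analyzer still handing gitleaks a commit range.
    SECRET_DETECTION_HISTORIC_SCAN: "false"
```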

Steps to reproduce

  1. Create a git project with a CI configuration that includes the secret_detection CI job from the Jobs/Secret-Detection.gitlab-ci.yml template.
  2. Create a history of commits in which the first (oldest) commit contains a leaked password.
  3. Open a Merge Request for that branch.
  4. Run an MR pipeline on that branch and observe that the secret_detection job reports a leak in the first (oldest) commit.

What is the current bug behavior?

The command sent to the Gitleaks analyzer includes the whole Git history.

What is the expected correct behavior?

Only the most recent commit is passed to Gitleaks for analysis.

Relevant logs and/or screenshots

Here is the log of the secret_detection CI job on my project. In this example, the --log-opts option of the GitLeaks command is given a range of commits instead of a single commit.

Running with gitlab-runner 17.11.3 (3995fbff)
  on gitlab-runner-5ff478b496-svztn F9zt1Cssb, system ID: r_NuZ6fNdBqduc
Resolving secrets
Preparing the "kubernetes" executor
Using Kubernetes namespace: cijobs
Using Kubernetes executor with image registry.gitlab.com/security-products/secrets:7 ...
Using attach strategy to execute scripts...
Preparing environment
Using FF_USE_POD_ACTIVE_DEADLINE_SECONDS, the Pod activeDeadlineSeconds will be set to the job timeout: 1h0m0s...
Waiting for pod cijobs/runner-f9zt1cssb-project-83187-concurrent-0-c09050ws to be running, status is Pending
Running on runner-f9zt1cssb-project-83187-concurrent-0-c09050ws via gitlab-runner-5ff478b496-svztn...
Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/cortaix-factory/use-cases/naval-autonomy/usv-agent/.git/
Created fresh repository.
Checking out a42dc00e as detached HEAD (ref is refs/merge-requests/1/head)...
Skipping Git submodules setup
Executing "step_script" stage of the job script
$ /analyzer run
[DEBUG] ▶ Choosing the input analyzer report: '/builds/cortaix-factory/use-cases/naval-autonomy/usv-agent/gl-secret-detection-report.json'
[INFO] [secrets] [2025-08-06T17:45:15Z] [/go/src/app/main.go:25] ▶ GitLab secrets analyzer v7.10.1
[INFO] [secrets] [2025-08-06T17:45:15Z] [/go/src/app/main.go:53] ▶ Using secret detection rules version "0.12.0" from "https://gitlab.com/gitlab-org/security-products/secret-detection/secret-detection-rules/-/releases/v0.12.0"
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ ANALYZER_TARGET_DIR,CI_PROJECT_DIR=/builds/cortaix-factory/use-cases/naval-autonomy/usv-agent
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ ANALYZER_ARTIFACT_DIR,CI_PROJECT_DIR=/builds/cortaix-factory/use-cases/naval-autonomy/usv-agent
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ ANALYZER_INDENT_REPORT=false
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ ANALYZER_OPTIMIZE_REPORT=true
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ ADDITIONAL_CA_CERT_BUNDLE=
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ SEARCH_IGNORED_DIRS=bundle,node_modules,vendor,tmp,test,tests
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ SEARCH_IGNORE_HIDDEN_DIRS=true
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ SEARCH_MAX_DEPTH=15
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ SECRET_DETECTION_LOG_OPTIONS=
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ SECRET_DETECTION_HISTORIC_SCAN=false
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:262] ▶ SECRET_DETECTION_EXCLUDED_PATHS=
[DEBU] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/common/v3@v3.4.0/cacert/cacert.go:65] ▶ CA cert bundle not imported: empty bundle or empty target path
[INFO] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:129] ▶ Detecting project
[INFO] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:153] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/command.go:126] ▶ Loading ruleset for /builds/cortaix-factory/use-cases/naval-autonomy/usv-agent
[WARN] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/ruleset/v3@v3.3.2/ruleset.go:263] ▶ /builds/cortaix-factory/use-cases/naval-autonomy/usv-agent/.gitlab/secret-detection-ruleset.toml not found, ruleset customization will be disabled.
[INFO] [secrets] [2025-08-06T17:45:15Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:170] ▶ Running analyzer
[DEBU] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:106] ▶ Running gitleaks command: /usr/local/bin/gitleaks git --report-path /tmp/gitleaks-1679452163.json --report-format json --config /gitleaks.toml --exit-code 0 --log-level debug --log-opts 5c8e6ef396f96c8cf9f34e0d688273b208a6ee6a..a42dc00ec99b88cf5fc504136780c67ddd71190a /builds/cortaix-factory/use-cases/naval-autonomy/usv-agent
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶     ○
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶     │╲
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶     │ ○
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶     ○ ░
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶     ░    gitleaks
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM DBG using github.com/wasilibs/go-re2 regex engine
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM DBG using gitleaks config /gitleaks.toml from `--config`
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM DBG executing: /usr/bin/git -C /builds/cortaix-factory/use-cases/naval-autonomy/usv-agent log -p -U0 5c8e6ef396f96c8cf9f34e0d688273b208a6ee6a..a42dc00ec99b88cf5fc504136780c67ddd71190a
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM INF Unknown SCM platform. Use --platform to include links in findings. host=gitlab.thalesdigital.io
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM INF 14 commits scanned.
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM DBG Note: this number might be smaller than expected due to commits with no additions
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM INF scanned ~52933 bytes (52.93 KB) in 66.6ms
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/analyze.go:143] ▶ 5:45PM WRN leaks found: 4
[INFO] [secrets] [2025-08-06T17:45:16Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/run.go:184] ▶ Creating report
[DEBU] [secrets] [2025-08-06T17:45:16Z] [/go/src/app/rules/parser.go:32] ▶ Parsing rule file /gitleaks.toml
[DEBU] [secrets] [2025-08-06T17:45:16Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v5@v5.10.0/report.go:204] ▶ No Ids found to disable
[DEBU] [secrets] [2025-08-06T17:45:16Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v5@v5.10.0/report.go:246] ▶ Applying report overrides
[DEBU] [secrets] [2025-08-06T17:45:16Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v5@v5.10.0/report.go:254] ▶ No Ids found to override
[DEBU] [secrets] [2025-08-06T17:45:16Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v3@v3.2.0/jsonout.go:54] ▶ Optimizing JSON Output
[INFO] [2025-08-06T17:45:16Z] [/build/clicmds/query.go:89] ▶ /builds/cortaix-factory/use-cases/naval-autonomy/usv-agent/gl-report-post.json written
Uploading artifacts for successful job
Uploading artifacts...
gl-secret-detection-report.json: found 1 matching artifact files and directories
Uploading artifacts as "archive" to coordinator... 201 Created  id=53566385 responseStatus=201 Created token=64_qGVPN3
Uploading artifacts...
gl-secret-detection-report.json: found 1 matching artifact files and directories
Uploading artifacts as "secret_detection" to coordinator... 201 Created  id=53566385 responseStatus=201 Created token=64_qGVPN3
Cleaning up project directory and file based variables
Job succeeded

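One way to check a job log for this behaviour, as an added example (not code from GitLab or the secrets analyzer): it strips the runner's colour codes, reads the SECRET_DETECTION_HISTORIC_SCAN value the analyzer echoes at debug level, pulls the --log-opts argument out of the "Running gitleaks command" line, and reports whether a single commit or a commit range was handed to Gitleaks. The sample log lines are constructed from the log above (the two commit SHAs are the ones in that log; the project path is a placeholder); the function and class names are my own.

```python
"""Check whether a secret_detection job log honoured SECRET_DETECTION_HISTORIC_SCAN=false.

Added example for this issue; not code from the GitLab secrets analyzer.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, Optional

# Terminal colour codes the runner emits (pasted into the issue as "[0;m", "[0;35m", ...).
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
SETTING_RE = re.compile(r"SECRET_DETECTION_HISTORIC_SCAN=(\S*)")
CMD_RE = re.compile(r"Running gitleaks command: (.*)$")
COMMITS_RE = re.compile(r"(\d+) commits scanned")
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")


def strip_ansi(line: str) -> str:
    """Remove ANSI escape sequences so the regexes see plain text."""
    return ANSI_RE.sub("", line)


def extract_log_opts(command: str) -> Optional[str]:
    """Return the value handed to gitleaks' --log-opts, or None if the flag is absent."""
    tokens = shlex.split(command)
    for i, tok in enumerate(tokens):
        if tok == "--log-opts" and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith("--log-opts="):
            return tok.split("=", 1)[1]
    return None


def classify_log_opts(log_opts: Optional[str]) -> str:
    """"single": one commit; "range": A..B or A...B; "default": no --log-opts at all
    (git log then walks every reachable commit); "unknown": anything else."""
    if log_opts is None:
        return "default"
    if ".." in log_opts:
        left, _, right = log_opts.partition("..")
        right = right.lstrip(".")  # tolerate the three-dot form
        return "range" if SHA_RE.match(left) and SHA_RE.match(right) else "unknown"
    return "single" if SHA_RE.match(log_opts) else "unknown"


@dataclass
class ScanScope:
    historic_scan: Optional[str]    # value echoed by the analyzer, e.g. "false"
    log_opts: Optional[str]         # value passed to gitleaks --log-opts
    kind: str                       # see classify_log_opts
    commits_scanned: Optional[int]  # from gitleaks' "N commits scanned." line
    consistent: bool                # HISTORIC_SCAN=false should mean a single commit


def analyze(lines: Iterable[str]) -> ScanScope:
    """Scan job log lines and compare the configured setting with what gitleaks was given."""
    historic = log_opts = None
    commits = None
    for raw in lines:
        line = strip_ansi(raw)
        if (m := SETTING_RE.search(line)):
            historic = m.group(1)
        elif (m := CMD_RE.search(line)):
            log_opts = extract_log_opts(m.group(1))
        elif (m := COMMITS_RE.search(line)):
            commits = int(m.group(1))
    kind = classify_log_opts(log_opts)
    # Only the documented "false => latest commit only" case is checked here.
    consistent = historic != "false" or kind == "single"
    return ScanScope(historic, log_opts, kind, commits, consistent)


# Constructed sample: three lines modelled on the job log in this issue, with the ESC
# character restored so the ANSI stripping is exercised. Project path is a placeholder.
SAMPLE_LOG = [
    "\x1b[0;35m[DEBU] [secrets] [run.go:262] \u25b6 SECRET_DETECTION_HISTORIC_SCAN=false\x1b[0m",
    "\x1b[0;35m[DEBU] [secrets] [analyze.go:106] \u25b6 Running gitleaks command: "
    "/usr/local/bin/gitleaks git --report-path /tmp/gitleaks.json --report-format json "
    "--config /gitleaks.toml --exit-code 0 --log-level debug "
    "--log-opts 5c8e6ef396f96c8cf9f34e0d688273b208a6ee6a..a42dc00ec99b88cf5fc504136780c67ddd71190a "
    "/builds/example/project",
    "\x1b[0;32m[INFO] [secrets] [analyze.go:143] \u25b6 \x1b[90m5:45PM\x1b[0m "
    "\x1b[32mINF\x1b[0m \x1b[1m14 commits scanned.\x1b[0m\x1b[0m",
]

if __name__ == "__main__":
    scope = analyze(SAMPLE_LOG)
    print(f"SECRET_DETECTION_HISTORIC_SCAN={scope.historic_scan}  --log-opts={scope.log_opts}")
    print(f"scope={scope.kind}  commits scanned={scope.commits_scanned}")
    print("OK" if scope.consistent
          else "MISMATCH: setting asks for the latest commit only, gitleaks received a range")
```

To run it against a real job, paste the raw job log (the "Show complete raw" view keeps the escape codes, which is why they are stripped first) into a file and feed its lines to analyze(). A "range" or "default" result next to historic_scan == "false" is the symptom this issue reports.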
Possible fixes

The source code of the GitLab analyzer wrapper around Gitleaks is located here: https://gitlab.com/gitlab-org/security-products/analyzers/secrets
