
Show secret detected warning for Explain Vulnerability

Daniel Tian requested to merge 417079-show-secret-detected-warning into master

What does this MR do and why?

This MR adds a warning to the Explain Vulnerability panel if a potential secret was detected in the vulnerable source code.


If no secret is detected, the warning is not shown. If a secret is detected, the "Send code with prompt" checkbox is unchecked by default. The code link jumps up to the location header, which shows the file and the vulnerable source code.
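The behaviour described above, as an added illustration rather than code from this MR or from GitLab: a hypothetical keyword-based check that flags source lines containing sensitive words such as "password" and derives the default state of the checkbox from the result. The word list, function names and sample snippets are assumptions.

```javascript
// Hypothetical sensitive-word list; the list GitLab actually uses is not shown on this page.
const SENSITIVE_WORDS = ['password', 'passwd', 'secret', 'api_key', 'token'];

// Scan source code line by line and return each line that mentions a sensitive
// word (case-insensitive substring match), with its 1-based line number.
function detectPotentialSecrets(source, words = SENSITIVE_WORDS) {
  const matches = [];
  source.split('\n').forEach((line, index) => {
    const lower = line.toLowerCase();
    const word = words.find((w) => lower.includes(w));
    if (word) matches.push({ line: index + 1, word });
  });
  return matches;
}

// Derive the panel state described in the MR: the warning is shown only when a
// potential secret was found, and "Send code with prompt" is unchecked by default
// in that case so the snippet is not sent with the prompt unless the user opts in.
function explainVulnerabilityPanelState(source) {
  const secrets = detectPotentialSecrets(source);
  return {
    showSecretWarning: secrets.length > 0,
    sendCodeChecked: secrets.length === 0,
    secrets,
  };
}

// Constructed sample snippets (not taken from the webgoat.net project).
const WITH_SECRET = [
  'string connStr = "Server=db;Database=app;User Id=sa;Password=hunter2";',
  'var conn = new SqlConnection(connStr);',
].join('\n');
const WITHOUT_SECRET =
  'var cmd = new SqlCommand("SELECT * FROM users WHERE id = " + id, conn);';

console.log(explainVulnerabilityPanelState(WITH_SECRET));
console.log(explainVulnerabilityPanelState(WITHOUT_SECRET));
```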


How to set up and validate locally

  1. Clone this project: https://gitlab.com/gitlab-org/security-products/tests/webgoat.net
  2. Run a pipeline against the default branch.
  3. Go to the vulnerability report. The first few results should all be SCS0002 vulnerabilities. Open up the first 5 or so in new tabs. At least some of them will trigger the secrets check.
  4. Verify that if the source code has the word "password" in it, the warning is shown, and that if the source code doesn't have any sensitive words, the warning is not shown.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #417079 (closed)

Edited by Daniel Tian
