Run Pre-receive SD only on keyword matched blobs

Vishwa Bhat requested to merge vbhat/scan-only-filtered-blobs into master

What does this MR do and why?

In the current implementation of the Pre-receive Secret Detection Push check, the scan performs a regex match on all the blobs in the commit even if only some of them have matched positive for the keyword check. This results in unnecessary regex operations performed on those blobs that we already know have no secrets present in them, leading to a significant latency overhead (~2-3x; check the 2nd and 3rd TTFB AVG columns for reference).

This MR passes only those blobs further to the regex match step that are matched positive for the keyword check.

Relevant Issue Numbers

#437605 (comment 1731047208)

Edited by Vishwa Bhat
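
The change described above, sketched as an added example that is not code from this MR or from GitLab: a keyword check followed by a regex step, run once over every blob and once over only the keyword-matched blobs. The rule ids, keywords, patterns, blob contents and method names are all assumptions made for the illustration.

```ruby
# Added illustration, not GitLab's code. Rule ids, keywords and patterns are
# simplified assumptions; blob contents are constructed and the token is fake.
Rule = Struct.new(:id, :keywords, :pattern)
Blob = Struct.new(:id, :data)

RULES = [
  Rule.new("gitlab_pat", ["glpat-"], /glpat-[0-9A-Za-z_-]{20}/),
  Rule.new("aws_access_key_id", ["AKIA"], /\bAKIA[0-9A-Z]{16}\b/)
].freeze

BLOBS = [
  Blob.new("b1", "README: build instructions only\n"),
  Blob.new("b2", "token = glpat-#{'x' * 20}\n"),
  Blob.new("b3", "docs mention the glpat- prefix\n"), # keyword hit, no secret
  Blob.new("b4", "puts 1 + 1\n")
].freeze

# Keyword check: cheap substring test, returns the blobs with at least one hit.
def keyword_matched_blobs(blobs, rules)
  keywords = rules.flat_map(&:keywords)
  blobs.select { |blob| keywords.any? { |k| blob.data.include?(k) } }
end

# Regex step: returns [findings, regex_evaluations] for the blobs it is given.
def regex_scan(blobs, rules)
  evaluations = 0
  findings = []
  blobs.each do |blob|
    rules.each do |rule|
      evaluations += 1
      findings << [blob.id, rule.id] if rule.pattern.match?(blob.data)
    end
  end
  [findings, evaluations]
end

# Behaviour described as current: any keyword hit sends every blob to regex.
def scan_all_blobs(blobs, rules)
  keyword_matched_blobs(blobs, rules).empty? ? [[], 0] : regex_scan(blobs, rules)
end

# Behaviour described for this MR: only keyword-matched blobs reach regex.
def scan_filtered_blobs(blobs, rules)
  regex_scan(keyword_matched_blobs(blobs, rules), rules)
end
```

Both paths report the same findings only when each rule's keyword is a literal that every match of its pattern must contain; a rule whose pattern can match without its keyword would be skipped by the filter.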