
Switch secrets detection jobs to blobless clones

What does this MR do and why?

This switches the secret_detection job to doing blobless clones rather than shallow clones. Shallow clones can lead to inaccurate results for Merge Requests. (See #427641.) By doing a blobless clone, the secrets detection job will be able to determine an accurate range of affected commits, even for very large MR branches.

This change should be released in conjunction with a new version of the secrets analyzer (gitlab-org/security-products/analyzers/secrets!252 (merged)). This related MR removes code that attempts to find missing commits. The code doesn't work because a shallow clone does not provide the necessary information to git.

How to set up and validate locally

There are MRs in a GitLab test repository that demonstrate the fix. In an MR without the fix, the secret detection job scans the wrong number of commits and shows a false positive. In an MR with the fix, the scanner job is checking the correct number of commits, and it accurately detects zero leaked secrets.

You can find more details in this GitLab issue: #427641

cc: @rossfuhrman
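As an added example (not code from this MR, from GitLab CI, or from the secrets analyzer), the script below reproduces the failure mode the MR describes on a throwaway repository: it clones the same history once shallow (depth 1, as a job with `GIT_DEPTH: 1` would get) and once blobless (`--filter=blob:none`), then asks each clone how many commits the MR branch adds over `main`. The repository layout, the branch names `main` and `feature`, the `uploadpack.allowFilter` setting on the local `file://` "server", and the commit counts are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from this MR or from the secrets analyzer.
# Builds a constructed repository, clones it twice (shallow vs blobless) over a
# local file:// URL, and counts the "MR commits" (on feature, not on main) that
# each clone can see. Repo layout, branch names and the uploadpack.allowFilter
# setting on the local "server" are assumptions made for the demo.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/src"

# Constructed history: main has 3 commits, feature branches off main and adds 5.
make_repo() {
  rm -rf "$SRC"
  git init -q "$SRC"
  git -C "$SRC" symbolic-ref HEAD refs/heads/main
  git -C "$SRC" config user.email dev@example.com
  git -C "$SRC" config user.name dev
  # Partial-clone filters are only honoured if the serving repository allows them.
  git -C "$SRC" config uploadpack.allowFilter true
  for i in 1 2 3; do
    echo "main $i" > "$SRC/main.txt"
    git -C "$SRC" add main.txt
    git -C "$SRC" commit -qm "main commit $i"
  done
  git -C "$SRC" checkout -q -b feature
  for i in 1 2 3 4 5; do
    echo "feature $i" > "$SRC/feature.txt"
    git -C "$SRC" add feature.txt
    git -C "$SRC" commit -qm "feature commit $i"
  done
}

# Ground truth, computed in the full repository.
true_count() { git -C "$SRC" rev-list --count main..feature; }

# What a scanner computes inside a clone: commits on feature that are not on main.
range_count() { git -C "$1" rev-list --count origin/main..origin/feature; }

# "yes" if the clone can locate the merge base of main and feature, else "no".
has_merge_base() {
  if git -C "$1" merge-base origin/main origin/feature >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Shallow clone of feature at depth 1, plus a depth-1 fetch of main: the
# history is cut at both tips, so the range and the merge base are unknowable.
shallow_clone_count() {
  d="$WORK/shallow"; rm -rf "$d"
  git clone -q --depth 1 --branch feature "file://$SRC" "$d"
  git -C "$d" fetch -q --depth 1 origin main:refs/remotes/origin/main
  range_count "$d"
}
shallow_clone_has_base() { shallow_clone_count >/dev/null; has_merge_base "$WORK/shallow"; }

# Blobless clone: every commit and tree is present, file contents are not
# (--no-checkout also stops the working-tree blobs from being fetched).
blobless_clone_count() {
  d="$WORK/blobless"; rm -rf "$d"
  git clone -q --filter=blob:none --no-checkout "file://$SRC" "$d"
  range_count "$d"
}
blobless_clone_has_base() { blobless_clone_count >/dev/null; has_merge_base "$WORK/blobless"; }

# Blobs the blobless clone knows about (via trees) but has not downloaded.
blobless_missing_blobs() {
  blobless_clone_count >/dev/null
  git -C "$WORK/blobless" rev-list --objects --all --missing=print | grep -c '^?' || true
}

make_repo
echo "commits actually in the MR:    $(true_count)"
echo "shallow clone counts:          $(shallow_clone_count) (merge base found: $(shallow_clone_has_base))"
echo "blobless clone counts:         $(blobless_clone_count) (merge base found: $(blobless_clone_has_base))"
echo "blobs not fetched by blobless: $(blobless_missing_blobs)"
```

The shallow clone reports a single commit and no merge base, which is exactly the situation in which an analyzer that tries to "find missing commits" has nothing to work with; the blobless clone reports the true count while having downloaded none of the file contents, so the secrets scanner still pays only for the blobs it actually inspects.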
