
Add push option to skip pre-receive secret detection scanning

Serena Fang requested to merge secrets_check_bypass_push_option into master

What does this MR do and why?

Issue: #435315 (closed)

In some cases, it may be necessary to skip pre-receive secret detection. For example, a developer may need to commit a placeholder secret for testing, or a user may want to bypass secret detection due to a Git operation timeout. In the experimental MVC phase of the pre-receive secret detection feature, we introduced a special commit flag ([skip secret detection]) to skip scanning for an entire push if the flag is present in the commit message of any of the commits pushed. This design has a few limitations; see the issue discussion for more info.

To resolve these issues, this MR adds a push option (secret_detection.skip_all) to skip pre-receive secret detection for the entire push. This MR uses the work recently introduced by gitaly!6854 (merged), which propagates push options to the pre-receive/allowed check, whereas previously push options were only available in Rails in the post-receive step.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. In the rails console:
     pry(main)> Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: true) # to ensure feature is enabled instance-wide
     pry(main)> project = Project.find(PROJECT_ID)
     pry(main)> Feature.enable(:pre_receive_secret_detection_push_check, project)
  2. Check out gitlab master. Make a new local branch in the PROJECT_ID project. Create a new file (test.txt) and include a fake secret in the file. Some examples: glpat-12312312312312312312, glrt-12312312312312312312, glft-12312312312312312312
  3. git add test.txt, commit it, and attempt to push. The push will be blocked, and you will see a message like this:

     [screenshot: the blocked-push message]

  4. Check out this branch, secrets_check_bypass_push_option. Attempt to push again, but include the push option, like this: git push -o secret_detection.skip_all
  5. The push will be successful, meaning that the fake secret will be in your project PROJECT_ID.
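As an added illustration of the decision logic described in this MR (example code written for this page, not GitLab's own implementation), the Ruby below honours both the new push option and the legacy commit flag, returns the reason a scan was skipped so the bypass can be audited, and otherwise scans pushed blobs. The token pattern is a simplified assumption based only on the sample fake secrets listed in the validation steps; the real detector's rules are not shown here.

```ruby
# Illustrative pre-receive secret-detection decision (not GitLab's code).
# Inputs assumed: the push options Gitaly forwards to the pre-receive check,
# the pushed commits' messages, and the changed blobs as path => content.

SKIP_ALL_PUSH_OPTION = 'secret_detection.skip_all'   # push option added by this MR
LEGACY_SKIP_FLAG     = '[skip secret detection]'     # MVC-era commit-message flag

# Assumption: a known prefix followed by 20 token characters, modelled only on
# the sample fake secrets in the validation steps (glpat-, glrt-, glft-).
FAKE_SECRET_PATTERN = /\b(?:glpat|glrt|glft)-[A-Za-z0-9_-]{20}\b/

# Returns [skip?, reason]; the reason should be written to the audit log so a
# skipped scan is never silent.
def skip_secret_detection?(push_options:, commit_messages:)
  return [true, :push_option] if push_options.include?(SKIP_ALL_PUSH_OPTION)
  return [true, :legacy_commit_flag] if commit_messages.any? { |m| m.include?(LEGACY_SKIP_FLAG) }
  [false, nil]
end

# Scans blobs and returns findings as [path, line_number, redacted_token];
# only the prefix is kept so the finding itself does not leak the secret.
def scan_for_secrets(blobs)
  blobs.flat_map do |path, content|
    content.each_line.with_index(1).flat_map do |line, line_no|
      line.scan(FAKE_SECRET_PATTERN).map do |token|
        [path, line_no, "#{token[0, 6]}#{'*' * (token.size - 6)}"]
      end
    end
  end
end

# Full check: skip (recording why) or block the push when secrets are found.
def pre_receive_check(push_options:, commit_messages:, blobs:)
  skipped, reason = skip_secret_detection?(push_options: push_options,
                                           commit_messages: commit_messages)
  return { allowed: true, skipped: true, reason: reason, findings: [] } if skipped

  findings = scan_for_secrets(blobs)
  { allowed: findings.empty?, skipped: false, reason: nil, findings: findings }
end
```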
