
Audit event for bypassing secrets check via push option

What does this MR do and why?

Issue: #455438 (closed)

Log audit event with custom message when pre-receive secret detection is skipped via the secret_detection.skip_all push option

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

  1. In the rails console:
     pry(main)> Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: true) # to ensure feature is enabled instance-wide
     pry(main)> project = Project.find(PROJECT_ID)
     pry(main)> Feature.enable(:pre_receive_secret_detection_push_check, project)
  2. Check out this branch. Make a new local branch in the PROJECT_ID project. Create a new file (test.txt) and include a fake secret in it. Some examples: glpat-12312312312312312312, glrt-12312312312312312312, glft-12312312312312312312
  3. git add test.txt, commit it, and attempt to push. The push will be blocked.
  4. Attempt to push again, but include the push option, like this: git push -o secret_detection.skip_all
  5. The push will succeed, meaning that the fake secret will now be in your project PROJECT_ID.
  6. Navigate to your project > Secure > Audit events
  7. You should see the audit event for the skipped secret detection.

Numbered steps to set up and validate the change are strongly suggested.
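To make the behaviour these steps exercise concrete, here is an added Python model of the pre-receive decision (this example's own code, not GitLab's implementation or its ruleset): pushed files are scanned for token-shaped strings and the push is blocked on a finding, unless the `secret_detection.skip_all` push option is present, in which case the push is allowed and an audit event is recorded. The token regex is modelled on the three fake tokens in the steps above, and the audit event name and field names are this example's own assumptions. The `bypass_events` helper shows the defender side: picking the bypass records out of an audit log so they can be alerted on.

```python
import re
from dataclasses import dataclass, field

# Regex modelled on the fake tokens listed in the MR steps (prefix plus 20
# token characters). This is an assumption for the example, not GitLab's ruleset.
TOKEN_RE = re.compile(r"\b(glpat|glrt|glft)-[A-Za-z0-9_-]{20}\b")

SKIP_ALL_OPTION = "secret_detection.skip_all"

# Hypothetical audit event name used by this example only.
BYPASS_EVENT_NAME = "secret_detection_skipped_via_push_option"


@dataclass
class Finding:
    path: str
    line: int
    kind: str  # token prefix that matched, e.g. "glpat"


@dataclass
class PushDecision:
    allowed: bool
    findings: list = field(default_factory=list)
    audit_events: list = field(default_factory=list)


def scan_for_secrets(files: dict) -> list:
    """Return a Finding for every token-shaped string in the pushed files.
    `files` maps path -> file content."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for match in TOKEN_RE.finditer(line):
                findings.append(Finding(path, lineno, match.group(1)))
    return findings


def evaluate_push(files: dict, push_options: list, author: str, project: str) -> PushDecision:
    """Model of the pre-receive check: block on findings, unless the skip_all
    push option is present, in which case allow the push but leave an audit trail."""
    decision = PushDecision(allowed=True)
    if SKIP_ALL_OPTION in push_options:
        # Field names here are this example's assumptions, not GitLab's schema.
        decision.audit_events.append({
            "event_name": BYPASS_EVENT_NAME,
            "author": author,
            "project": project,
            "message": "Secret detection skipped via secret_detection.skip_all push option",
        })
        return decision
    decision.findings = scan_for_secrets(files)
    decision.allowed = not decision.findings
    return decision


def bypass_events(events: list) -> list:
    """Defender-side filter: return only the audit events that record a bypass."""
    return [e for e in events if e.get("event_name") == BYPASS_EVENT_NAME]


# Constructed sample input, using the same fake token as the MR steps.
SAMPLE_FILES = {"test.txt": "token = glpat-12312312312312312312\n"}

if __name__ == "__main__":
    blocked = evaluate_push(SAMPLE_FILES, [], "dev", "PROJECT_ID")
    print("without push option -> allowed:", blocked.allowed,
          "findings:", [(f.path, f.line, f.kind) for f in blocked.findings])
    skipped = evaluate_push(SAMPLE_FILES, [SKIP_ALL_OPTION], "dev", "PROJECT_ID")
    print("with skip_all -> allowed:", skipped.allowed,
          "bypass audit events:", bypass_events(skipped.audit_events))
```

The point the model makes is the one the MR addresses: the bypass is a legitimate, supported action, so it is not blocked, but it must not be silent. Anything that filters the audit log the way `bypass_events` does can feed an alert or a periodic review of who skipped the check and on which project.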

Edited by Serena Fang
