
Draft: Allow public projects to disable SPP

What does this MR do and why?

Issue: #567659

This is part of the plan to make SPP available to Free and Premium users for public projects on GitLab.com. Issue: #551949

In !207017 (merged), we enable Secret Push Protection (SPP) automatically for public projects on GitLab.com. In !208036, we update the license checks to run SPP scans for public .com projects. In this MR, we let admins of public .com projects toggle SPP enabled/disabled in Project > Secure > Security configuration.

The SPP feature card now appears for all projects regardless of tier or project visibility (previously it was shown only for Ultimate projects).

Toggle is enabled for:

  • Ultimate licensed projects (any visibility, .com and SM/Dedicated)
  • Public projects on GitLab.com (including Free/Premium tiers, .com only)
    • Secret detection configuration (SD exclusions) gear icon only appears for Ultimate projects, hidden for Free/Premium projects

Toggle is disabled for:

  • Private/internal projects on Free/Premium tiers (.com, SM, Dedicated)
    • .com copy updated to: "Available with Ultimate. Enabled by default for all public projects."
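The eligibility rules above (and the scenarios walked through in the validation steps) as a stand-alone model, added here as an example; this is not GitLab's code. The `ProjectContext` struct, the `SppCardPolicy` module, the maintainer-or-above rule for who may flip the toggle, and gating the public .com case on the `auto_spp_public_com_projects` flag are assumptions for illustration.

```ruby
# Added example, not GitLab's implementation: encodes the SPP feature-card
# rules from this MR so each tier/visibility case can be checked explicitly.
ProjectContext = Struct.new(:visibility, :saas, :ultimate, :flag_enabled,
                            keyword_init: true)

module SppCardPolicy
  SM_COPY  = 'Available with Ultimate.'
  COM_COPY = 'Available with Ultimate. Enabled by default for all public projects.'

  # The card itself is now shown for every project, regardless of tier or visibility.
  def self.card_visible?(_project)
    true
  end

  # Toggle is enabled for Ultimate (any visibility, .com and SM/Dedicated) and for
  # public projects on GitLab.com (assumed to be gated by the feature flag).
  def self.toggle_enabled?(project)
    return true if project.ultimate

    project.saas && project.visibility == :public && project.flag_enabled
  end

  # Secret detection configuration (SD exclusions) gear stays Ultimate-only.
  def self.exclusions_gear?(project)
    project.ultimate
  end

  # Toggle is shown but not interactive for non-maintainers (assumption: maintainer+).
  def self.toggleable?(project, role)
    toggle_enabled?(project) && %i[maintainer owner].include?(role)
  end

  # Copy shown on a disabled card: .com wording mentions the public-project default.
  def self.disabled_copy(project)
    return nil if toggle_enabled?(project)

    project.saas ? COM_COPY : SM_COPY
  end

  # Summarise what a viewer with the given role sees for this project.
  def self.describe(project, role = :maintainer)
    {
      card: card_visible?(project),
      toggle: toggle_enabled?(project),
      toggleable: toggleable?(project, role),
      gear: exclusions_gear?(project),
      copy: disabled_copy(project)
    }
  end
end
```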

References

Screenshots or screen recordings

| Tier | Display behavior | Screenshot |
|---|---|---|
| SM, Ultimate, both public and private | No change in behavior, just for reference | Screenshot_2025-10-07_at_6.00.56_PM |
| SM, Free/Premium, both public and private | New: previously did not display the feature card | Screenshot_2025-10-07_at_5.41.45_PM |
| .com, Ultimate, both public and private | No change in behavior, just for reference | Screenshot_2025-10-07_at_6.00.56_PM |
| .com, Free/Premium, public project | New: previously did not display the feature card; SPP is now available for Free .com public projects; does not allow Secret detection configuration (SD exclusions is still an Ultimate feature) | Screenshot_2025-10-07_at_5.39.24_PM |
| .com, Free/Premium, private project | New: previously did not display the feature card; now shows the feature card with the copy "Available with Ultimate. Enabled by default for all public projects." | Screenshot_2025-10-07_at_5.38.39_PM |
| Non-admin member (developer) | No change in behavior, just for reference | Screenshot_2025-10-07_at_6.08.00_PM |

How to set up and validate locally

Test on self-managed (SPP not available for Free/Premium)

  1. In gdk with an Ultimate license, create a project and navigate to Project > Secure > Security configuration > Secret push protection feature card.
  2. Ensure that the feature card is not greyed out, the toggle appears and is toggleable, and the gear icon button does appear in the lower right of the feature card:
     • Screenshot_2025-10-07_at_6.00.56_PM
  3. Remove your Ultimate license.
  4. Create a public project.
  5. In rails c: p = Project.last; p.security_setting.secret_push_protection_enabled
  6. This should return false.
  7. Go to Project > Secure > Security configuration > Secret push protection feature card.
  8. Ensure that the feature card is disabled, the toggle doesn't appear, and the copy text says "Available with Ultimate":
     • Screenshot_2025-10-07_at_5.41.45_PM

Test on .com (SPP available for public projects)

  1. gdk stop
  2. Restart gdk with GITLAB_SIMULATE_SAAS=1 gdk start, which runs gdk in .com/SaaS mode.
  3. In rails c, enable the feature flag: Feature.enable(:auto_spp_public_com_projects)
  4. Remove your Ultimate license if applicable.
  5. First, create a Private project.
  6. Go to Project > Secure > Security configuration > Secret push protection feature card.
  7. Ensure that the feature card is disabled, the toggle doesn't appear, and the copy text says "Available with Ultimate. Enabled by default for all public projects.":
     • Screenshot_2025-10-07_at_5.04.09_PM
  8. Change the project visibility to Public via the UI (Settings > General > Visibility dropdown).
  9. Go to Project > Secure > Security configuration > Secret push protection feature card.
  10. Ensure that the feature card is not greyed out, the SPP feature is enabled, the toggle appears and is toggleable, and the gear icon button does not appear in the lower right of the feature card:
     • Screenshot_2025-10-07_at_5.39.24_PM
  11. Add an Ultimate license to gdk.
  12. Change the project visibility back to Private.
  13. Go to Project > Secure > Security configuration > Secret push protection feature card.
  14. Ensure that the feature card is not greyed out, the SPP feature is enabled, the toggle appears and is toggleable, and the gear icon button does appear in the lower right of the feature card:
     • Screenshot_2025-10-07_at_6.02.34_PM
  • Bonus: impersonate a non-maintainer project member (Developer). In Project > Secure > Security configuration > Secret push protection feature card, ensure that the feature card is not greyed out, the SPP feature is enabled, and the toggle appears but is not toggleable:
     • Screenshot_2025-10-07_at_6.08.00_PM

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Serena Fang
