Implement trigger Secret Scanning FP detection workflow

What does this MR do and why?

Implement trigger and data ingestion workflow for Secret Scanning FP detection

  • Hook into after_create_commit on vulnerabilities to trigger secret detection false positive workflows for high/critical severity secret_detection report types

    • Add TriggerSecretDetectionFalsePositiveDetectionWorkflowWorker with no-op implementation
    • Add comprehensive specs to validate trigger conditions and worker invocation
    • Follow existing SAST FP workflow pattern for consistency
    • Add parameterized tests for secret_detection report type with various severity levels
  • Refs: https://gitlab.com/gitlab-org/gitlab/-/issues/577436

*vuln = vulnerability *SDFPD = secret detection false positive detection

References

Screenshots or screen recordings

Before After

How to set up and validate locally

  1. Setup licensed GDK with Linux runner and AI gateway and Secret Scanning pipeline
  2. Enable Secret Scanning FP detection flow for project with GitLab Duo active
  3. Submit code that contains a (fake) secret
  4. Should see the vuln show up eventually in vuln dashboard and then a session for the SDFPD flow running in sessions.
  5. The vuln shall have a badge and details containing the scoring

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by SAM FIGUEROA

Merge request reports

Loading