
Update Secret-Detection template to use commits file

Zach Rice requested to merge secret-detection-commits-file into master

What does this MR do?

This MR replaces the SECRET_DETECTION_COMMIT_TO/FROM variables with SECRET_DETECTION_COMMITS_FILE as a way to pass commit information to the secret-detection analyzer. The behavior of SECRET_DETECTION_COMMIT_TO/FROM has the potential to scan extraneous commits, as the way the underlying secret-detection scanner (gitleaks) generates the list of commits to scan using SECRET_DETECTION_COMMIT_TO/FROM does not guarantee scanning only commits in the range of SECRET_DETECTION_COMMIT_TO/FROM. The worst-case scenario is that gitleaks scans the entire history of a project before encountering commit SECRET_DETECTION_COMMIT_TO, which could cause job availability issues. Read more about that in this issue here. Instead we should use SECRET_DETECTION_COMMITS_FILE. This makes it so the scanner is guaranteed to scan only commits from the SECRET_DETECTION_COMMITS_FILE file.

Screenshots

Screen_Shot_2020-09-03_at_10.36.12_AM Screen_Shot_2020-09-03_at_10.35.47_AM

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Zach Rice
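The following is an added example and not code from this MR or from the GitLab secret-detection template. It shows the piece the description relies on: producing a newline-separated commits file that covers exactly the commits of a merge request, so that whatever is handed to the analyzer through SECRET_DETECTION_COMMITS_FILE is bounded by the range rather than by where gitleaks happens to stop walking history. The repository, commits and the `mr-base` tag are constructed inline; in a real pipeline the base and head SHAs would come from CI variables (assumed here: CI_MERGE_REQUEST_DIFF_BASE_SHA and CI_COMMIT_SHA), and how the template itself builds the file is not shown on this page. The example only writes the file; it does not invoke gitleaks.

```shell
#!/bin/sh
# Added example, not the GitLab template's own code.
# Builds the commits file for a merge-request range and checks that it
# contains only the commits reachable from HEAD but not from the base.
# Assumes git is installed. The sample repository below is constructed.

set -eu

# Identity for the constructed commits so git does not prompt.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# commit_file <repo> <name> <content>: add one commit touching one file.
commit_file() {
  printf '%s\n' "$3" > "$1/$2"
  git -C "$1" add "$2"
  git -C "$1" commit -q -m "add $2"
}

# make_sample_repo: constructed history, two commits on the default branch
# (tagged mr-base) and three more on a feature branch. Prints the repo path.
make_sample_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  commit_file "$repo" base1.txt "no secrets here"
  commit_file "$repo" base2.txt "still nothing"
  git -C "$repo" tag mr-base
  git -C "$repo" checkout -q -b feature
  commit_file "$repo" feat1.txt "feature work"
  commit_file "$repo" feat2.txt "more feature work"
  commit_file "$repo" feat3.txt "last feature commit"
  printf '%s\n' "$repo"
}

# write_commits_file <repo> <base_sha> <head_sha> <outfile>:
# one full SHA per line for every commit in base..head, newest first.
# This is the bounded list the description wants the scanner to consume;
# it cannot contain anything reachable from the base.
write_commits_file() {
  git -C "$1" rev-list --no-merges "$2..$3" > "$4"
}

# count_lines <file>: number of commits listed in the file.
count_lines() {
  wc -l < "$1" | tr -d ' '
}

# in_range <repo> <base> <head> <sha>: exit 0 only if sha is reachable from
# head and not from base, i.e. it belongs to the merge request.
in_range() {
  git -C "$1" merge-base --is-ancestor "$4" "$3" || return 1
  if git -C "$1" merge-base --is-ancestor "$4" "$2"; then return 1; fi
  return 0
}

# Stand-alone run: emulate the CI variables and show the file contents.
if [ "${SECRET_DETECTION_EXAMPLE_RUN:-1}" = 1 ]; then
  REPO=$(make_sample_repo)
  CI_MERGE_REQUEST_DIFF_BASE_SHA=$(git -C "$REPO" rev-parse mr-base)
  CI_COMMIT_SHA=$(git -C "$REPO" rev-parse feature)
  SECRET_DETECTION_COMMITS_FILE="$REPO/gl-secret-detection-commits.txt"
  write_commits_file "$REPO" "$CI_MERGE_REQUEST_DIFF_BASE_SHA" \
    "$CI_COMMIT_SHA" "$SECRET_DETECTION_COMMITS_FILE"
  echo "history has $(git -C "$REPO" rev-list --count feature) commits"
  echo "commits file lists $(count_lines "$SECRET_DETECTION_COMMITS_FILE")"
  cat "$SECRET_DETECTION_COMMITS_FILE"
fi
```

Run it directly to see five commits of history against a three-line commits file. The scanner given that file has no opportunity to walk past the base, which is the property SECRET_DETECTION_COMMIT_TO/FROM could not guarantee.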
