Update Secret-Detection template to use commits file
What does this MR do?
This MR replaces the SECRET_DETECTION_COMMIT_TO/FROM variables with SECRET_DETECTION_COMMITS_FILE as a way to pass commit information to the secret-detection analyzer. SECRET_DETECTION_COMMIT_TO/FROM has the potential to scan extraneous commits, because the way the underlying secret-detection scanner (gitleaks) generates the list of commits to scan from SECRET_DETECTION_COMMIT_TO/FROM does not guarantee scanning only commits in that range. The worst-case scenario is that gitleaks scans the entire history of a project before encountering commit SECRET_DETECTION_COMMIT_TO, which could cause job availability issues. Read more about that in this issue. Instead we should use SECRET_DETECTION_COMMITS_FILE, which guarantees that the scanner scans only the commits listed in the SECRET_DETECTION_COMMITS_FILE file.
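As an added example (not the template change in this MR and not GitLab's own script), the POSIX shell below shows how a job can produce the file that SECRET_DETECTION_COMMITS_FILE points at: enumerate exactly the commits in a range and write them out, so the analyzer is handed an explicit list instead of a TO/FROM pair it has to walk to. The function names (write_commits_file, make_demo_repo, demo_commits_file), the main/feature branch names, the temp path and the one-SHA-per-line file format are assumptions; the sample history is constructed inline so the script runs offline with only git on PATH.

```shell
#!/bin/sh
# Added example, not the MR's template code. Assumptions: the analyzer reads
# SECRET_DETECTION_COMMITS_FILE as one full commit SHA per line, and git is
# on PATH. All function, branch and path names here are hypothetical.

# git_c DIR ARGS...: run git in DIR with a throwaway identity so the demo
# commits work on any machine without touching the user's git config.
git_c() {
  dir="$1"; shift
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
      -c commit.gpgsign=false "$@"
}

# write_commits_file FROM TO OUTFILE: write every commit reachable from TO
# but not from FROM (the range FROM..TO) to OUTFILE, one SHA per line, and
# print how many were written. Because the list is explicit, the scanner
# cannot wander past FROM into older history the way a TO/FROM pair can.
write_commits_file() {
  from="$1"; to="$2"; out="$3"
  git rev-list "$from..$to" > "$out"
  wc -l < "$out" | tr -d ' '
}

# make_demo_repo DIR: constructed sample history (not real project data):
# three commits on main, then a feature branch with two more on top.
make_demo_repo() {
  dir="$1"
  rm -rf "$dir" && mkdir -p "$dir"
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  for n in 1 2 3; do git_c "$dir" commit -q --allow-empty -m "main $n"; done
  git_c "$dir" checkout -q -b feature
  for n in 1 2; do git_c "$dir" commit -q --allow-empty -m "feature $n"; done
}

# demo_commits_file: build the sample repo in a temp dir, produce the commits
# file for main..feature and print "<count> <main-tip-listed?>". The two
# feature commits are listed and the tip of main is not.
demo_commits_file() {
  tmp="${TMPDIR:-/tmp}/sd-commits-demo.$$"
  make_demo_repo "$tmp"
  count=$(cd "$tmp" && write_commits_file main feature commit_list.txt)
  main_tip=$(git -C "$tmp" rev-parse main)
  if grep -q "$main_tip" "$tmp/commit_list.txt"; then listed=yes; else listed=no; fi
  rm -rf "$tmp"
  echo "$count $listed"
}

# In a CI job the equivalent would be, after fetching both refs:
#   write_commits_file "origin/$CI_DEFAULT_BRANCH" "origin/$CI_COMMIT_REF_NAME" commit_list.txt
#   export SECRET_DETECTION_COMMITS_FILE="$PWD/commit_list.txt"
# and then run the analyzer.
demo_commits_file
```

The check in demo_commits_file is the property the MR is after: the tip of the default branch, and everything behind it, never appears in the file, so a scan driven by the file cannot fall back to walking the whole project history.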
- Demo Project/branch
- Demo MR
- Demo pipeline

See screenshots below for confirmation of this working.
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team