Move ScanSecurityReportSecretsWorker to avoid race-condition
What does this MR do?
This MR is related to this issue. In this MR, we are trying to resolve the race-condition by moving ScanSecurityReportSecretsWorker
just after the creation of vulnerability_findings
of a pipeline. In this solution, the token revocation is triggered based on the presence of secret_detection
vulnerabiity_findings in the default_pipeline. Notice that vulnerabiity_findings are only generated for default_pipeline. In other words, this means that token revocation will only happen if an MR(containing secrets) is merged against default_branch or a new pipeline is manually triggered on the default_branch.
Pros: token revocation is triggered deterministically for each pipeline on default_branch. This will eliminate the race-condition.
Cons: token revocation will not be triggered for the pipelines of non-default pipelines.
For now, this may be a workable solution. In future iterations, we need to trigger token revocation after each build is finished. We tried to implement this at the beginning. But, this introduced race-condition and thereby missed many secret
detections.
Screenshots (strongly suggested)
The following log in GCP(Google Cloud Platform) for srs-dev
proves that these changes are not suffering race-conditions in gdk
. For this testing, gdk
is set according to the settings of srs-dev
environment. For a pipeline run on the default_branch, we are seeing GET and POST requests as expected.
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers -
Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team