Skip to content

GitLab Next

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

Move ScanSecurityReportSecretsWorker to avoid race-condition

Review changes
Download
Patches
Plain diff

Saikat Sarkar requested to merge move_scan_security_report_secrets_worker into master Jan 05, 2021

Overview 12
Commits 1
Pipelines 6
Changes 7

What does this MR do?

This MR is related to this issue. In this MR, we are trying to resolve the race-condition by moving ScanSecurityReportSecretsWorker just after the creation of vulnerability_findings of a pipeline. In this solution, the token revocation is triggered based on the presence of secret_detection vulnerabiity_findings in the default_pipeline. Notice that vulnerabiity_findings are only generated for default_pipeline. In other words, this means that token revocation will only happen if an MR(containing secrets) is merged against default_branch or a new pipeline is manually triggered on the default_branch.

Pros: token revocation is triggered deterministically for each pipeline on default_branch. This will eliminate the race-condition.

Cons: token revocation will not be triggered for the pipelines of non-default pipelines.

For now, this may be a workable solution. In future iterations, we need to trigger token revocation after each build is finished. We tried to implement this at the beginning. But, this introduced race-condition and thereby missed many secret detections.

Screenshots (strongly suggested)

The following log in GCP(Google Cloud Platform) for srs-dev proves that these changes are not suffering race-conditions in gdk. For this testing, gdk is set according to the settings of srs-dev environment. For a pipeline run on the default_branch, we are seeing GET and POST requests as expected.

Does this MR meet the acceptance criteria?

Conformity

Changelog entry
Documentation (if required)
Code review guidelines
Merge request performance guidelines
Style guides
Database guides
Separation of EE specific content

Availability and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers
Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

Edited Jan 05, 2021 by Saikat Sarkar

Merge request reports

Assignee

Reviewers

Request review from

Time tracking