Skip to content

Move ScanSecurityReportSecretsWorker to avoid race-condition

Saikat Sarkar requested to merge move_scan_security_report_secrets_worker into master

What does this MR do?

This MR is related to this issue. In this MR, we are trying to resolve the race-condition by moving ScanSecurityReportSecretsWorker just after the creation of vulnerability_findings of a pipeline. In this solution, the token revocation is triggered based on the presence of secret_detection vulnerabiity_findings in the default_pipeline. Notice that vulnerabiity_findings are only generated for default_pipeline. In other words, this means that token revocation will only happen if an MR(containing secrets) is merged against default_branch or a new pipeline is manually triggered on the default_branch.

Pros: token revocation is triggered deterministically for each pipeline on default_branch. This will eliminate the race-condition.

Cons: token revocation will not be triggered for the pipelines of non-default pipelines.

For now, this may be a workable solution. In future iterations, we need to trigger token revocation after each build is finished. We tried to implement this at the beginning. But, this introduced race-condition and thereby missed many secret detections.

Screenshots (strongly suggested)

The following log in GCP(Google Cloud Platform) for srs-dev proves that these changes are not suffering race-conditions in gdk. For this testing, gdk is set according to the settings of srs-dev environment. For a pipeline run on the default_branch, we are seeing GET and POST requests as expected.


Does this MR meet the acceptance criteria?


Availability and Testing


If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Saikat Sarkar

Merge request reports