
Draft: Remove the (default) base secret-analyzer behaviour where jobs succeed when secrets are discovered

What does this MR do and why?

This change removes the allow_failure: true configuration on the base .secret-analyzer definition.

That job definition is extended by the secret_detection job, which is the default job that is run when the Secret Detection feature (free tier) is enabled.

Relates to #354151.

(NB: I now do not think that this completely fixes the related issue. The continuous integration jobs here passed (green), so even the removal of allow_failure: true may not resolve the entire problem.)

Screenshots

Here is some example output from a secret detection job that ran against a codebase -- a secret was discovered, but the job displayed a success status as output:

(three screenshots of the secret detection job output; images not reproduced here)

How to set up and validate locally

TODO: Could the changes here be validated using gitlab-runner?

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • I have evaluated the MR acceptance checklist for this MR.
    • I'm unable to assign labels, but this change affects the backend of GitLab
    • One area that I'd require help on is the false positive rate for secret detection; that could affect whether (and/or when) this change makes sense to merge
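The description above notes that the job stayed green even after allow_failure: true was removed. One way to make the job's status reflect findings, given here as an added example that is not part of this MR or of GitLab's own templates, is to add a trailing step to the job's script that reads the report the analyzer writes and exits non-zero when it contains findings. The script assumes the report is a JSON file named gl-secret-detection-report.json with a top-level "vulnerabilities" list whose entries carry "name", "severity" and "location" keys (assumed layout, not confirmed by this page), fails closed when the report is missing, and takes a severity threshold and an allowlist of (file, rule name) pairs so that known false positives, the concern raised in the checklist, can be excluded without silencing the job.

```python
"""Gate a CI job on the secret-detection report.

Added example, not part of the MR or of GitLab's templates. It assumes the
analyzer writes a JSON report with a top-level "vulnerabilities" list whose
entries carry "name", "severity" and "location" (assumed layout). Run it as
the last line of the job's `script:` so the job exits non-zero on findings.
"""
import json
import sys
from pathlib import Path

# Severity order used for the threshold; names are assumed, not taken from the page.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def findings_at_or_above(report: dict, threshold: str = "Low") -> list:
    """Return the findings whose severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    return [
        v for v in report.get("vulnerabilities", [])
        if SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) >= floor
    ]


def describe(finding: dict) -> str:
    """One human-readable line per finding for the job log."""
    loc = finding.get("location", {})
    return (f"{finding.get('severity', 'Unknown')}: {finding.get('name', '?')} "
            f"at {loc.get('file', '?')}:{loc.get('start_line', '?')}")


def gate(report: dict, threshold: str = "Low", allowlist=frozenset()) -> int:
    """Exit code for the job: 0 if nothing blocks, 1 if any finding remains.

    allowlist holds (file, rule name) pairs for accepted false positives; a finding
    is excluded only when both match, so a rule is never silenced repo-wide.
    """
    blocking = [
        f for f in findings_at_or_above(report, threshold)
        if (f.get("location", {}).get("file"), f.get("name")) not in allowlist
    ]
    for f in blocking:
        print(describe(f), file=sys.stderr)
    return 1 if blocking else 0


# Constructed sample report in the assumed layout; not real analyzer output.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "example-1",
            "category": "secret_detection",
            "name": "AWS Access Key",
            "severity": "High",
            "location": {"file": "src/config.py", "start_line": 12},
        },
        {
            "id": "example-2",
            "category": "secret_detection",
            "name": "Generic Password",
            "severity": "Low",
            "location": {"file": "test/fixtures/fake.env", "start_line": 3},
        },
    ],
}


def main(argv) -> int:
    path = Path(argv[1]) if len(argv) > 1 else Path("gl-secret-detection-report.json")
    try:
        report = json.loads(path.read_text())
    except FileNotFoundError:
        # No report means the scan did not run; fail closed rather than pass silently.
        print(f"report not found: {path}", file=sys.stderr)
        return 2
    return gate(report, threshold="Low")


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the job this would run after the analyzer, for example as `python3 gate_secrets.py gl-secret-detection-report.json` appended to the job's script; the exit code then decides the job status regardless of how allow_failure is set on the base definition.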