Draft: Remove the (default) base secret-analyzer behaviour where jobs succeed when secrets are discovered
What does this MR do and why?
This change removes the allow_failure: true configuration on the base .secret-analyzer definition.
That job definition is extended by the secret_detection job, which is the default job that is run when the Secret Detection feature (free tier) is enabled.
Relates to #354151.
(NB: I now do not think that this completely fixes the related issue. The continuous integration jobs here passed (green), so even the removal of allow_failure: true may not resolve the entire problem.)
Screenshots
Here is some example output from a secret detection job that ran against a codebase -- a secret was discovered, but the job displayed a success status as output:
How to set up and validate locally
TODO: Could the changes here be validated using gitlab-runner?
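One way to check locally whether a pipeline would actually stop on a finding is to inspect the report artifact the analyzer writes rather than relying on the job's exit status. The script below is an added example, not code from this MR or from GitLab's analyzer. It assumes the secret_detection job writes gl-secret-detection-report.json in the secure-report JSON shape with a top-level "vulnerabilities" list; the report path and the sample report contents are constructed for illustration. A job that ran it after secret_detection (with needs: and the report artifact available) would go red whenever the report is non-empty, independent of allow_failure.

```python
"""Exit non-zero when a Secret Detection report contains findings.

Added example, not part of the MR or of GitLab's secret-analyzer image.
Assumptions: the analyzer writes the standard secure-report JSON with a
top-level "vulnerabilities" list; the default path and the sample report
below are constructed for illustration.
"""
import json
import sys
from pathlib import Path

# Artifact name the secret_detection job is assumed to produce.
DEFAULT_REPORT = "gl-secret-detection-report.json"

# Constructed sample report with one finding (not real analyzer output).
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "example-finding-1",
            "category": "secret_detection",
            "name": "AWS Access Key",
            "severity": "Critical",
            "location": {"file": "config/settings.py", "start_line": 12},
        }
    ],
}


def count_findings(report: dict) -> int:
    """Number of findings in a parsed secure report (0 if the key is absent)."""
    return len(report.get("vulnerabilities") or [])


def summarize(report: dict) -> list:
    """One human-readable line per finding: severity, name, file:line."""
    lines = []
    for v in report.get("vulnerabilities") or []:
        loc = v.get("location", {})
        lines.append(
            f"{v.get('severity', '?')}: {v.get('name', '?')} "
            f"at {loc.get('file', '?')}:{loc.get('start_line', '?')}"
        )
    return lines


def exit_status(report: dict) -> int:
    """0 when the report is clean, 1 when it lists at least one finding."""
    return 1 if count_findings(report) else 0


def check_report_file(path) -> int:
    """Read a report from disk and return the exit status for the pipeline.

    Returns 2 when the file is missing or unreadable, so a job that skipped
    the analyzer entirely is not mistaken for a clean run.
    """
    p = Path(path)
    if not p.is_file():
        print(f"no report at {p}; did the analyzer run?", file=sys.stderr)
        return 2
    try:
        report = json.loads(p.read_text())
    except json.JSONDecodeError as exc:
        print(f"unreadable report {p}: {exc}", file=sys.stderr)
        return 2
    for line in summarize(report):
        print(line)
    print(f"{count_findings(report)} finding(s) in {p}")
    return exit_status(report)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python check_secrets_report.py path/to/report.json
        sys.exit(check_report_file(sys.argv[1]))
    # No argument: run against the constructed sample so the script works offline.
    for line in summarize(SAMPLE_REPORT):
        print(line)
    sys.exit(exit_status(SAMPLE_REPORT))
```

Run with no arguments to see the constructed sample fail (exit status 1); pass a real report path to check an actual pipeline artifact. The distinct status for a missing report matters because a job whose analyzer never produced output would otherwise look identical to a clean scan.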
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
- I'm unable to assign labels, but this change affects the backend of GitLab.
- One area that I'd require help on is the false positive rate for secret detection; that could affect whether (and/or when) this change makes sense to merge.