Disable password in URL rule in secret scanning

Dominic Couture requested to merge dcouture-password-url-disable into master

What does this MR do and why?

The "Password in URL" rule is very noisy and it picks up tons (thousands) of user:user, test:test, *****:*****, and other variations of test passwords to the point where we're missing real findings as in https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/36027676.

Until we have a way to filter out the "obviously-used-for-test" passwords, I suggest that we disable this rule. That, combined with some API tricks to mass-dismiss the existing issues, will enable us to use the feature again.

Screenshots or screen recordings

N/A

How to set up and validate locally

It's a CI/CD configuration change, it cannot be validated locally.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
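As an added example that is not part of this MR or of GitLab's secret detection rules: a small Python pre-filter of the kind the description says is missing. It matches `scheme://user:password@host` credentials and suppresses the obvious test values (identical user and password, fully masked values such as `*****`, placeholder words, `${VAR}` references). The regex, the placeholder list and the sample lines are all constructed for this example.

```python
import re

# Shape the "Password in URL" rule flags: scheme://user:password@host
# (constructed pattern for this example, not GitLab's own rule).
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s/@]+)@[^\s/]+")

# Words that almost always mark a test or documentation credential.
PLACEHOLDER_WORDS = {"test", "user", "password", "pass", "passwd", "example",
                     "changeme", "secret", "xxx", "redacted", "dummy"}


def looks_like_test_password(user: str, password: str) -> bool:
    """Heuristic for the noise the MR describes: user:user, test:test, *****:*****."""
    if password == user:                       # user:user, test:test
        return True
    if set(password) <= set("*xX"):            # masked values such as ***** or xxxxx
        return True
    pw = password.lower()
    if pw in PLACEHOLDER_WORDS:                # test, changeme, password, ...
        return True
    if pw.startswith("${") or pw.startswith("<"):   # ${DB_PASSWORD}, <password>
        return True
    return False


def scan(lines):
    """Return (line_number, user) for each real-looking credential.

    Test-like credentials are dropped; the password itself is never echoed,
    so the finding can be logged without leaking a real secret.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in URL_CRED_RE.finditer(line):
            user, password = match.group(1), match.group(2)
            if not looks_like_test_password(user, password):
                findings.append((lineno, user))
    return findings


# Constructed sample lines; only the last one should survive the filter.
SAMPLE_LINES = [
    "db_url = postgres://user:user@db.internal/app",
    "url: https://test:test@example.com/login",
    "echo 'ftp://*****:*****@host.example'",
    "DATABASE_URL=postgres://app:${DB_PASSWORD}@db:5432/app",
    "amqp://svc:Qx7kLm2pZ@mq.internal:5672",   # constructed, not a real credential
]

if __name__ == "__main__":
    print(scan(SAMPLE_LINES))   # [(5, 'svc')]
```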