### Problem to solve Currently, you can customize the default secret detection rules provided with GitLab. Customization allows replacing the default Secret Detection rules with rules that you define. As per the docs at [Custom rulesets](https://docs.gitlab.com/ee/user/application_security/secret_detection/#custom-rulesets): > Create a custom ruleset file named `secret-detection-ruleset.toml` in the `.gitlab` directory. In the `secret-detection-ruleset.toml` file, do one of the following: > > - Define a custom ruleset > - Provide the name of the file containing a custom ruleset **Unfortunately, it's not possible to define a path to a remote ruleset. Therefore it's hard to maintain the Secret Detection feature within the organization, as adding the new regex means opening multiple MRs across all the projects.** ### User experience goal An option to have a "global" `Secret Detection` ruleset for the whole organization, where the security team could easily maintain the list of custom rules for similar projects based on the current needs/policies. - **Important**: It should be possible to use a ruleset that requires authentication to access. See [this comment](https://gitlab.com/gitlab-org/gitlab/-/issues/336395#note_1875016536) for notes on replicating the `git` passthrough functionality which would support this. - The rules the in the global ruleset should extend the default configuration in [our `gitleaks.toml`](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/gitleaks.toml) file. ### Proposal See [this comment](https://gitlab.com/gitlab-org/gitlab/-/issues/336395#note_1877478338 'Secret Detection feedback - feature proposal: Ability to include remote "custom ruleset"') for the proposed approach forward. <details> <summary>Original Proposal</summary> Add either a new variable: ``` secret_detection: variables: GITLEAKS_CONFIG: "https://ci-files.example.com/templates/security/config-gitleaks.toml" ``` or an option to include remote file in `secret-detection-ruleset.toml`: ``` [secrets] description = 'secrets custom rules configuration' [[secrets.passthrough]] type = "file" target = "gitleaks.toml" option = "remote" # Specify in the config is local or remote value = "https://ci-files.example.com/templates/security/config-gitleaks.toml" ``` It would be much easier if the developers could use a custom ruleset, or include the remote one, which the security team will maintain. </details> ### Links / references * [Secrets analyzer - #L230](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/analyze.go#L230) * [Secret Detection](https://docs.gitlab.com/ee/user/application_security/secret_detection) * [Issue #331358](https://gitlab.com/gitlab-org/gitlab/-/issues/331358 "Secret-Detection Custom Rules - Shared ruleset across projects") ### What is the type of buyer? ~"GitLab Ultimate"