Secret Detection – Enable Duo Code Review
Overview
As discussed in our latest weekly, a new feature to add custom instructions for GitLab Duo Code Review became available (see the Slack announcement), and I thought this would be a good time for the Secret Detection group to enable automatic reviews on all SD-related projects and to discuss any instructions we want to add.
Proposal
This can be done in two steps.
1️⃣ Enable GitLab Duo Code Review
Following the guidelines, and since I have maintainer access on the following projects, I will enable this for:
- security-products/analyzers/secrets
- security-products/secret-detection/secret-detection-service
- security-products/secret-detection/secret-detection-response-service
- security-products/secret-detection/secret-detection-rules
2️⃣ Discuss and Add Custom Instructions
Following that, and based on the discussion the team has here, we can add custom instructions so that GitLab Duo Code Review follows our best practices and applies consistent standards across the projects. See the documentation for some examples.
Prerequisite
At the moment, the custom instructions feature is behind a feature flag: duo_code_review_custom_instructions.
We have to enable this flag for all four projects first by running the following in the #production channel:
/chatops run feature set --project=gitlab-org/security-products/analyzers/secrets,gitlab-org/security-products/secret-detection/secret-detection-service,gitlab-org/security-products/secret-detection/secret-detection-response-service,gitlab-org/security-products/secret-detection/secret-detection-rules duo_code_review_custom_instructions true
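As an added illustration (not part of this issue, and not something the team has agreed on yet), here is what a starting set of custom instructions for the secret-detection projects could look like. It assumes the documented file location `.gitlab/duo/mr-review-instructions.yaml` and the `instructions` / `name` / `fileFilters` / `instructions` keys from the Duo Code Review docs; the file name, the keys and the glob patterns should be checked against the current documentation before committing anything, and the rule-specific paths are placeholders.

```yaml
# Hypothetical .gitlab/duo/mr-review-instructions.yaml for a secret-detection project.
# File location and key names are assumptions taken from the Duo Code Review docs;
# verify against the documentation before use.
instructions:
  - name: "Secret detection rules"
    # Placeholder glob: adjust to where the rule definitions actually live.
    fileFilters:
      - "rules/**/*.toml"
    instructions: |
      1. For every added or changed regex, ask whether the pattern is anchored and
         whether it could match obviously benign strings (false positives) or miss
         the documented key format (false negatives).
      2. Check that each new rule has a corresponding positive and negative test
         fixture in the same MR.
      3. Flag any rule whose description or keywords do not match the pattern it
         contains.
  - name: "Go analyzer code"
    fileFilters:
      - "*.go"
      - "!*_test.go"
    instructions: |
      1. Flag hardcoded credentials, tokens or private keys, including values that
         look like placeholders but would still be detected by our own rules.
      2. Point out error paths where a scan failure is silently swallowed instead of
         being surfaced in the report.
      3. Prefer the existing logging and reporting helpers over ad-hoc prints.
  - name: "Test fixtures"
    fileFilters:
      - "testdata/**/*"
      - "spec/**/*"
    instructions: |
      1. Confirm that any secret-looking fixture is clearly synthetic and cannot be a
         real credential; ask for it to be replaced if its origin is unclear.
```

The intent of the first block is to make the reviewer check the two failure modes that matter most for a detection rule (a pattern that is too loose or too strict) and the presence of fixtures, which is where most rule regressions are caught; the other blocks are ordinary secure-coding prompts scoped by file type.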