v4.0.0 Deprecations and moving script logic into the analyzer
What does this MR do?
This MR introduces two major breaking changes to the Secret Detection analyzer.
- We are removing support for the `SECRET_DETECTION_COMMIT*` options in favor of `SECRET_DETECTION_LOG_OPTIONS`, which allows users everything that `SECRET_DETECTION_COMMIT*` supported and more, since `SECRET_DETECTION_LOG_OPTIONS` are `git log` options.
- We are removing `SECRET_DETECTION_ENTROPY`. Setting an entropy value by itself is not useful. Users can configure their own custom rules if they want to fine-tune entropy values for specific gitleaks rules.
- Moves the `git fetch` logic previously in the template into the analyzer.
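To show concretely why `git log` options cover the commit-range case (and more), here is an added shell example that is not part of this MR or the analyzer: it builds a throwaway repository with three constructed commits and counts which commits a given option string selects. The sample option strings and the plain word-splitting of the variable's contents are assumptions for illustration; check the analyzer's own handling before relying on them.

```shell
#!/bin/sh
# Added example, not analyzer code. Demonstrates that a `git log` option
# string (the form SECRET_DETECTION_LOG_OPTIONS takes) can express a commit
# range, as SECRET_DETECTION_COMMIT* did, plus selections the old options
# could not, such as --grep or --author.
set -eu

# Fixed identity so commits work in a clean environment (constructed values).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# make_repo DIR: create a repository with three commits c1, c2, c3.
make_repo() {
  dir=$1
  git -c init.defaultBranch=main init -q "$dir"
  for n in 1 2 3; do
    printf 'change %s\n' "$n" >"$dir/file.txt"
    git -C "$dir" add file.txt
    git -C "$dir" commit -q -m "c$n"
  done
}

# commits_selected DIR LOG_OPTIONS: number of commits `git log LOG_OPTIONS`
# selects. The options are word-split on purpose (assumption: this mimics
# handing the variable's contents on to git), so an empty string means
# "all history".
commits_selected() {
  dir=$1
  shift
  # shellcheck disable=SC2086
  git -C "$dir" log --format=%H $1 | wc -l | tr -d ' '
}

# demo: print how many commits each sample option string selects.
demo() {
  d=$(mktemp -d)
  make_repo "$d"
  for opts in "" "HEAD~2..HEAD" "-n 1" "--grep=c2" "--author=nobody"; do
    printf '%-16s -> %s commit(s)\n' "'$opts'" "$(commits_selected "$d" "$opts")"
  done
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run with `sh example.sh --demo`. The range form `HEAD~2..HEAD` is the direct replacement for a from/to commit pair; `--grep`, `--author`, `-n` and similar selectors are what the old options could not express.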
Demo:
- default branch: https://gitlab.com/zrice/historic-secrets/-/jobs/2397073835 (this runs a no-git scan)
- commit range: https://gitlab.com/zrice/historic-secrets/-/jobs/2420305895
- commit on new branch: https://gitlab.com/zrice/historic-secrets/-/jobs/2420264449 (1 commit scanned as intended)
- full history scan: https://gitlab.com/zrice/historic-secrets/-/jobs/2420252295
The template used in these demos looks like this (https://gitlab.com/zrice/historic-secrets/-/blob/master/.gitlab-ci.yml):

```yaml
variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  SECRET_DETECTION_IMAGE_SUFFIX: ""
  SECURE_LOG_LEVEL: "debug"
  SECRETS_ANALYZER_VERSION: "3"
  SECRET_DETECTION_EXCLUDED_PATHS: ""

.secret-analyzer:
  stage: test
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/secrets/tmp:de9ed260b5e1a8974cd082be64984403f3828c7f
  services: []
  allow_failure: true
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  script:
    - /analyzer run
```

We will update the vendored template once this MR is merged.
What are the relevant issue numbers?
gitlab-org/gitlab#350660 (closed) gitlab-org/gitlab#350573 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer