
v4.0.0 Deprecations and moving script logic into the analyzer

Zach Rice requested to merge deprecate-commit-options into master

What does this MR do?

This MR introduces two major breaking changes to the Secret Detection analyzer.

  1. We are removing support for the SECRET_DETECTION_COMMIT* options in favor of SECRET_DETECTION_LOG_OPTIONS, which gives users everything that the SECRET_DETECTION_COMMIT* options supported and more, since SECRET_DETECTION_LOG_OPTIONS are git log options.

  2. We are removing SECRET_DETECTION_ENTROPY. Setting an entropy value by itself is not useful. Users can configure their own custom rules if they want to fine-tune entropy values for specific gitleaks rules.

  3. Moves the git fetch logic previously in the template into the analyzer
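As an added example (not part of this MR or the analyzer's own code), one way a project could migrate a commit-range job from the removed variables to the git log based option. SECRET_DETECTION_COMMIT_FROM and SECRET_DETECTION_COMMIT_TO are assumed here to be the members of the SECRET_DETECTION_COMMIT* family being removed; the range uses git's own `from..to` syntax, and the MR-pipeline rule is an assumption about how a project might want to use it.

```yaml
# Before (removed in v4.0.0): two analyzer-specific variables bounded the scan.
# Assumed variable names from the SECRET_DETECTION_COMMIT* family.
# secret_detection:
#   variables:
#     SECRET_DETECTION_COMMIT_FROM: $CI_MERGE_REQUEST_DIFF_BASE_SHA
#     SECRET_DETECTION_COMMIT_TO: $CI_COMMIT_SHA

# After: SECRET_DETECTION_LOG_OPTIONS is passed through as git log options,
# so the same range is expressed with git's from..to revision syntax.
secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    # Merge request pipelines: scan only the commits the MR adds on top of
    # its base, so leaked secrets are caught before they reach the target branch.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      variables:
        SECRET_DETECTION_LOG_OPTIONS: "$CI_MERGE_REQUEST_DIFF_BASE_SHA..$CI_COMMIT_SHA"
    # Branch pipelines: keep the default behaviour (no-git scan of the checkout).
    - if: $CI_COMMIT_BRANCH
  script:
    - /analyzer run
```

Because the option is handed to git log unchanged, any other git log selector (for example a `--since` window) works the same way, which is what the deprecated variables could not express.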

Demo:

  1. default branch: https://gitlab.com/zrice/historic-secrets/-/jobs/2397073835 (this runs a no-git scan)
  2. commit range: https://gitlab.com/zrice/historic-secrets/-/jobs/2420305895
  3. commit on new branch: https://gitlab.com/zrice/historic-secrets/-/jobs/2420264449 (1 commit scanned as intended)
  4. full history scan: https://gitlab.com/zrice/historic-secrets/-/jobs/2420252295

The template used in these demos looks like: https://gitlab.com/zrice/historic-secrets/-/blob/master/.gitlab-ci.yml

variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  SECRET_DETECTION_IMAGE_SUFFIX: ""
  SECURE_LOG_LEVEL: "debug"

  SECRETS_ANALYZER_VERSION: "3"
  SECRET_DETECTION_EXCLUDED_PATHS: ""

.secret-analyzer:
  stage: test
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/secrets/tmp:de9ed260b5e1a8974cd082be64984403f3828c7f
  services: []
  allow_failure: true
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  script:
    - /analyzer run

We will update the vendored template once this MR is merged.

What are the relevant issue numbers?

gitlab-org/gitlab#350660 (closed) gitlab-org/gitlab#350573 (closed)

Does this MR meet the acceptance criteria?

Edited by Zach Rice
