Support MR pipelines
What does this MR do?
Utilises the CI_MERGE_REQUEST_DIFF_BASE_SHA predefined CI variable, which is available in merge request pipelines, to scan the correct commit range when the analyser executes in an MR. We're able to leverage these kinds of pipelines for secret detection because of this addition to the latest vendored template. Note: this change only comes into effect when the customer uses the latest template.
Also simplifies the description of secret findings, by dropping the "Historic " prefix and truncating the commit SHA to 8 characters.
The MR also refactors the code responsible for preparing the target Git repository for scanning. Preparation typically involves fetching an expanded commit range, since the CI runner will perform a shallow checkout of the repository. The refactor introduces a light abstraction in the repoPrepper interface, which attempts to encapsulate the various git fetch operations that are performed on the repo. This interface also enables us to add unit tests with a mock struct, without resorting to monkey patching exec.Command. Mocking is performed via the testify mock package (see this tutorial for more information).
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
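The following Go sketch is an added example, not code from this MR or the analyser itself. It shows the two ideas the description relies on: choosing the scan range from CI_MERGE_REQUEST_DIFF_BASE_SHA when the pipeline is a merge request pipeline, and hiding the git fetch behind a repoPrepper interface so the range logic can be unit tested with a fake. Only the interface name repoPrepper comes from the description; the single fetch method, the fallback to CI_COMMIT_BEFORE_SHA for branch pipelines, the treatment of the all-zero SHA on a first push, the exact git command, the 8-character shortSHA helper and the hand-written fake (used here instead of testify's mock package so the example has no external dependency) are all assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// repoPrepper abstracts the git operations needed to bring a shallow CI
// checkout into a state where the requested commit range can be scanned.
// Hypothetical shape; the analyser's real interface may differ.
type repoPrepper interface {
	// fetch makes every commit in from..to available locally.
	fetch(from, to string) error
}

// gitPrepper is the production implementation: it shells out to git.
type gitPrepper struct{ dir string }

func (g gitPrepper) fetch(from, to string) error {
	// Simplified: fetch the base commit explicitly so that from..to resolves in
	// the runner's shallow clone. Fetching a raw SHA relies on the server
	// allowing it (uploadpack.allowReachableSHA1InWant), which GitLab does.
	cmd := exec.Command("git", "-C", g.dir, "fetch", "--quiet", "origin", from)
	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("git fetch %s: %v: %s", shortSHA(from), err, strings.TrimSpace(string(out)))
	}
	return nil
}

// ciEnv is the subset of predefined CI variables the range logic needs.
type ciEnv struct {
	commitSHA     string // CI_COMMIT_SHA
	beforeSHA     string // CI_COMMIT_BEFORE_SHA
	mrDiffBaseSHA string // CI_MERGE_REQUEST_DIFF_BASE_SHA, set only in MR pipelines
}

// zeroSHA is what CI_COMMIT_BEFORE_SHA holds on the first push of a branch.
const zeroSHA = "0000000000000000000000000000000000000000"

// commitRange picks the from/to commits to scan. In an MR pipeline the diff
// base SHA is the merge base against the target branch, so only the MR's own
// commits are scanned. Otherwise fall back to the previous push head; if that
// is the zero SHA there is no known ancestor and only the head commit is scanned.
func commitRange(env ciEnv) (from, to string, err error) {
	if env.commitSHA == "" {
		return "", "", errors.New("CI_COMMIT_SHA is not set")
	}
	switch {
	case env.mrDiffBaseSHA != "":
		return env.mrDiffBaseSHA, env.commitSHA, nil
	case env.beforeSHA != "" && env.beforeSHA != zeroSHA:
		return env.beforeSHA, env.commitSHA, nil
	default:
		return env.commitSHA, env.commitSHA, nil
	}
}

// prepare asks the prepper to fetch the range and returns the revision
// expression to hand to the scanner ("<from>..<to>", or a single commit).
func prepare(p repoPrepper, env ciEnv) (string, error) {
	from, to, err := commitRange(env)
	if err != nil {
		return "", err
	}
	if from == to {
		return to, nil // nothing older to fetch
	}
	if err := p.fetch(from, to); err != nil {
		return "", fmt.Errorf("preparing %s..%s: %w", shortSHA(from), shortSHA(to), err)
	}
	return from + ".." + to, nil
}

// shortSHA truncates a commit SHA to 8 characters for human-readable output.
func shortSHA(sha string) string {
	if len(sha) > 8 {
		return sha[:8]
	}
	return sha
}

// fakePrepper records fetch calls so tests can assert on the requested range
// without running git. It stands in for the testify mock the MR uses.
type fakePrepper struct {
	calls [][2]string
	err   error
}

func (f *fakePrepper) fetch(from, to string) error {
	f.calls = append(f.calls, [2]string{from, to})
	return f.err
}

func main() {
	// Constructed sample values for a merge request pipeline (not a real MR).
	env := ciEnv{
		commitSHA:     "9c2b4d7e1f0a3b5c6d8e9f0a1b2c3d4e5f607182",
		beforeSHA:     "1111111111111111111111111111111111111111",
		mrDiffBaseSHA: "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
	}
	fp := &fakePrepper{}
	rng, err := prepare(fp, env)
	fmt.Println(rng, err, fp.calls)
}
```

Swapping fakePrepper for gitPrepper{dir: "."} in main runs the same path against a real checkout; the range logic itself never needs git, which is the point of the seam.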