Draft: Add Tracking info in the Secret Detection Report

Vishwa Bhat requested to merge vbhat/tracking-signature into master

What does this MR do?

Context

Whenever a Secret Detection finding is created for a secret and if the same secret moves within the file, a new finding gets created along with the previous one, ending up with two findings pointing at the same secret. The new findings continue to be generated until the secret is remediated. So, we decided to solve the problem following the footsteps of SAST (which faced the same problem earlier) i.e., by introducing a tracking signature in the final report and the Rails monolith will use the signature during CI builds to determine if the new findings should be created or refer to the existing findings. For more details, refer to the linked issue.

This MR addresses part of the solution by introducing the tracking information in the Secret Detection report (tracking field). The tracking information primarily uses an algorithm that combines Filename, Rule ID, and Secret value to generate a unique signature independent of the location of the secret.
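
The location-independent signature described above, as an added example that is not the analyzer's code from this MR: the hash function (SHA-256), the length-prefixed field encoding, the JSON layout of the tracking field and the sample findings are all assumptions made here for illustration.

```python
import hashlib
import json

# Constructed illustration of a location-independent tracking signature.
# SHA-256, the length-prefixed encoding and the JSON shape of "tracking" are
# assumptions for this example, not the Secret Detection analyzer's code.

def _encode(*parts: str) -> bytes:
    # Length-prefix each field so ("a/b", "c") and ("a", "b/c") cannot collide.
    out = b""
    for part in parts:
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out

def tracking_signature(filename: str, rule_id: str, secret: str) -> str:
    # The line number is deliberately excluded, so a secret that moves within
    # the same file keeps the same signature and is not reported twice.
    return hashlib.sha256(_encode(filename, rule_id, secret)).hexdigest()

def build_tracking(finding: dict) -> dict:
    # Only the digest goes into the report; the raw secret value is not stored.
    sig = tracking_signature(finding["file"], finding["rule_id"], finding["secret"])
    return {
        "type": "source",
        "items": [{
            "file": finding["file"],
            "line_start": finding["line"],
            "line_end": finding["line"],
            "signatures": [{"algorithm": "sha256-file-rule-value", "value": sig}],
        }],
    }

def same_finding(a: dict, b: dict) -> bool:
    # What a consumer such as the Rails side would compare across CI builds.
    sig_a = build_tracking(a)["items"][0]["signatures"][0]["value"]
    sig_b = build_tracking(b)["items"][0]["signatures"][0]["value"]
    return sig_a == sig_b

# Constructed findings: the same secret reported at two different lines, the
# case that previously produced duplicate findings, plus a different secret.
FINDING_V1 = {"file": "config/settings.yml", "rule_id": "EXAMPLE-RULE-ID",
              "secret": "example-secret-value-1", "line": 12}
FINDING_V2 = {**FINDING_V1, "line": 40}
FINDING_OTHER = {**FINDING_V1, "secret": "example-secret-value-2"}

if __name__ == "__main__":
    print(json.dumps(build_tracking(FINDING_V1), indent=2))
    print("moved secret matches:", same_finding(FINDING_V1, FINDING_V2))
```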

NOTE: The linked dependent MR must be merged before this MR.

What are the relevant issue numbers?

Track Secret Detection findings by filename and... (gitlab-org/gitlab#434096 - closed)

Does this MR meet the acceptance criteria?

Edited by Lucas Charles