Add MySQL password detection to Secret Detection

What does this MR do?

This MR adds MySQL password detection patterns to GitLab's Secret Detection scanner to catch common MySQL passwords in database setup scripts and configuration files.

Related Issue

Closes gitlab-org/gitlab#408723

What patterns are added?

This MR adds three new detection rules to config/gitleaks.toml:

  1. mysql-password-flag: Detects MySQL command-line password flags
     • Examples: -p password, --password=secret, mysql -pMyPass123
  2. mysql-root-password: Detects root_password declarations
     • Examples: root_password: secret123, root_password=MyPass
  3. mysql-identified-by: Detects MySQL IDENTIFIED BY statements
     • Examples: IDENTIFIED BY 'password123', IDENTIFIED BY "secret"

Testing

You can test this with a sample MySQL script like:

-- This should be detected
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password123';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'MySecretPass';

Or command-line examples:

mysql -u root -pMyPassword
mysql --password=secret123
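To show what the three rule categories above actually have to match, here is a small added Python scanner (example code, not the MR's rules and not GitLab's scanner) that implements one regex per category and runs it over the sample lines from this MR. The regexes, the `Finding` type and the sample input are assumptions made for this illustration; the real patterns live in config/gitleaks.toml and may differ. The root_password rule is matched case-insensitively here so it also catches the MYSQL_ROOT_PASSWORD form seen in container configs, which goes slightly beyond the examples listed in the MR.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One illustrative regex per rule category named in the MR. These are this
# example's own approximations, not the patterns shipped in gitleaks.toml.
# Group 1 = optional quote, group 2 = the secret value.
RULES: dict[str, re.Pattern[str]] = {
    # -pSecret, -p Secret, --password=Secret; flag must start a token.
    # Case-sensitive on purpose: in the mysql CLI, -P is the port, not the password.
    # (?!-) stops "-p -u root" from reporting "-u" as a password.
    "mysql-password-flag": re.compile(
        r"""(?:^|\s)(?:-p|--password=)\s*(['"]?)(?!-)([^\s'"]+)\1"""
    ),
    # root_password: value / root_password=value (also MYSQL_ROOT_PASSWORD=value).
    # Trailing \b avoids matching keys such as root_password_file.
    "mysql-root-password": re.compile(
        r"""root_password\b\s*[:=]\s*(['"]?)([^\s'"]+)\1""", re.IGNORECASE
    ),
    # IDENTIFIED BY 'secret' / IDENTIFIED BY "secret" in SQL.
    "mysql-identified-by": re.compile(
        r"""IDENTIFIED\s+BY\s+(['"])([^'"]+)\1""", re.IGNORECASE
    ),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    secret: str


def mask(secret: str) -> str:
    """Mask a secret for reports so scanner output never re-leaks it."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_line(line: str, line_no: int = 1) -> list[Finding]:
    """Apply every rule to one line; a line may yield several findings."""
    findings: list[Finding] = []
    for name, pattern in RULES.items():
        for match in pattern.finditer(line):
            findings.append(Finding(name, line_no, match.group(2)))
    return findings


def scan_text(text: str) -> list[Finding]:
    """Scan a whole file body, numbering lines from 1 as a scanner report would."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, line_no))
    return findings


# Constructed sample: the MR's own examples plus two lines that must NOT fire
# (an interactive "-p" prompt with no value, and --port, which is not a password).
SAMPLE = """\
-- This should be detected
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password123';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'MySecretPass';
mysql -u root -pMyPassword
mysql --password=secret123
root_password: secret123
MYSQL_ROOT_PASSWORD=MyPass
mysql -u root -p
mysql --port=3306 -u app
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule} -> {mask(f.secret)}")
```

Running the block prints one masked finding per leaked value and nothing for the last two sample lines. Quotes are captured as an optional group and back-referenced so `'secret'` and `"secret"` are both handled without the quote characters ending up in the reported value; the `(?!-)` guard and the trailing `\b` are the kind of false-positive controls a real gitleaks rule also needs, since a noisy rule is the fastest way to get a detector disabled.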

Checklist

  • Added MySQL password detection patterns
  • Patterns follow gitleaks TOML format
  • Referenced the original issue
  • Added security changelog entry

Security Impact

This improves GitLab's Secret Detection capabilities by catching MySQL passwords that were previously undetected, helping users avoid accidentally committing database credentials to their repositories.
