Dogfood Secret Push Protection on internal GitLab projects
## Overview We'd like to dogfood [Secret Push Protection](https://docs.gitlab.com/ee/user/application_security/secret_detection/pre_receive/index.html) on a handful of internal projects before enabling this for our `.com` customers. This will increase our confidence in the stability, performance, and customer workflows for the Beta release of this feature. We plan to take a phased approach to dogfooding this feature internally to get some early feedback prior to enabling it on `.com` * :white_check_mark: [Phase 0](https://gitlab.com/gitlab-org/gitlab/-/issues/455909) (AKA prerequisites) * Test on staging.gitlab.com first. * Have an MR in progress describing the steps to enable/disable the feature. This will include the Feature Flags, as well as the Instance toggle. * No additional dashboards need to be set up before PHASE I. We can use the existing [Gitaly Latency dashboard for PreReceiveHook](https://dashboards.gitlab.net/d/PqeIQ9Iik/gitaly-feature-latency-detail?from=now-1h&orgId=1&refresh=5m&to=now&var-job=gitaly&var-method=PreReceiveHook) at this point. (But what Phase requires the additional dashboard?) * :white_check_mark: [Phase 1](https://gitlab.com/gitlab-org/gitlab/-/issues/455910) * Static Analysis/SD analyzers (group). * Expand to other analyzers (stage). * Expand to govern and VR projects (section). * :white_check_mark: [Phase 2](https://gitlab.com/gitlab-org/gitlab/-/issues/455911) * Collaboration with Appsec * :white_check_mark: [Phase 3](https://gitlab.com/gitlab-org/gitlab/-/issues/455913) * Enable for key GitLab projects * :white_check_mark: [Phase 4](https://gitlab.com/gitlab-org/gitlab/-/issues/464588) * Interested projects can self-enable * :white_check_mark: Collect feedback on Internal Dogfooding of Pre-receive SD * Going forward, for feedback, use https://gitlab.com/gitlab-org/gitlab/-/issues/467408+s This Epic will be used to: - brainstorm the requirements needed to begin dogfooding - serve as a place to gather interest from internal stakeholders who'd like to dogfood this feature - coordinate enablement of this feature on those projects ## Summary of Progress All phases are complete and outstanding feedback has either been addressed, or an appropriate follow-up issue created. Any new feedback should be added to https://gitlab.com/gitlab-org/gitlab/-/issues/467408+s Issues and MRs opened as a result of dogfooding: * https://gitlab.com/gitlab-org/gitlab/-/issues/455435+s * https://gitlab.com/gitlab-org/gitlab/-/issues/458784+s * https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151468+s * https://gitlab.com/gitlab-org/gitlab/-/issues/460952+s * https://gitlab.com/gitlab-org/gitlab/-/issues/461497+s * https://gitlab.com/gitlab-org/gitlab/-/issues/463537 Tables of projects dogfooded for each phase: * [Phase 1 projects](https://gitlab.com/gitlab-org/gitlab/-/issues/455910#feature-flag-status-for-select-projects ) * [Phase 2 projects](https://gitlab.com/gitlab-org/gitlab/-/issues/455911#feature-flag-status-for-select-projects ) * [Phase 3 projects](https://gitlab.com/gitlab-org/gitlab/-/issues/455913#feature-flag-status-for-select-projects ) ## Communication plan * [#whats-happening-at-gitlab](https://gitlab.enterprise.slack.com/archives/C0259241C) - Announce when testing is kicking off and when enabling for `gitlab-org/gitlab`. Announcement will include the general plan, and where to look for details * [#production](https://gitlab.enterprise.slack.com/archives/C101F3796) - Feature flag enablement/disablement will be done here * [#support_gitlab-com](https://gitlab.enterprise.slack.com/archives/C4XFU81LG) - Announce when significant enablements occur * [#g_secure-secret-detection](https://gitlab.enterprise.slack.com/archives/C06NY8LDMT2) - Announce when significant enablements occur * [#g_gitaly](https://gitlab.enterprise.slack.com/archives/C3ER3TQBT) - Announce when significant enablements occur * [#pre-receive-secret-detection](https://gitlab.enterprise.slack.com/archives/C05UL7U7HBK) - Announce any feature flag and setting enablement/disablement here ## Tasks - [x] Determine what's needed to begin dogfooding - [x] Identify which internal projects we should dogfood this feature on - [x] Monitor performance on projects that have this feature enabled and provide summary of results - [x] Gather feedback from anyone who dogfoods this feature (workflow improvements, documentation updates, bugs, etc.) ## Summary for dogfooding participants: * Your help is greatly appreciated * This should not be disruptive to your daily workflow * Caveat is that if you regularly make a habit of committing secrets, then it will be disruptive * The feature can easily and quickly be turned off for your repo through the `Secret push protection` section under `Secure -> Security Configuration`. Toggling the feature is limited to Maintainers, or above. * You don't need to do anything other than proceed as normal * But, feedback is always a gift and would be quite welcome in [this feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/455914) ## Resources - [Secret push protection documentation](https://docs.gitlab.com/ee/user/application_security/secret_detection/pre_receive/index.html) - [Secret Detection runbooks](https://handbook.gitlab.com/handbook/engineering/development/sec/secure/secret-detection/runbooks/) _Note: `Secret Push Protection` was previously named `Pre-receive secret detection`. Noting this in case there are places this hasn't been renamed/replaced._
epic