Dogfood Secret Push Protection on internal GitLab projects
## Overview
We'd like to dogfood [Secret Push Protection](https://docs.gitlab.com/ee/user/application_security/secret_detection/pre_receive/index.html) on a handful of internal projects before enabling this for our `.com` customers. This will increase our confidence in the stability, performance, and customer workflows for the Beta release of this feature.
We plan to take a phased approach to dogfooding this feature internally to get some early feedback prior to enabling it on `.com`
* :white_check_mark: [Phase 0](https://gitlab.com/gitlab-org/gitlab/-/issues/455909) (AKA prerequisites)
* Test on staging.gitlab.com first.
* Have an MR in progress describing the steps to enable/disable the feature. This will include the Feature Flags, as well as the Instance toggle.
* No additional dashboards need to be set up before PHASE I. We can use the existing [Gitaly Latency dashboard for PreReceiveHook](https://dashboards.gitlab.net/d/PqeIQ9Iik/gitaly-feature-latency-detail?from=now-1h&orgId=1&refresh=5m&to=now&var-job=gitaly&var-method=PreReceiveHook) at this point. (But what Phase requires the additional dashboard?)
* :white_check_mark: [Phase 1](https://gitlab.com/gitlab-org/gitlab/-/issues/455910)
* Static Analysis/SD analyzers (group).
* Expand to other analyzers (stage).
* Expand to govern and VR projects (section).
* :white_check_mark: [Phase 2](https://gitlab.com/gitlab-org/gitlab/-/issues/455911)
* Collaboration with Appsec
* :white_check_mark: [Phase 3](https://gitlab.com/gitlab-org/gitlab/-/issues/455913)
* Enable for key GitLab projects
* :white_check_mark: [Phase 4](https://gitlab.com/gitlab-org/gitlab/-/issues/464588)
* Interested projects can self-enable
* :white_check_mark: Collect feedback on Internal Dogfooding of Pre-receive SD
* Going forward, for feedback, use https://gitlab.com/gitlab-org/gitlab/-/issues/467408+s
This Epic will be used to:
- brainstorm the requirements needed to begin dogfooding
- serve as a place to gather interest from internal stakeholders who'd like to dogfood this feature
- coordinate enablement of this feature on those projects
## Summary of Progress
All phases are complete and outstanding feedback has either been addressed, or an appropriate follow-up issue created.
Any new feedback should be added to https://gitlab.com/gitlab-org/gitlab/-/issues/467408+s
Issues and MRs opened as a result of dogfooding:
* https://gitlab.com/gitlab-org/gitlab/-/issues/455435+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/458784+s
* https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151468+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/460952+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/461497+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/463537
Tables of projects dogfooded for each phase:
* [Phase 1 projects](https://gitlab.com/gitlab-org/gitlab/-/issues/455910#feature-flag-status-for-select-projects )
* [Phase 2 projects](https://gitlab.com/gitlab-org/gitlab/-/issues/455911#feature-flag-status-for-select-projects )
* [Phase 3 projects](https://gitlab.com/gitlab-org/gitlab/-/issues/455913#feature-flag-status-for-select-projects )
## Communication plan
* [#whats-happening-at-gitlab](https://gitlab.enterprise.slack.com/archives/C0259241C) - Announce when testing is kicking off and when enabling for `gitlab-org/gitlab`. Announcement will include the general plan, and where to look for details
* [#production](https://gitlab.enterprise.slack.com/archives/C101F3796) - Feature flag enablement/disablement will be done here
* [#support_gitlab-com](https://gitlab.enterprise.slack.com/archives/C4XFU81LG) - Announce when significant enablements occur
* [#g_secure-secret-detection](https://gitlab.enterprise.slack.com/archives/C06NY8LDMT2) - Announce when significant enablements occur
* [#g_gitaly](https://gitlab.enterprise.slack.com/archives/C3ER3TQBT) - Announce when significant enablements occur
* [#pre-receive-secret-detection](https://gitlab.enterprise.slack.com/archives/C05UL7U7HBK) - Announce any feature flag and setting enablement/disablement here
## Tasks
- [x] Determine what's needed to begin dogfooding
- [x] Identify which internal projects we should dogfood this feature on
- [x] Monitor performance on projects that have this feature enabled and provide summary of results
- [x] Gather feedback from anyone who dogfoods this feature (workflow improvements, documentation updates, bugs, etc.)
## Summary for dogfooding participants:
* Your help is greatly appreciated
* This should not be disruptive to your daily workflow
* Caveat is that if you regularly make a habit of committing secrets, then it will be disruptive
* The feature can easily and quickly be turned off for your repo through the `Secret push protection` section under `Secure -> Security Configuration`. Toggling the feature is limited to Maintainers, or above.
* You don't need to do anything other than proceed as normal
* But, feedback is always a gift and would be quite welcome in [this feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/455914)
## Resources
- [Secret push protection documentation](https://docs.gitlab.com/ee/user/application_security/secret_detection/pre_receive/index.html)
- [Secret Detection runbooks](https://handbook.gitlab.com/handbook/engineering/development/sec/secure/secret-detection/runbooks/)
_Note: `Secret Push Protection` was previously named `Pre-receive secret detection`. Noting this in case there are places this hasn't been renamed/replaced._
epic