Secret-Detection.gitlab-ci.yml 3.21 KB
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/secret_detection
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-variables
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables

variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
  SECRETS_ANALYZER_VERSION: "3"
  SECRET_DETECTION_EXCLUDED_PATHS: ""

.secret-analyzer:
  stage: test
  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
  services: []
  allow_failure: true
  variables:
    GIT_DEPTH: "50"
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  script:
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    # Historic scan
    - |
      if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]
      then
        echo "historic scan"
        git fetch --unshallow origin $CI_COMMIT_REF_NAME
        /analyzer run
        exit
      fi
    # Default branch scan
    - if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit; fi
    # Push event
    - |
      if [ "$CI_COMMIT_BEFORE_SHA" == "0000000000000000000000000000000000000000" ];
      then
        # first commit on a new branch
        echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
        git fetch --depth=2 origin $CI_COMMIT_REF_NAME
      else
        # determine commit range so that we can fetch the appropriate depth
        set +e # ignore exit on failure
        git log --no-merges --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt

        # check the exit code of the previous command to determine if we need to limit the commit_list.txt to CI_COMMIT_SHA.
        if [ $? -ne 0 ];
        then
          echo "unable to determine commit range, limiting to ${CI_COMMIT_SHA}"
          echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
        else
          # append newline to to list since `git log` does not end with a
          # newline, this is to keep the log messages consistent
          echo >> ${CI_COMMIT_SHA}_commit_list.txt
        fi

        # re-enable exit on failure
        set -e

        # we need to extend the git fetch depth to the number of commits + 1 for the following reasons:
        # to include the parent commit of the base commit in this MR/Push event. This is needed because
        # `git diff -p` needs something to compare changes in that commit against
        git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) origin $CI_COMMIT_REF_NAME
      fi
      echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt))) commits for a push event"
      export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
    - /analyzer run
    - rm "$CI_COMMIT_SHA"_commit_list.txt