nexedi / gitlab-ce
Commit 7c0576b5, authored Jan 11, 2022 by Zach Rice, committed by Mark Chao on Jan 11, 2022
Update secret-detection git log command
Changelog: changed
parent e3d7c020
Showing 3 changed files with 14 additions and 23 deletions (+14 -23)
ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb (+2 -11)
ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb (+1 -9)
lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml (+11 -3)
ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -136,16 +136,8 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
it_behaves_like
'with different scan type'
do
let
(
:expected_configuration
)
do
{
'secret-detection-0'
:
{
'secret-detection-0'
:
hash_including
(
rules:
[{
if:
'$SECRET_DETECTION_DISABLED'
,
when:
'never'
},
{
if:
'$CI_COMMIT_BRANCH'
}],
script:
[
'if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi'
,
'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi'
,
'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME'
,
'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt'
,
'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt'
,
'/analyzer run'
,
'rm "$CI_COMMIT_SHA"_commit_list.txt'
],
stage:
'test'
,
image:
'$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION'
,
services:
[],
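Review bot: removing the `script:` entries (the `git fetch` and `git log` lines, the `SECRET_DETECTION_COMMITS_FILE` export, `/analyzer run` and the trailing `rm`) from the `hash_including(...)` expectation leaves the processor spec asserting nothing about the commands the generated `secret-detection-0` job runs, and the template script is exactly what this commit rewrites. Consider keeping a narrower assertion that survives the template change, for example `script: array_including('/analyzer run')`, so a regression in the job's commands still fails this spec.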
@@ -160,8 +152,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
SECRETS_ANALYZER_VERSION
:
'3'
,
SECRET_DETECTION_EXCLUDED_PATHS
:
''
,
SECRET_DETECTION_HISTORIC_SCAN
:
'false'
}
}
})
}
end
end
ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
@@ -29,14 +29,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
it
'returns prepared CI configuration with Secret Detection scans'
do
expected_configuration
=
{
rules:
[{
if:
'$SECRET_DETECTION_DISABLED'
,
when:
'never'
},
{
if:
'$CI_COMMIT_BRANCH'
}],
script:
[
'if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi'
,
'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi'
,
'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME'
,
'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt'
,
'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt'
,
'/analyzer run'
,
'rm "$CI_COMMIT_SHA"_commit_list.txt'
],
stage:
'test'
,
image:
'$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION'
,
services:
[],
@@ -54,7 +46,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
}
}
expect
(
subject
.
deep_symbolize_keys
).
to
eq
(
expected_configuration
)
expect
(
subject
.
deep_symbolize_keys
).
to
include
(
expected_configuration
)
end
end
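Review bot: switching `expect(subject.deep_symbolize_keys).to eq(expected_configuration)` to `.to include(expected_configuration)` loosens the check from exact equality to a subset match, so any key missing from `expected_configuration` (after this commit, the job's `script`) is not checked at all, and extra or renamed keys in the generated configuration pass silently. If the goal is only to stop pinning the exact script text, keep `eq` and express the script with a matcher such as `array_including('/analyzer run')`, or add a separate assertion that the generated `script` is present and non-empty.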
lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -29,8 +29,16 @@ secret_detection:
script
:
-
if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
-
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
-
git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
-
git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
-
export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt
-
|
git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt
if [[ $(wc -l <${CI_COMMIT_SHA}_commit_list.txt) -eq "0" ]]; then
# if git log produces 0 or 1 commits we should scan $CI_COMMIT_SHA only
export SECRET_DETECTION_COMMITS=$CI_COMMIT_SHA
else
# +1 because busybox wc only counts \n and there is no trailing \n
echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
fi
-
/analyzer run
-
rm "$CI_COMMIT_SHA"_commit_list.txt
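Review bot: the new `git log` range is `refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME}` (two dots) where the old line used `...` (three dots), and with a plain `A..B` range `--cherry-pick` has no "other side" to compare against, while `--left-right` only affects the `<`/`>` mark that `--pretty=format:"%H"` never prints, so both flags are now inert. If listing only the commits on the branch that are not on the default branch is the intent, drop the two flags so the next reader does not assume a symmetric difference is being computed; if the symmetric difference was intended, restore `...`. Two smaller points: `wc -l <${CI_COMMIT_SHA}_commit_list.txt` is evaluated twice and could be captured once in a variable before the `if`, and `if [[ ... ]]` is a bash/ksh construct, so it is worth confirming the analyzer image's default shell accepts it given that the comment already assumes busybox `wc`. Since the script is now a single `|` block, none of the specs touched in this commit exercise its contents.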