Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
9a1dbbad
Commit
9a1dbbad
authored
Jan 20, 2022
by
Zach Rice
Committed by
Marcel Amirault
Jan 20, 2022
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Update secret detection template to be more robust
Changelog: changed
parent
f43c7bfd
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
17 additions
and
10 deletions
+17
-10
lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+17
-10
No files found.
lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
View file @
9a1dbbad
...
@@ -32,15 +32,22 @@ secret_detection:
...
@@ -32,15 +32,22 @@ secret_detection:
-
if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
-
if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
-
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
-
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
-
|
-
|
git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
# we don't need the whole history when excluding in the next `git fetch` line,
git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt
# so git depth=1
if [[ $(wc -l <${CI_COMMIT_SHA}_commit_list.txt) -eq "0" ]]; then
git fetch origin --depth=1 $CI_DEFAULT_BRANCH
# if git log produces 0 or 1 commits we should scan $CI_COMMIT_SHA only
# shallow clone $CI_COMMIT_REF_NAME to get commits associated with MR or push
export SECRET_DETECTION_COMMITS=$CI_COMMIT_SHA
git fetch --shallow-exclude=${CI_DEFAULT_BRANCH} origin $CI_COMMIT_REF_NAME
else
# determine what commits we need to scan using "git log A..B"
# +1 because busybox wc only counts \n and there is no trailing \n
git log --no-merges --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt
echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
# we need to extend the git fetch depth to the number of commits + 2 for the following reasons:
fi
# because busybox wc only counts \n and there is no trailing \n (+1)
# include the parent commit of the base commit in this MR/Push event. This is needed because
# `git diff -p` needs something to compare changes in that commit against (+1)
git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 2)) origin $CI_COMMIT_REF_NAME
# +1 because busybox wc only counts \n and there is no trailing \n
echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
-
/analyzer run
-
/analyzer run
-
rm "$CI_COMMIT_SHA"_commit_list.txt
-
rm "$CI_COMMIT_SHA"_commit_list.txt
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment