Commit 9a1dbbad authored by Zach Rice's avatar Zach Rice Committed by Marcel Amirault

Update secret detection template to be more robust

Changelog: changed
parent f43c7bfd
...@@ -32,15 +32,22 @@ secret_detection: ...@@ -32,15 +32,22 @@ secret_detection:
- if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
- if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
- | - |
git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME # we don't need the whole history when excluding in the next `git fetch` line,
git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt # so git depth=1
if [[ $(wc -l <${CI_COMMIT_SHA}_commit_list.txt) -eq "0" ]]; then git fetch origin --depth=1 $CI_DEFAULT_BRANCH
# if git log produces 0 or 1 commits we should scan $CI_COMMIT_SHA only # shallow clone $CI_COMMIT_REF_NAME to get commits associated with MR or push
export SECRET_DETECTION_COMMITS=$CI_COMMIT_SHA git fetch --shallow-exclude=${CI_DEFAULT_BRANCH} origin $CI_COMMIT_REF_NAME
else # determine what commits we need to scan using "git log A..B"
# +1 because busybox wc only counts \n and there is no trailing \n git log --no-merges --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt
echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt # we need to extend the git fetch depth to the number of commits + 2 for the following reasons:
fi # because busybox wc only counts \n and there is no trailing \n (+1)
# include the parent commit of the base commit in this MR/Push event. This is needed because
# `git diff -p` needs something to compare changes in that commit against (+1)
git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 2)) origin $CI_COMMIT_REF_NAME
# +1 because busybox wc only counts \n and there is no trailing \n
echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
- /analyzer run - /analyzer run
- rm "$CI_COMMIT_SHA"_commit_list.txt - rm "$CI_COMMIT_SHA"_commit_list.txt
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment