diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5a2d59fa502..113ee609299 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -484,6 +484,31 @@ stop-review-app:
 include:
 - template: Jobs/SAST.gitlab-ci.yml
 - template: Jobs/Dependency-Scanning.gitlab-ci.yml
+ - template: Security/Secret-Detection.gitlab-ci.yml
+
+secret_detection:
+ allow_failure: false
+ variables:
+ SECRET_DETECTION_LOG_OPTIONS: origin/${CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME}..HEAD
+ SECRET_DETECTION_REPORT_FILE: "gl-secret-detection-report.json"
+ rules:
+ - if: $SECRET_DETECTION_DISABLED
+ when: never
+ - if: '$CI_COMMIT_BRANCH || $CI_COMMIT_TAG'
+ before_script:
+ - apk add --no-cache jq
+ script:
+ - /analyzer run
+ # check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
+ - |
+ if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
+ if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
+ echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
+ exit 80
+ fi
+ else
+ echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
+ fi

 .container_scan_template:
 interruptible: true
diff --git a/config/application.yml.default b/config/application.yml.default
index 7f73b595df0..00bceb4550f 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default
@@ -478,6 +478,7 @@ production:
 second_mfa_reminder_enabled: false
 secret_key_base:
 seed_agreements_data: false
+ innocent_key: false
 session_encryption_key:
 skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:dev", "urn:gov:gsa:SAML:2.0.profiles:sp:sso:int"]'
 state_tracking_enabled: false
diff --git a/test.key b/test.key
new file mode 100644
index 00000000000..45624a52a13
--- /dev/null
+++ b/test.key
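Review bot: `SECRET_DETECTION_LOG_OPTIONS` collapses to `origin/..HEAD` whenever `CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME` is unset, and the job's own rule `'$CI_COMMIT_BRANCH || $CI_COMMIT_TAG'` lets it run in branch and tag pipelines where that variable is presumably empty, so the analyzer is handed an invalid revision range in exactly the pipelines that are not external pull requests. A fallback computed in `before_script` would cover that case, e.g. `- if [ -z "$CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME" ]; then export SECRET_DETECTION_LOG_OPTIONS="origin/${CI_DEFAULT_BRANCH}..HEAD"; fi`, and if the project uses a shallow `GIT_DEPTH` the `origin/<target>` ref may also need an explicit fetch first. A ranged scan by design only reports secrets introduced in the new commits, so anything already on the target branch is never re-reported; that limitation deserves a comment next to the variable. The `else` branch of the report check prints a message and exits 0 when no report file exists, which makes a silently failing analyzer pass the gate; either `exit 1` there or document the policy with `# missing report is treated as pass by design`.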
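Review bot: `innocent_key: false` is added to the production defaults with no comment, and nothing else in this commit reads it. If it is a placeholder used to exercise the new secret_detection job it should not ship in `application.yml.default`; if it is a real setting it needs a one-line comment stating what it gates, e.g. `# innocent_key: TODO describe the behaviour this flag enables`.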
@@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAunYJKh8vggRgk1ZpbN1NpPTl11kE50sz6n1pvn3F3+VGIjQ3VfBE +rEAvgbJZTO7tj8ledsLcZJrN2u63LabuqSVy/rrkeGLyoQ1NnH3sJNbMAglmDtJJgYCbQk +1vH5vT32rmgx/D+vUwtGf5CyyrpKDKzKYV54KWQIFQQNpiL1sZkZmKmjIh+RO7YxLLQe5+ +aFNS3uHBGnfp5KW1PpV/9OoFVCWQLq7KfUr0j6JLcLUXpSaP7a1kDeLtxqbTyCUALB8PhG +ZbtIIhKgJ89fshn3I9PljvzIVAJlYqQ4XeXHIw/3PBXLi7avq5Z/FU4UhArIaAXOHA0pVI +NyI6jrhf6ik7J6dlJ6n+hEdIvA8KwlbsDQJWqP9Or1D5zrHh7K5Yx5p5XpTMP6uxV150Rp +yar+JxgQ5I8K7auMfHu2zQZlBP0NK9zkJkH/GdZ5Cti8uheBtwA8RtlH5AmS3AIySh90M9 +v2LdcPgpipkWtM9HGDeBuqiiZxzkKiJweS+ziZXfAAAFmAgdbFYIHWxWAAAAB3NzaC1yc2 +EAAAGBALp2CSofL4IEYJNWaWzdTaT05ddZBOdLM+p9ab59xd/lRiI0N1XwRKxAL4GyWUzu +7Y/JXnbC3GSazdruty2m7qklcv665Hhi8qENTZx97CTWzAIJZg7SSYGAm0JNbx+b099q5o +Mfw/r1MLRn+Qssq6SgysymFeeClkCBUEDaYi9bGZGZipoyIfkTu2MSy0HufmhTUt7hwRp3 +6eSltT6Vf/TqBVQlkC6uyn1K9I+iS3C1F6Umj+2tZA3i7cam08glACwfD4RmW7SCISoCfP +X7IZ9yPT5Y78yFQCZWKkOF3lxyMP9zwVy4u2r6uWfxVOFIQKyGgFzhwNKVSDciOo64X+op +OyenZSep/oRHSLwPCsJW7A0CVqj/Tq9Q+c6x4eyuWMeaeV6UzD+rsVdedEacmq/icYEOSP +Cu2rjHx7ts0GZQT9DSvc5CZB/xnWeQrYvLoXgbcAPEbZR+QJktwCMkofdDPb9i3XD4KYqZ +FrTPRxg3gbqoomcc5CoicHkvs4mV3wAAAAMBAAEAAAGBAIkJ0zZ38QyXdvsSWS0/gJ8ptf +qNXEM5TBCc16i++zzQXrkoszqf+Xi3O7MQhv055LL2hky2bhAqjfzH0SzmMSVzdo6sgNnR +rwyaoF3RVkrE6u7cRXvDJW7ePD2Ad5k9h3v+LyhTok/BAGi2uZxy2juGSUYbEqIxoYgLAh +aH6f1v8NzHgcxN6BYNYH0yBNySEalPA+r29Fslomr/NrOmYIJ5tCzh5pPItt1ax18BInzV +O2mPa9x8wLpL/AEx/xhrx/EiV39IxfTFFLaR6VeaiwaIDoPtB3Du1erRdE4b5VJLqG1mjY +ldo6YYZsTjZOMr1tDhn+OazAI/GGrxVGz3V5TbaNphwIiQvIqNfek7hjf1ofh1qI8sXGAY +CnPTlaZreKc7ocZrh5vP2k8n3pRaBlKKM6WJfOtXu0pbQPiyaoP6mJzNLJiHc5bCo8f4YU +X27fWwis3MK1zP4U1TO0ffvLDiACl4y1knWXyVtuIt9TlNyPMPN/Kq7Fa1hpztIDO6EQAA +AMBMSQUY1lGXoW3q5sTdYpXFkgzRPQvUEIpsCq4zlUpv05oY5HsGDSLIxY4QpQdmyMULk5 +Hx3eWHSx+N/gq8DWB+MltD3SZ2nurAlugvZc0F10Bs7ttvY7Jd/0t/C3lJAFW5fLnNkPJl +Pr3oRwC07XpJjFLWzmXhEf5Vdgu/jeMst45BGxoJvD5UISM6YrlxKqNKqqZIUpfjnkyJ/I 
+vYStMiJCQUDdlwxyH2vtmYnMDAdGjIUFG+UAGn/rx9P3plpOAAAADBAOUjx+MhMHNvo7PO +BTGO2sDwP/+0S2AxHHtmjBbyBFnsyR4cYSParG7ruUjpnXUL7ylUA9FEwNdVx7mPnz1+UF +fpTl3AAPOhB3DEN4nA38BRJLRDrhisXL256LvwJNagc44/O4REZ/e4c4EYAOz+PUcefzd0 +Bk4Pjk5S5NwgvWer3rEj8hXwDWqQAB4S6pxga6MhDAZhSerhByTrLL/CUWbrIUNony+rw9 +zIFKrGiG150pFAq2W6Mr3LedoNSxMqCwAAAMEA0FGEUW1zIBp3G159Aqligwgcn9BCmKoe +v3c3tERoHrpJJMA+2vTi3HzNhBkxeOyCV6pYYDqfSUl1Z0BQNyci/bZ4oE5LbxPP+PrEoB +2B2KmTRTANiGZbkha9VOKepF9C+d+DyWJgm0qeZMoVBOUinLtzwCFwOPUhsZw7J2R2oG8p +Yr986VX78EqAimLO3DLncZiwQe8xWUGP6VBRJbxeReuoz/2/J1Cy6oyg7Mls9XQEg/CrtC +pOg45eun9Gibv9AAAAHm1pdGNoZWxsZWhlbmtlQEZDT0gySi1ZSlI5VEpQMgECAwQ= +-----END OPENSSH PRIVATE KEY-----
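Review bot: This hunk commits a complete OpenSSH private key as `test.key` at the repository root, and the trailing comment field of the key appears to encode a user@host identifier rather than a synthetic fixture name, so it may be a real developer key rather than a generated dummy. Once pushed, the key remains retrievable from history even after a follow-up removal, so it should be treated as compromised and revoked wherever it was authorized, regardless of whether this commit is a deliberate probe of the new secret_detection job. If a fixture is needed to exercise the scanner, generate a throwaway key inside the job (e.g. `ssh-keygen -t ed25519 -N '' -f "$CI_PROJECT_DIR/test.key"`) or keep a clearly labelled dummy under a test directory. Note also that the ranged scan configured in the .gitlab-ci.yml hunk only covers commits since the target branch, so once this file is merged later runs will no longer report it.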