Closed
25 changes: 25 additions & 0 deletions .gitlab-ci.yml
Expand Up @@ -484,6 +484,31 @@ stop-review-app:
include:
- template: Jobs/SAST.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml

secret_detection:
allow_failure: false
variables:
SECRET_DETECTION_LOG_OPTIONS: origin/${CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME}..HEAD
SECRET_DETECTION_REPORT_FILE: "gl-secret-detection-report.json"
rules:
- if: $SECRET_DETECTION_DISABLED
when: never
- if: '$CI_COMMIT_BRANCH || $CI_COMMIT_TAG'
before_script:
- apk add --no-cache jq
script:
- /analyzer run
# check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
- |
if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
exit 80
fi
else
echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
fi

.container_scan_template:
interruptible: true
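Review bot: The report check in the `script:` block fails open: when `$SECRET_DETECTION_REPORT_FILE` is missing, the `else` branch only echoes and the job exits 0, and when `jq` cannot parse the file the `-gt` test gets an empty operand and would be treated as false, so a job marked `allow_failure: false` still passes in both cases. Treat both as failures, for example `if ! jq -e '.vulnerabilities | length == 0' "$SECRET_DETECTION_REPORT_FILE" >/dev/null; then` in front of the existing `exit 80`, and an `exit 1` after the "does not exist" message. Separately, `SECRET_DETECTION_LOG_OPTIONS` is built from `CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME`, which is only set in external pull request pipelines, while `rules:` also starts the job for plain branch and tag pipelines. There the range presumably collapses to `origin/..HEAD`, so either restrict the rule to pipelines where the variable is set or fall back to a full scan.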
1 change: 1 addition & 0 deletions config/application.yml.default
Expand Up @@ -478,6 +478,7 @@ production:
second_mfa_reminder_enabled: false
secret_key_base:
seed_agreements_data: false
innocent_key: false
session_encryption_key:
skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:dev", "urn:gov:gsa:SAML:2.0.profiles:sp:sso:int"]'
state_tracking_enabled: false
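Review bot: `innocent_key: false` is added under the `production:` section (per the hunk header) with no comment and no consumer visible in this change, and its name reads like a placeholder used to exercise the new secret-detection job rather than a real setting. If it is a scanner test, keep it out of the shipped defaults. If it is a real flag, give it a descriptive name and a comment such as `# <what the flag toggles>`, and add it to the other environment sections if they exist outside this hunk.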
38 changes: 38 additions & 0 deletions test.key
@@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----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=
-----END OPENSSH PRIVATE KEY-----
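Review bot: This adds an OpenSSH private key as `test.key` at the repository root; once pushed, the key material stays in the branch history even if the file is later deleted, so the key should be treated as disclosed. If it exists only to trigger the `secret_detection` job added in `.gitlab-ci.yml`, use a throwaway key that is authorised nowhere and drop the commit before merge rather than merging the fixture. If it was ever a real credential, revoke and replace it. Nothing in the change documents which of the two it is.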