LG-11122 add gitlab secret scanning#9296
Merged
soniaconnolly merged 4 commits into main on Oct 4, 2023
changelog: Internal, Continuous Integration, Add secret scanning job
zachmargolis approved these changes on Oct 2, 2023
```shell
if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
  if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
    echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
    exit 80
```
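Review bot: as far as this excerpt shows, the outer `if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then` has no else branch, so a missing report (the secret-detection job did not run, or its artifact was not downloaded) lets the pipeline pass silently; consider failing with its own message in that case, since a pass that never looked at a report is the outcome this job exists to prevent. Minor: `$SECRET_DETECTION_REPORT_FILE` is quoted in the `-f` test but unquoted in the `jq` invocation; quote it there too, as `jq ".vulnerabilities | length" "$SECRET_DETECTION_REPORT_FILE"`.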
Contributor commented:
Q: is the 80 relevant or can it be any non-zero exit code?
Contributor (Author) replied:
I don't know, @mitchellhenke did this part.
Contributor (Author) replied:
This was actually copied from this forum post. As far as I can tell, GitLab fails on any non-zero exit code, like you said. Would you like me to change it, or add a comment?
🎫 Ticket
LG-11122
🛠 Summary of changes
We want to be clearly notified if sensitive information is accidentally pushed to a GitHub branch. This enables Secret Detection in GitLab and will fail the build if the branch contains a secret. PR #9273 has these same commits with a demo "secret".

Note that this is not foolproof because it won't necessarily scan all commits in a newly pushed branch. And we still need to take mitigation measures if a secret is pushed up to GitHub, even briefly.
The detected secrets don't show up in the GitLab Security tab, possibly because the job fails, since they did show up when the job succeeds but detects a secret (from @mitchellhenke's original PR implementing this).
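The report check quoted in the review thread, written out as a stand-alone script that a CI job can run as `python3 check_secret_report.py "$SECRET_DETECTION_REPORT_FILE"`. It settles the exit-code question from the thread (any non-zero code fails the GitLab job; 80 is kept only to match the PR) and closes one gap a practitioner would want closed: a missing or malformed report is itself a failure, not a silent pass, and findings are logged by rule, file and line without echoing the matched secret into the CI log. This is an added example, not code from this PR or from the project. The report layout assumed here (a top-level `vulnerabilities` array whose entries carry `name` and `location.file` / `location.start_line`) follows GitLab's secret detection report format; the exit code 81 and the two sample reports are constructed for illustration.

```python
"""Fail a GitLab CI pipeline when the Secret Detection report has findings.

Added example, not code from the PR or the project. Assumed: the input is
GitLab's gl-secret-detection-report.json (top-level "vulnerabilities" array,
entries with "name" and "location.file" / "location.start_line"). Exit code 81
for a missing or unreadable report is an arbitrary choice made here.
"""
import json
import os
import sys

EXIT_OK = 0
EXIT_SECRETS_FOUND = 80   # kept from the PR; GitLab fails the job on any non-zero code
EXIT_NO_REPORT = 81       # assumption: a missing report is a failure, not a silent pass


def summarize_findings(report):
    """One line per finding: rule name, file and line.

    The matched secret value is deliberately never printed, so it is not
    copied from the repository into the CI job log.
    """
    lines = []
    for finding in report.get("vulnerabilities", []):
        loc = finding.get("location", {})
        lines.append(
            f"{finding.get('name', 'unknown rule')} in "
            f"{loc.get('file', '?')}:{loc.get('start_line', '?')}"
        )
    return lines


def evaluate_report(text):
    """Return (exit_code, messages) for the JSON text of a report."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        return EXIT_NO_REPORT, [f"report is not valid JSON: {exc}"]
    if not isinstance(report, dict) or not isinstance(report.get("vulnerabilities"), list):
        return EXIT_NO_REPORT, ["report has no 'vulnerabilities' array"]
    findings = summarize_findings(report)
    if findings:
        return EXIT_SECRETS_FOUND, findings
    return EXIT_OK, []


def check_report_file(path):
    """Like evaluate_report, but reading from disk; a missing file fails."""
    if not os.path.isfile(path):
        return EXIT_NO_REPORT, [
            f"no report at {path}; did the 'secret-detection' job run and upload its artifact?"
        ]
    with open(path, encoding="utf-8") as handle:
        return evaluate_report(handle.read())


# Constructed sample reports (not real scanner output) used to exercise the checker.
CLEAN_REPORT = json.dumps({"version": "15.0.4", "vulnerabilities": []})
DIRTY_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"name": "AWS Access Token", "severity": "Critical",
         "location": {"file": "config/application.yml", "start_line": 12}},
        {"name": "Generic API Key", "severity": "Critical",
         "location": {"file": "lib/client.rb", "start_line": 4}},
    ],
})


def main(argv):
    path = argv[1] if len(argv) > 1 else os.environ.get(
        "SECRET_DETECTION_REPORT_FILE", "gl-secret-detection-report.json")
    code, messages = check_report_file(path)
    for message in messages:
        print(message, file=sys.stderr)
    if code == EXIT_SECRETS_FOUND:
        print(f"Vulnerabilities detected. Please analyze the artifact {path} "
              "produced by the 'secret-detection' job.", file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against `DIRTY_REPORT` yields exit code 80 and two lines naming the rule and location of each finding; a clean report exits 0; a path that does not exist, or a file that is not the expected JSON shape, exits 81 so the pipeline stops instead of reporting success it never verified.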