debian-mirror-gitlab/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/secret_detection
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-variables
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables

variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  SECRETS_ANALYZER_VERSION: "3"
  SECRET_DETECTION_EXCLUDED_PATHS: ""

.secret-analyzer:
  stage: test
  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
  services: []
  allow_failure: true
  variables:
    GIT_DEPTH: "50"
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  script:
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
    - |
      # we don't need the whole history when excluding in the next `git fetch` line,
      # so git depth=1
      git fetch origin --depth=1 $CI_DEFAULT_BRANCH
      # shallow clone $CI_COMMIT_REF_NAME to get commits associated with MR or push
      git fetch --shallow-exclude=${CI_DEFAULT_BRANCH} origin $CI_COMMIT_REF_NAME
      # determine what commits we need to scan using "git log A..B"
      git log --no-merges --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt

      # we need to extend the git fetch depth to the number of commits + 2 for the following reasons:
      # because busybox wc only counts \n and there is no trailing \n (+1)
      # include the parent commit of the base commit in this MR/Push event. This is needed because
      # `git diff -p` needs something to compare changes in that commit against (+1)
      git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 2)) origin $CI_COMMIT_REF_NAME

      # +1 because busybox wc only counts \n and there is no trailing \n
      echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
      export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
    - /analyzer run
    - rm "$CI_COMMIT_SHA"_commit_list.txt
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/secret_detection`
			`#`
			`# Configure the scanning tool through the environment variables.`
			`# List of the variables: https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-variables`
			`# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables`

			`variables:`
			`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
			`SECRETS_ANALYZER_VERSION: "3"`
			`SECRET_DETECTION_EXCLUDED_PATHS: ""`

			`.secret-analyzer:`
			`stage: test`
			`image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"`
			`services: []`
			`allow_failure: true`
New upstream version 14.7.4+ds1 2022-03-02 08:16:31 +05:30			`variables:`
			`GIT_DEPTH: "50"`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			# `rules` must be overridden explicitly by each child job
			`# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444`
			`artifacts:`
			`reports:`
			`secret_detection: gl-secret-detection-report.json`

			`secret_detection:`
			`extends: .secret-analyzer`
			`rules:`
			`- if: $SECRET_DETECTION_DISABLED`
			`when: never`
			`- if: $CI_COMMIT_BRANCH`
			`script:`
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`- if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi`
			`- if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi`
New upstream version 14.7.4+ds1 2022-03-02 08:16:31 +05:30			`- \|`
New upstream version 14.8.5+ds1 2022-04-04 11:22:00 +05:30			# we don't need the whole history when excluding in the next `git fetch` line,
			`# so git depth=1`
			`git fetch origin --depth=1 $CI_DEFAULT_BRANCH`
			`# shallow clone $CI_COMMIT_REF_NAME to get commits associated with MR or push`
			`git fetch --shallow-exclude=${CI_DEFAULT_BRANCH} origin $CI_COMMIT_REF_NAME`
			`# determine what commits we need to scan using "git log A..B"`
			`git log --no-merges --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt`

			`# we need to extend the git fetch depth to the number of commits + 2 for the following reasons:`
			`# because busybox wc only counts \n and there is no trailing \n (+1)`
			`# include the parent commit of the base commit in this MR/Push event. This is needed because`
			# `git diff -p` needs something to compare changes in that commit against (+1)
			`git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 2)) origin $CI_COMMIT_REF_NAME`

			`# +1 because busybox wc only counts \n and there is no trailing \n`
			`echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"`
			`export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`- /analyzer run`
			`- rm "$CI_COMMIT_SHA"_commit_list.txt`