# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/secret_detection
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-variables
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables

variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  SECRETS_ANALYZER_VERSION: "3"
  SECRET_DETECTION_EXCLUDED_PATHS: ""

.secret-analyzer:
  stage: test
  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
  services: []
  allow_failure: true
  variables:
    GIT_DEPTH: "50"
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  script:
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
    - |
      # we don't need the whole history when excluding in the next `git fetch` line,
      # so git depth=1
      git fetch origin --depth=1 $CI_DEFAULT_BRANCH
      # shallow clone $CI_COMMIT_REF_NAME to get commits associated with MR or push
      git fetch --shallow-exclude=${CI_DEFAULT_BRANCH} origin $CI_COMMIT_REF_NAME
      # determine what commits we need to scan using "git log A..B"
      git log --no-merges --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt

      # we need to extend the git fetch depth to the number of commits + 2 for the following reasons:
      # because busybox wc only counts \n and there is no trailing \n (+1)
      # include the parent commit of the base commit in this MR/Push event. This is needed because
      # `git diff -p` needs something to compare changes in that commit against (+1)
      git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 2)) origin $CI_COMMIT_REF_NAME

      # +1 because busybox wc only counts \n and there is no trailing \n
      echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
      export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
    - /analyzer run
    - rm "$CI_COMMIT_SHA"_commit_list.txt