Update Gitleaks to v6.1.2 and add SECRET_DETECTION_COMMITS
Summary
An issue was raised on the gitleaks GitHub page regarding the `commit-to` and `commit-from` options. Using these two options can lead to unintended commits being scanned and, in the worst case, the entire repository's history. A quick fix was put in to make scanning a range of commits deterministic by adding the options `commits=<list of commits>` and `commits-file=<file containing a list of commits>`. Instead of having gitleaks' git library (go-git) decide which commits to scan via `git log`, gitleaks scans ONLY the commits specified in `commits-file` and `commits`.
We need to update gitleaks to the most recent version, v6.1.2, and add a `SECRET_DETECTION_COMMITS` variable to the secrets analyzer so that gitleaks can accept an explicit list of commits.
Implementation
- Update Gitleaks to v6.1.2 in the Secrets analyzer
- Add `SECRET_DETECTION_COMMITS` so the analyzer can pass an explicit list of commits to scan
- Add a downstream test for scanning a range of commits
- Update the `Secret-Detection.gitlab-ci.yml` template to use `SECRET_DETECTION_COMMITS` instead of `SECRET_DETECTION_COMMIT_FROM`/`SECRET_DETECTION_COMMIT_TO`
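As an added example (not code from the secrets analyzer, the CI template, or gitleaks), here is a POSIX shell sketch of what a job script built around `SECRET_DETECTION_COMMITS` does: derive the explicit commit list from the pipeline's own bounds, validate it, and hand it to gitleaks through `--commits-file`, so go-git's `git log` traversal never gets to choose the range. The helper function names, the use of `CI_COMMIT_BEFORE_SHA`/`CI_COMMIT_SHA` as the bounds, and the `--repo-path`/`--report` flag names are assumptions made for this example; `--commits` and `--commits-file` are the gitleaks options described above.

```shell
#!/bin/sh
# Added example, not code from the secrets analyzer or from gitleaks.
# Assumes gitleaks v6.1.2 with --commits / --commits-file (as described in this
# issue); --repo-path and --report are assumed flag names for this sketch.

# Normalise a comma/space/newline separated list of SHAs to one full SHA per line.
# Anything that is not a 40-hex commit id is dropped, as is any duplicate, so a
# malformed or repeated entry can never silently widen what gets scanned.
normalize_commits() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t\r' \
    | grep -E '^[0-9a-f]{40}$' | awk '!seen[$0]++'
}

# Number of distinct, well-formed commits in the list.
count_commits() {
  normalize_commits "$1" | grep -c .
}

# Comma-separated form, the shape SECRET_DETECTION_COMMITS / --commits take.
commits_csv() {
  normalize_commits "$1" | awk '{ l = l (NR > 1 ? "," : "") $0 } END { print l }'
}

# Commits this pipeline is actually about. GitLab sets CI_COMMIT_BEFORE_SHA to
# all zeros on the first push of a branch, in which case only CI_COMMIT_SHA exists.
pipeline_commits() {
  zero=0000000000000000000000000000000000000000
  if [ -z "${CI_COMMIT_BEFORE_SHA:-}" ] || [ "$CI_COMMIT_BEFORE_SHA" = "$zero" ]; then
    printf '%s\n' "$CI_COMMIT_SHA"
  else
    git rev-list "$CI_COMMIT_BEFORE_SHA..$CI_COMMIT_SHA"
  fi
}

# Write the list to a commits-file and scan exactly those commits, nothing else.
# Refuses to run with an empty list rather than falling back to a history walk.
run_gitleaks() {
  commits=${1:-$(pipeline_commits)}
  repo=${2:-.}
  commits_file=${3:-gitleaks-commits.txt}
  if [ "$(count_commits "$commits")" -eq 0 ]; then
    echo "no well-formed commits to scan; refusing to fall back to a history walk" >&2
    return 1
  fi
  normalize_commits "$commits" > "$commits_file"
  gitleaks --repo-path="$repo" --commits-file="$commits_file" \
           --report=gl-secret-detection-report.json
}

# In the CI job script (assumed usage):
#   SECRET_DETECTION_COMMITS="$(commits_csv "$(pipeline_commits)")"
#   run_gitleaks "$SECRET_DETECTION_COMMITS"
```

The validation step is the point of the whole change: with `--commit-from`/`--commit-to` a bad or missing bound turns into a history walk, whereas here a bad entry is dropped and an empty list fails the job instead of widening the scan.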
Alternative Approach:
Disable the default `secret-detection` scan (which uses the problematic `SECRET_DETECTION_COMMIT_FROM`/`SECRET_DETECTION_COMMIT_TO` options) and use `secret_detection_default_branch` to match the same triggers as `secret-sast`. This would give us a little more breathing room and allow us to scope this issue for a future release.