
Resolve "Explain This Vulnerability - Secret Detection Pre-Flight Check"

What does this MR do and why?

This MR implements a very rudimentary safety check on the AI prompt to actively exclude sending the code snippet to the AI in the prompt if we detect certain potentially sensitive keywords. This is not intended to be a robust or long-term solution and is only intended to mitigate this risk in the short term while better solutions are implemented.

Given the extremely rudimentary nature of this approach, the implementation is highly aggressive with its filtering, opting for a higher false-positive rate than letting undesired things slip through.

How to set up and validate locally

This is likely to be an immensely painful MR to locally validate by nature of the class's tight binding with the vulnerability class. The easiest way would be to use a project like gitlab.com/gitlab-org/govern/demos/sandbox/minac/static-security-reports to generate static vulnerability records in a pipeline, then merge them to your repository default branch so that Vulnerability records are generated.

From there, modify the static records to include text/code that matches any of the following patterns:

          /secret/,
          /key/,
          /ENV/,
          /[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}/, # a UUID
          /token/,
          /'Bearer\s[\d|a-f]{8}-([\d|a-f]{4}-){3}[\d|a-f]{12}'/,
          /password/,
          /encrypted/,
          /encryption/,
          /email/,
          /authorisation/,
          /session/

Finally, you can engage the template generation class like this from the rails console:

          puts ::Gitlab::Llm::Templates::ExplainVulnerability.new(Vulnerability.last).to_prompt

There should not be a code snippet in the prompt if any of these regexes match.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #413112 (closed)

Edited by Gregory Havenga
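
The pre-flight check described in this MR, sketched as an added example (not the MR's own code): the patterns are the ones listed in the description, while the helper names, prompt wording and sample snippets are assumptions constructed for illustration. It shows the deliberate false positives and that the patterns, as written, are case-sensitive.

```ruby
# Patterns copied verbatim from the MR description.
SENSITIVE_PATTERNS = [
  /secret/,
  /key/,
  /ENV/,
  /[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}/, # a UUID
  /token/,
  /'Bearer\s[\d|a-f]{8}-([\d|a-f]{4}-){3}[\d|a-f]{12}'/,
  /password/,
  /encrypted/,
  /encryption/,
  /email/,
  /authorisation/,
  /session/
].freeze

# Hypothetical helper: returns every pattern that fires on the snippet.
def matched_patterns(snippet)
  SENSITIVE_PATTERNS.select { |re| re.match?(snippet) }
end

# Hypothetical prompt builder: the snippet is appended only when no
# pattern matches; otherwise the prompt is sent without any code.
def build_prompt(title, snippet)
  prompt = "Explain the vulnerability: #{title}"
  return prompt unless matched_patterns(snippet).empty?

  "#{prompt}\nVulnerable code:\n#{snippet}"
end

# Constructed sample snippets (not taken from the MR).
SAMPLES = {
  clean: 'query = "SELECT * FROM users WHERE id = " + params[:id]',
  false_positive: 'monkeys.each { |m| m.feed }', # "key" inside "monkeys"
  uuid: 'id = "123e4567-e89b-12d3-a456-426614174000"',
  case_miss: 'PASSWORD = "hunter2"' # /password/ has no i flag, so no match
}.freeze

SAMPLES.each do |name, code|
  hits = matched_patterns(code).map(&:source)
  status = hits.empty? ? 'snippet sent' : 'snippet withheld: ' + hits.join(', ')
  puts "#{name}: #{status}"
end
```

A test suite for the real class would want both directions covered: harmless code that is withheld anyway, and the uppercase case that passes the patterns as listed.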
