Skip to content

Show secret detected warning for Explain Vulnerability

Daniel Tian requested to merge 417079-show-secret-detected-warning into master

What does this MR do and why?

This MR adds a warning to the Explain Vulnerability panel if a potential secret was detected in the vulnerable source code:

ksnip_20230809-001908

If no secret is detected, the warning is not shown. If a secret is detected, the Send code with prompt checkbox will be unchecked by default. The code link jumps up to location header that shows the file and vulnerable source code.

Peek_2023-08-09_00-27

How to set up and validate locally

  1. Clone this project: https://gitlab.com/gitlab-org/security-products/tests/webgoat.net
  2. Run a pipeline against the default branch.
  3. Go to the vulnerability report. The first few results should all be SCS0002 vulnerabilities. Open up the first 5 or so in new tabs. At least some of them will trigger the secrets check.
  4. Verify that if the source code has the word "password" in it, the warning is shown, and that if the source code doesn't have any sensitive words, the warning is not shown.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #417079 (closed)

Edited by Daniel Tian

Merge request reports

Loading