Skip to content

fix: Secret Detection findings should require manual resolution

What does this MR do and why?

We introduced a regression sometime since 14.x where Category:Secret Detection findings no longer require manual-resolution, but are treated the same as other vulnerability types. This doesn't make sense since a leaked secret cannot be "unleaked", so we treat them the same as generic vulnerabilities and exclude them from the logic.

One other report type also acts like this: manually created vulns, so this implementation ties SD vulns to those generic ones.

See original implementation #223248 (closed)

Fixes #431712 (closed)

How to set up and validate locally

  1. Import https://gitlab.com/theoretick/secrets-secrets-secrets-secrets
    1. OR add a secret to a repo with Category:Secret Detection enabled
    2. Push secret; i.e. const gitlab_key = "glpat-12312312312312312312"
  2. Wait for pipeline to complete
  3. Check Vulnerability Dashboard for presence of secret
  4. Remove secret
  5. Push removal
  6. Wait for pipeline to complete
  7. Check Vulnerability Dashboard to ensure secret is not resolved (indicated by no longer detected badge missing).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lucas Charles

Merge request reports

Loading