Check commits for bypass special commit flag in secrets push check
What does this MR do and why?
This merge request updates the secrets push check introduced over a number of earlier merge requests:
- !135032 (merged)
- !135036 (merged)
- !135164 (merged)
- !135273 (merged)
- !136896 (merged)
- !137812 (merged)
- !138790 (merged)
to perform secret detection scans on git blobs using the gitlab-secret_detection gem introduced in !136381 (merged).
In this merge request, the secrets check is updated to skip scanning if any commit in the push has the special bypass flag `[skip secret detection]` in its commit message. Additionally, whenever a secret is detected, the check now displays a message with instructions on how to bypass it using this special commit flag.
Note: the merge request is part of a list of related merge requests, which were created iteratively to ensure ease of review and focused scope. Therefore, it shouldn't be reviewed in isolation from the rest of those merge requests.
Resolves #427042 (closed), and built on top of !136896 (merged), !136381 (merged), !137812 (merged), and !138790 (merged).
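The following is an added example, not GitLab's own code: a simplified model of the push check's decision logic as described above (bypass flag checked across all commits of the push, blobs scanned only when no bypass is requested, and a block message that names the file, line and commit and explains the bypass). The gem's scanner is replaced by a constructed regex for the `glpat-` token format, and all names are hypothetical.

```ruby
# Simplified model of the pre-receive secrets push check (added example,
# not GitLab's implementation). The scanner is a constructed regex, not
# the gitlab-secret_detection gem.
BYPASS_FLAG = '[skip secret detection]'.freeze
# Constructed pattern: the glpat- prefix followed by 20 token characters.
PAT_PATTERN = /glpat-[A-Za-z0-9_-]{20}/

Commit = Struct.new(:sha, :message, :blobs) # blobs: { "path" => "content" }
Finding = Struct.new(:sha, :path, :line)

# True when any commit in the push carries the special bypass flag.
def bypass_requested?(commits)
  commits.any? { |c| c.message.include?(BYPASS_FLAG) }
end

# Scan every new blob of every commit; returns findings (empty when clean).
def scan_commits(commits)
  commits.flat_map do |c|
    c.blobs.flat_map do |path, content|
      content.each_line.with_index(1).filter_map do |text, line_no|
        Finding.new(c.sha, path, line_no) if text.match?(PAT_PATTERN)
      end
    end
  end
end

# Returns [allowed?, message]. The push is refused only when secrets are
# found AND no commit asked for the bypass; the refusal message carries
# the bypass instructions this MR adds.
def secrets_push_check(commits)
  if bypass_requested?(commits)
    # Defender note: a bypass is worth recording so its use can be audited.
    return [true, "secret detection skipped: #{BYPASS_FLAG} present in a commit message"]
  end
  findings = scan_commits(commits)
  return [true, 'no secrets detected'] if findings.empty?

  details = findings.map { |f| "  #{f.path}:#{f.line} in commit #{f.sha}" }
  msg = ['PUSH BLOCKED: secrets detected', *details,
         "To skip secret detection, add #{BYPASS_FLAG} to the commit message and push again."]
  [false, msg.join("\n")]
end
```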
Related Merge Requests
Step | Merge Request | Description |
---|---|---|
5 | !136896 (merged) | Updates the check to list and filter blobs of new git-push operations. |
6 | !137812 (merged) | Invokes gitlab-secret_detection gem to scan blobs filtered. |
7 | !138790 (merged) | Updates the check to add details of secrets detected (e.g. file path/commit sha). |
8 | This one. | Updates the check to introduce a bypass mechanism via commit special flag. |
Screenshots or screen recordings
Before | After |
---|---|
How to set up and validate locally
- Create a new project or use an existing one.
- In your `rails` console, execute the following commands:
```
pry(main)> Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: true) # to ensure feature is enabled instance-wide
pry(main)> project = Project.find(PROJECT_ID)
pry(main)> Feature.enable(:pre_receive_secret_detection_push_check, project)
```
- Ensure your GDK is licensed as `ultimate`.
- In your terminal, navigate to the project folder.
- Create a new file, e.g. `.env`, and add a GitLab personal access token:
```
TOKEN=glpat-JUST20LETTERSANDNUMB
```
- Run `git add .` and `git commit -m 'test'` to commit the file.
- Run `git push` to push the committed file.
- Verify the push fails due to the secret detected.
- Go back and amend the commit message with `git commit --amend`.
- Then in the editor, update the commit message to include the special bypass flag `[skip secret detection]`:
```
test [skip secret detection]
```
- Try to push the changes again and verify that the push succeeds and is not blocked.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- [ ] I have evaluated the MR acceptance checklist for this MR.