Skip to content

Secret detection vulnerabilities not auto set to "No longer detected"

Bruno Freitas requested to merge secret-detection-vulns-not-auto-dismissed into master

What does this MR do?

This MR adds some explanation on why secret detection vulnerabilities are not automatically set to "No longer detected", when secrets are eliminated from the scanned files. This came up in a ticket and in the follow-up.

@connorgilbert explained it beautifully in an internal thread:

We don’t mark Secret Detection results as “no longer detected”, because they can’t be fixed by simply changing the default branch. (This is different from the other vuln types—if you update your code to not be vulnerable to a SAST problem, it’s now fixed; same for a vulnerable dependency that you update.) Secrets are once-leaked, always-leaked. So the intended action is to review the report, then do whatever you need to do to remediate the leak (which is usually to rotate the credential that was leaked).

My intention is to clarify this in the docs as well.

Related issues

#431712 (comment 1681043497)

Author's checklist

If you are a GitLab team member and only adding documentation, do not add any of the following labels:

  • ~"frontend"
  • ~"backend"
  • ~"type::bug"
  • ~"database"

These labels cause the MR to be added to code verification QA issues.

Reviewer's checklist

Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on Documentation Guidelines and the Style Guide.

If you aren't sure which tech writer to ask, use roulette or ask in the #docs Slack channel.

  • If the content requires it, ensure the information is reviewed by a subject matter expert.
  • Technical writer review items:
    • Ensure docs metadata is present and up-to-date.
    • Ensure the appropriate labels are added to this MR.
    • Ensure a release milestone is set.
    • If relevant to this MR, ensure content topic type principles are in use, including:
      • The headings should be something you'd do a Google search for. Instead of Default behavior, say something like Default behavior when you close an issue.
      • The headings (other than the page title) should be active. Instead of Configuring GDK, say something like Configure GDK.
      • Any task steps should be written as a numbered list.
      • If the content still needs to be edited for topic types, you can create a follow-up issue with the docs-technical-debt label.
  • Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review.

Merge request reports

Loading