Add push option to skip pre-receive secret detection scanning
What does this MR do and why?
Issue: #435315 (closed)
In some cases it may be necessary to skip pre-receive secret detection. For example, a developer may need to commit a placeholder secret for testing, or a user may want to bypass secret detection because of a Git operation timeout. In the experimental MVC phase of the pre-receive secret detection feature, we introduced a special commit flag (`[skip secret detection]`) that skips scanning for an entire push if the flag is present in the commit message of any of the commits pushed. This design has a few limitations; see the issue discussion for more information.

To resolve these issues, this MR adds a push option (`secret_detection.skip_all`) that skips pre-receive secret detection for the entire push. It builds on the work recently introduced by gitaly!6854 (merged), which propagates push options to the pre-receive/allowed check; previously, push options were only available in Rails on the post-receive step.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- In the Rails console:

  ```
  pry(main)> Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: true) # to ensure the feature is enabled instance-wide
  pry(main)> project = Project.find(PROJECT_ID)
  pry(main)> Feature.enable(:pre_receive_secret_detection_push_check, project)
  ```

- Check out `gitlab` master. Make a new local branch in the `PROJECT_ID` project. Create a new file (`test.txt`) that includes a fake secret. Some examples: `glpat-12312312312312312312`, `glrt-12312312312312312312`, `glft-12312312312312312312`.
- `git add test.txt`, commit it, and attempt to push. The push will be blocked, and you will see a secret detection error message.
- Check out this branch (`secrets_check_bypass_push_option`). Attempt to push again, but include the push option, like this: `git push -o secret_detection.skip_all`
- The push will succeed, meaning that the fake secret will now be in your project `PROJECT_ID`.
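To make the two bypass mechanisms described above concrete (the earlier `[skip secret detection]` commit flag and this MR's `secret_detection.skip_all` push option), and to mirror the validation steps with `test.txt`, here is an added, self-contained Ruby model of a pre-receive secrets check. It is not GitLab's code: `PushOptionsParser`, `SecretsCheckExample` and the token regex are invented for illustration (GitLab's real push-option parsing and detection rules are richer), and the sample blob is constructed from the fake tokens used in the steps.

```ruby
# Added example: a simplified model of a pre-receive secrets check that honours a
# push option. NOT GitLab's implementation; class/method names are invented and
# the token regex is a constructed stand-in for GitLab's real detection rules.

# Parses raw `git push -o` values into a nested hash, modelled on the
# `namespace.key[=value]` syntax used by GitLab push options (assumption).
module PushOptionsParser
  # "secret_detection.skip_all" => { "secret_detection" => { "skip_all" => true } }
  # "ci.variable=FOO=bar"       => { "ci" => { "variable" => "FOO=bar" } }
  def self.parse(raw_options)
    raw_options.each_with_object({}) do |opt, acc|
      key, value = opt.split("=", 2)
      namespace, name = key.split(".", 2)
      next if name.nil? || name.empty? # ignore malformed options such as "junk"

      acc[namespace] ||= {}
      acc[namespace][name] = value.nil? ? true : value
    end
  end
end

class SecretsCheckExample
  SKIP_OPTION = %w[secret_detection skip_all].freeze
  LEGACY_COMMIT_FLAG = "[skip secret detection]".freeze

  # Constructed pattern covering the fake tokens from the validation steps
  # (glpat-/glrt-/glft- followed by 20 token characters). Real rules differ.
  TOKEN_PATTERN = /\bgl(?:pat|rt|ft)-[A-Za-z0-9_-]{20}\b/

  Finding = Struct.new(:path, :line, :match)

  # blobs: { "path" => "file contents" }; commit_messages: array of strings;
  # push_options: raw strings exactly as passed to `git push -o`.
  def initialize(blobs:, commit_messages: [], push_options: [])
    @blobs = blobs
    @commit_messages = commit_messages
    @push_options = PushOptionsParser.parse(push_options)
  end

  # Mechanism added by this MR: an explicit, per-push opt-out.
  def skip_via_push_option?
    @push_options.dig(*SKIP_OPTION) == true
  end

  # Earlier MVC mechanism: the flag in ANY pushed commit's message disables
  # scanning for the whole push, one of the limitations the MR description notes.
  def skip_via_legacy_flag?
    @commit_messages.any? { |msg| msg.include?(LEGACY_COMMIT_FLAG) }
  end

  # Scans every blob line by line and reports each token match with its location.
  def findings
    @blobs.flat_map do |path, content|
      content.each_line.with_index(1).filter_map do |line, no|
        m = line.match(TOKEN_PATTERN)
        Finding.new(path, no, m[0]) if m
      end
    end
  end

  # Decision the pre-receive hook would act on:
  #   { status: :skipped, reason: ... }     -> scanning bypassed
  #   { status: :blocked, findings: [...] } -> push rejected
  #   { status: :allowed, findings: [] }    -> nothing found
  def run
    return { status: :skipped, reason: :push_option } if skip_via_push_option?
    return { status: :skipped, reason: :commit_flag } if skip_via_legacy_flag?

    found = findings
    found.empty? ? { status: :allowed, findings: [] } : { status: :blocked, findings: found }
  end
end

# Constructed sample push: test.txt containing two of the fake secrets.
SAMPLE_BLOBS = {
  "test.txt" => "glpat-12312312312312312312\nno secret here\nglft-12312312312312312312\n"
}.freeze

# Step 3 of the validation: plain push, no bypass -> blocked with two findings.
def example_blocked
  SecretsCheckExample.new(blobs: SAMPLE_BLOBS, commit_messages: ["add test.txt"]).run
end

# Step 4 of the validation: same push with `-o secret_detection.skip_all` -> skipped.
def example_skipped_by_option
  SecretsCheckExample.new(blobs: SAMPLE_BLOBS, commit_messages: ["add test.txt"],
                          push_options: ["secret_detection.skip_all"]).run
end

# The older commit-message flag, shown for contrast with the push option.
def example_skipped_by_legacy_flag
  SecretsCheckExample.new(blobs: SAMPLE_BLOBS,
                          commit_messages: ["add test.txt [skip secret detection]"]).run
end
```

Note that the push option is evaluated once for the whole push and is never stored in history, whereas the commit flag lives on in the commit message and is honoured for every later push that contains that commit, which is why an explicit push option is the cleaner bypass.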