PoC: Add allowlist for secret push protection
What does this MR do and why?
Related to Spike - Allowlist for Secret Push Protection (#468934 - closed)
This MR is a Proof of Concept (PoC) for an allowlist in secret push protection. It lets users declare known secrets in advance, so that developers can push changes containing them without being blocked.
Workflow:
- User needs to create a new file called .gitlab-secrets-allowlist in the root directory of the repository.
- Add potential false positive tokens, test data, or any regex pattern that needs to be ignored to that file, one per line.
- Create a branch and attempt to commit and push any of the mocked secrets.
Example allowlist file content:
# Mock data
glpat-1234567890abcdefghij
glpat-12345678901234567890
# False positives
glptt-dbf556605bcad4d9db3ec5fcef84f78f9b4fec28
# Segment tokens (Accepted risk)
sgp_.*
Result
- The allowed patterns will not block the push.
- The event will be logged along with the matched pattern.
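The matching logic described above, written out as an added example (not code from this MR or from GitLab): it parses the allowlist file format shown (one pattern per line, "#" comments), compiles each entry as an anchored regex so a literal token matches only itself while "sgp_.*" behaves as a pattern, and reports the matched pattern for the log entry without echoing the secret itself. The sample allowlist content and the detected-secret values are constructed to mirror the example in this description.

```ruby
# Constructed sample .gitlab-secrets-allowlist content (mirrors the MR example).
ALLOWLIST_CONTENT = <<~ALLOWLIST
  # Mock data
  glpat-1234567890abcdefghij
  glpat-12345678901234567890
  # False positives
  glptt-dbf556605bcad4d9db3ec5fcef84f78f9b4fec28
  # Segment tokens (Accepted risk)
  sgp_.*
ALLOWLIST

# Compile one allowlist line. Anchoring means a literal token cannot allow a
# longer secret that merely contains it as a substring.
def compile_pattern(pattern)
  Regexp.new("\\A(?:#{pattern})\\z")
rescue RegexpError
  # A malformed regex must not disable push protection: treat it as a literal.
  Regexp.new("\\A#{Regexp.escape(pattern)}\\z")
end

# Returns [pattern_text, compiled_regex] pairs; blank lines and comments are skipped.
def parse_allowlist(content)
  content.each_line.map(&:strip)
         .reject { |line| line.empty? || line.start_with?('#') }
         .map { |pattern| [pattern, compile_pattern(pattern)] }
end

# The allowlist entry that covers this secret, or nil if none does.
def allowed_pattern(secret, allowlist)
  entry = allowlist.find { |(_, regex)| regex.match?(secret) }
  entry&.first
end

# Decide the push: any detected secret without an allowlist match blocks it.
# Returns [blocked, log_entries]; log entries name the pattern, never the secret.
def evaluate_push(detected_secrets, allowlist)
  log = []
  blocked = false
  detected_secrets.each do |secret|
    pattern = allowed_pattern(secret, allowlist)
    if pattern
      log << "secret push protection: allowlisted match skipped (pattern: #{pattern})"
    else
      blocked = true
    end
  end
  [blocked, log]
end
```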
Follow-up thoughts:
- The location can be moved to .gitlab/ to align with other configuration files.
- Regex support can be added in the next iteration (added in this MR).
- The ignore path feature can be added after considering #468934 (comment 1967845407).
- Pipeline secret detection: This allowlist file can ideally be referenced by the SD by adding capabilities similar to Ability to include remote "custom ruleset" with... (#336395 - closed).
Demo / Steps to reproduce
https://gitlab.slack.com/archives/C06NY8LDMT2/p1719400211277259
Edited by Dheeraj Joshi