
(fix) SPP - Scan committed diffs instead of entire file

Serena Fang requested to merge spp-diffblobs-batched into master

What does this MR do and why?

Issue: #469161 (closed)

Do not merge until !166055 (merged) is ready to merge

Limit secret push protection scans to a set of changes (delta) instead of the entire files. This was causing pushes to be unexpectedly blocked when the file contains a secret but the secret is not part of the committed diffs.

This MR changes the scan logic to only scan newly committed content (when you do a git diff, the lines that start with + are newly added), and not the rest of the file. Uses the RPC added in gitaly@d0d6af6d and supported in !160286 (merged).

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before and after screenshots (taken 2024-07-31) are attached to the MR.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Check out master branch
  2. Enable SPP for a project
  3. Create a file, include a secret, add and commit the file
  4. Use the special commit message or push option to skip SPP scanning, pushing the secret to the repo
  5. Edit the file, write some new text that does not include a secret, add and commit the file
  6. Push the file to the repo
  7. With master checked out, the push will be blocked, because the file contains a secret
  8. Check out this branch spp-diffblobs
  9. Edit the file, write some new text that does not include a secret, add and commit the file
  10. Push the file to the repo
  11. Since the commit did not include a secret in the new diffs, the push will not be blocked by SPP
Edited by Serena Fang
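The behaviour change described in this MR (scan only the `+` lines of the committed diff rather than the whole blob) and the validation steps above can be reproduced offline with the following added example. It is illustrative Ruby written for this page, not GitLab or Gitaly code: the secret pattern, the `scan_blob`/`scan_diff` helpers and the sample file and diff are all constructed assumptions, and the pattern is a toy regex modelled only loosely on a token prefix.

```ruby
# Added example (not GitLab code): contrast scanning a whole file with
# scanning only the added ("+") lines of a unified diff, as the MR does.

# Toy detector. The pattern is a constructed assumption for this example,
# not one of the real secret push protection rules.
SECRET_PATTERNS = {
  "example_token" => /\bglpat-[A-Za-z0-9_-]{20}\b/,
}.freeze

# Return one finding per (pattern, line) match in an array of lines.
def scan_lines(lines)
  findings = []
  lines.each_with_index do |line, i|
    SECRET_PATTERNS.each do |name, re|
      findings << { type: name, line: i + 1 } if line.match?(re)
    end
  end
  findings
end

# "Before" behaviour: every line of the blob is examined, so a secret that
# was pushed earlier (e.g. with the skip option) blocks every later push.
def scan_blob(blob)
  scan_lines(blob.lines(chomp: true))
end

# Extract only added lines from a unified diff. Lines are only treated as
# content once a "@@" hunk header has been seen, so the "+++ b/file" header
# is never mistaken for an added line; "diff --git" resets for the next file.
def added_lines(diff)
  in_hunk = false
  added = []
  diff.each_line(chomp: true) do |l|
    if l.start_with?("diff --git ")
      in_hunk = false
    elsif l.start_with?("@@")
      in_hunk = true
    elsif in_hunk && l.start_with?("+")
      added << l[1..]
    end
  end
  added
end

# "After" behaviour: only newly committed content is examined.
def scan_diff(diff)
  scan_lines(added_lines(diff))
end

def push_blocked?(findings)
  !findings.empty?
end

# Constructed sample: the file already holds a token (committed earlier),
# and the new commit appends an unrelated line, mirroring steps 3-11 above.
SAMPLE_BLOB = <<~FILE
  # config
  token = glpat-abcdefghijklmnopqrst
  name = demo
FILE

SAMPLE_DIFF = <<~DIFF
  --- a/config.txt
  +++ b/config.txt
  @@ -1,2 +1,3 @@
   # config
   token = glpat-abcdefghijklmnopqrst
  +name = demo
DIFF

if $PROGRAM_NAME == __FILE__
  puts "whole file blocked? #{push_blocked?(scan_blob(SAMPLE_BLOB))}"
  puts "diff only blocked?  #{push_blocked?(scan_diff(SAMPLE_DIFF))}"
end
```

Running the file prints that the whole-file scan blocks the push while the diff-only scan lets it through, because the only `+` line in the diff is `name = demo`. A diff that itself adds a token line is still blocked by `scan_diff`.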
