Skip to content

Disable password in URL rule in secret scanning

Dominic Couture requested to merge dcouture-password-url-disable into master

What does this MR do and why?

The "Password in URL" rule is very noisy and it picks up tons (thousands) of user:user, test:test, *****:*****, and other variations of test passwords to the point where we're missing real findings as in https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/36027676.

Until we have a way to filter out the "obviously-used-for-test" passwords I suggest that we disable this rule. That combined with some API tricks to mass-dismiss the existing issues will enable us to use the feature again.

Screenshots or screen recordings

N/A

How to set up and validate locally

It's a CI/CD configuration change, it cannot be validated locally.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture

Merge request reports

Loading