Disable password in URL rule in secret scanning
What does this MR do and why?
The "Password in URL" rule is very noisy and it picks up tons (thousands) of user:user, test:test, *****:*****, and other variations of test passwords to the point where we're missing real findings as in https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/36027676.
Until we have a way to filter out the "obviously-used-for-test" passwords I suggest that we disable this rule. That combined with some API tricks to mass-dismiss the existing issues will enable us to use the feature again.
Screenshots or screen recordings
N/A
How to set up and validate locally
It's a CI/CD configuration change, it cannot be validated locally.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Dominic Couture
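For readers who want to disable a single predefined secret detection rule in their own project rather than in the analyzer's CI/CD configuration, this is the ruleset-override form GitLab's secret detection documents (a `.gitlab/secret-detection-ruleset.toml` file at the repository root). It is an added example, not this MR's diff; it assumes the analyzer's gitleaks rule id for this rule is the literal string "Password in URL".

```toml
# Added example, not part of the MR: .gitlab/secret-detection-ruleset.toml
# Disables one predefined rule; all other rules keep running.
[secrets]
  [[secrets.ruleset]]
    [secrets.ruleset.identifier]
      # Assumed to match the analyzer's rule id for the noisy rule.
      type = "gitleaks_rule_id"
      value = "Password in URL"
    [secrets.ruleset.override]
      disabled = true
```

Findings already recorded in the vulnerability report are not removed by this override; only new pipelines stop producing them.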