-
-
Save Tirael/c4cb9ef6a45715da7f68d3625cb1412b to your computer and use it in GitHub Desktop.
GitLab Secret Detection which fails when vulnerabilities were found
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This job overrides the default secret detection job from GitLab | |
| # (https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml) | |
| # and fails if vulnerabilities were found. The exit code represents the number of vulnerabilities. | |
| # | |
| # Requirements: | |
| # - Stage "test" | |
| include: | |
| - template: Security/Secret-Detection.gitlab-ci.yml | |
| secret_detection: | |
| extends: .secret-analyzer | |
| rules: | |
| - if: $SECRET_DETECTION_DISABLED | |
| when: never | |
| - if: $CI_COMMIT_BRANCH | |
| variables: | |
| GET_VULNERABILITY_COUNT: "cat gl-secret-detection-report.json | jq --raw-output '.vulnerabilities | length'" | |
| script: | |
| - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi | |
| - apk add jq | |
| - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit $(eval "$GET_VULNERABILITY_COUNT"); fi | |
| - git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME | |
| - git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt | |
| - export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt | |
| - /analyzer run | |
| - rm "$CI_COMMIT_SHA"_commit_list.txt | |
| - exit $(eval "$GET_VULNERABILITY_COUNT") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment