GitLab Secret Detection job that fails when vulnerabilities are found
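# This job overrides the default secret detection job from GitLab
# (https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml)
# and fails if vulnerabilities were found. The exit code represents the number of
# vulnerabilities found, capped at 255: a process exit status is a single byte, so an
# uncapped count of 256 would wrap to 0 and let the pipeline pass.
# A missing or unreadable report is treated as a failure rather than as a clean run,
# so an analyzer that did not complete cannot silently pass the job.
#
# Requirements:
# - Stage "test"
# - The analyzer image is Alpine-based (jq is installed with apk)
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  variables:
    # Evaluated with `eval` in the script below, so any override of this variable
    # (project, group or pipeline level) runs as shell in the job; treat it as code.
    GET_VULNERABILITY_COUNT: "cat gl-secret-detection-report.json | jq --raw-output '.vulnerabilities | length'"
  script:
    # Guard kept from the upstream template; the rules above already limit the job
    # to branch pipelines, so this is only reached if the rules are changed.
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    - apk add jq
    # Default branch: scan the whole repository.
    # Any other branch: scan only the commits not yet on the default branch, passed
    # to the analyzer through SECRET_DETECTION_COMMITS_FILE.
    - |
      if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
        echo "Running Secret Detection on default branch."
      else
        git fetch origin "$CI_DEFAULT_BRANCH" "$CI_COMMIT_REF_NAME"
        git log --left-right --cherry-pick --pretty=format:"%H" "refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME" > "$CI_COMMIT_SHA"_commit_list.txt
        export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt
      fi
    - /analyzer run
    # -f: the commit list only exists on non-default branches.
    - rm -f "$CI_COMMIT_SHA"_commit_list.txt
    # Fail closed: no report means the analyzer did not produce a result, not that
    # the code is clean. The original `exit $(...)` would have exited with an empty
    # argument here.
    - if [ ! -f gl-secret-detection-report.json ]; then echo "Secret Detection report not found; treating as failure."; exit 1; fi
    - VULNERABILITY_COUNT=$(eval "$GET_VULNERABILITY_COUNT")
    # A non-numeric or empty count (e.g. malformed JSON) must also fail the job.
    - case "$VULNERABILITY_COUNT" in ''|*[!0-9]*) echo "Could not read vulnerability count from report; treating as failure."; exit 1;; esac
    - echo "Secret Detection found $VULNERABILITY_COUNT vulnerabilities."
    # Cap at 255 so a large number of findings cannot wrap the exit status to 0.
    - if [ "$VULNERABILITY_COUNT" -gt 255 ]; then exit 255; fi
    - exit "$VULNERABILITY_COUNT"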