Created
December 9, 2021 10:21
-
-
Save halloei/8ea4f1763f16a426f86a56bcf6a97333 to your computer and use it in GitHub Desktop.
GitLab Secret Detection which fails when vulnerabilities were found
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This job overrides the default secret detection job from GitLab | |
| # (https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml) | |
| # and fails if vulnerabilities were found. The exit code represents the number of vulnerabilities. | |
| # | |
| # Requirements: | |
| # - Stage "test" | |
| include: | |
| - template: Security/Secret-Detection.gitlab-ci.yml | |
| secret_detection: | |
| extends: .secret-analyzer | |
| rules: | |
| - if: $SECRET_DETECTION_DISABLED | |
| when: never | |
| - if: $CI_COMMIT_BRANCH | |
| variables: | |
| GET_VULNERABILITY_COUNT: "cat gl-secret-detection-report.json | jq --raw-output '.vulnerabilities | length'" | |
| script: | |
| - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi | |
| - apk add jq | |
| - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit $(eval "$GET_VULNERABILITY_COUNT"); fi | |
| - git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME | |
| - git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt | |
| - export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt | |
| - /analyzer run | |
| - rm "$CI_COMMIT_SHA"_commit_list.txt | |
| - exit $(eval "$GET_VULNERABILITY_COUNT") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment