vor/secret-detection
1
0
Fork 0
mirror of https://gitlab.com/components/secret-detection.git synced 2025-06-30 07:28:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into 'main'

Browse source 
feat: implement support for merge request pipelines

See merge request components/secret-detection!8
This commit is contained in:
Tim Knight 2025-02-14 13:53:23 +00:00
commit 1c55793458
2 changed files with 28 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

13
README.md
View file

@ -36,12 +36,13 @@ This assumes `SECRET_DETECTION_DISABLED` variable is already defined in `.gitlab
### Inputs ### Inputs
| Input | Default value | Description | | Input | Default value | Description |
| ----- | ------------- | ----------- | |--------------------| ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added. | | `stage` | `test` | The stage where you want the job to be added. |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Override the name of the Docker registry providing the default images (proxy). | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Override the name of the Docker registry providing the default images (proxy). |
| `image_tag` | `5` | Override the default version of the `secrets` analyzer image. | | `image_tag` | `5` | Override the default version of the `secrets` analyzer image. |
| `image_suffix` | `""` | Suffix added to the image name. If set to -fips, [FIPS-enabled images](https://docs.gitlab.com/ee/user/application_security/secret_detection/#use-fips-enabled-images) are used for scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. | | `image_suffix` | `""` | Suffix added to the image name. If set to -fips, [FIPS-enabled images](https://docs.gitlab.com/ee/user/application_security/secret_detection/#use-fips-enabled-images) are used for scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. |
| `use-mr-pipelines` | `false` | Set to `true` to enable `secret-detection` job to run on Merge Request Pipelines in addition to Branch Pipelines (except where there is an open MR on that Branch) |
### Variables ### Variables

23
templates/secret-detection.yml
View file

@ -8,9 +8,30 @@ spec:
default: '6' default: '6'
image_suffix: image_suffix:
default: "" default: ""
use-mr-pipelines:
description: "If set to `true` secret-detection jobs run on MR Pipelines"
type: boolean
default: false
--- ---
.secret-detection-rules:true:
rules:
# If there is an open MR on this branch do not run the job on a "Push" pipeline
# https://docs.gitlab.com/ee/ci/pipelines/mr_pipeline_troubleshooting.html#two-pipelines-when-pushing-to-a-branch
- if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
when: never
- if: $CI_COMMIT_TAG
when: never
- when: always
.secret-detection-rules:false:
rules:
- if: $CI_COMMIT_BRANCH
when: always
- when: never
secret_detection: secret_detection:
extends: '.secret-detection-rules:$[[ inputs.use-mr-pipelines ]]'
stage: $[[ inputs.stage ]] stage: $[[ inputs.stage ]]
image: "$[[ inputs.image_prefix ]]/secrets:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" image: "$[[ inputs.image_prefix ]]/secrets:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
services: [] services: []
@ -23,7 +44,5 @@ secret_detection:
artifacts: artifacts:
reports: reports:
secret_detection: gl-secret-detection-report.json secret_detection: gl-secret-detection-report.json
rules:
- if: $CI_COMMIT_BRANCH
script: script:
- /analyzer run - /analyzer run