Merge branch 'main' into 'main'

feat: implement support for merge request pipelines See merge request components/secret-detection!8
2025-06-30 07:28:30 +02:00 · 2025-02-14 13:53:23 +00:00 · 2025-02-14 13:53:23 +00:00 · 1c55793458
commit 1c55793458
parent 94147813a3 5676ddd199
2 changed files with 28 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -37,11 +37,12 @@ This assumes `SECRET_DETECTION_DISABLED` variable is already defined in `.gitlab
 ### Inputs

 | Input              | Default value | Description |
-| ----- | ------------- | ----------- |
+|--------------------| ------------- | ----------- |
 | `stage`            | `test` | The stage where you want the job to be added. |
 | `image_prefix`     | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Override the name of the Docker registry providing the default images (proxy). |
 | `image_tag`        | `5` | Override the default version of the `secrets` analyzer image. |
 | `image_suffix`     | `""` | Suffix added to the image name. If set to -fips, [FIPS-enabled images](https://docs.gitlab.com/ee/user/application_security/secret_detection/#use-fips-enabled-images) are used for scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. |
+| `use-mr-pipelines` | `false` | Set to `true` to enable `secret-detection` job to run on Merge Request Pipelines in addition to Branch Pipelines (except where there is an open MR on that Branch) |

 ### Variables

--- a/templates/secret-detection.yml
+++ b/templates/secret-detection.yml
@ -8,9 +8,30 @@ spec:
      default: '6'
    image_suffix:
      default: ""
+    use-mr-pipelines:
+      description: "If set to `true` secret-detection jobs run on MR Pipelines"
+      type: boolean
+      default: false
 ---

+.secret-detection-rules:true:
+  rules:
+    # If there is an open MR on this branch do not run the job on a "Push" pipeline
+    # https://docs.gitlab.com/ee/ci/pipelines/mr_pipeline_troubleshooting.html#two-pipelines-when-pushing-to-a-branch
+    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
+      when: never
+    - if: $CI_COMMIT_TAG
+      when: never
+    - when: always
+
+.secret-detection-rules:false:
+  rules:
+    - if: $CI_COMMIT_BRANCH
+      when: always
+    - when: never
+
 secret_detection:
+  extends: '.secret-detection-rules:$[[ inputs.use-mr-pipelines ]]'
  stage: $[[ inputs.stage ]]
  image: "$[[ inputs.image_prefix ]]/secrets:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
  services: []
@ -23,7 +44,5 @@ secret_detection:
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json
-  rules:
-    - if: $CI_COMMIT_BRANCH
  script:
    - /analyzer run