diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 125435a..b47a28d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,19 +1,26 @@ include: - component: gitlab.com/$CI_PROJECT_PATH/job@$CI_COMMIT_SHA + component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/secret-detection@$CI_COMMIT_SHA stages: [test, release] +secret_detection: + rules: + - if: $CI_COMMIT_BRANCH + - if: $CI_COMMIT_TAG # overriding rules to ensure it runs on tags before the release. + ensure-job-added: stage: test image: badouralix/curl-jq script: - echo "Expect that a job named 'secret_detection' is added to the pipeline" - | - route="https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs" + route="$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs" count=`curl --silent $route | jq 'map(select(.name | contains("secret_detection"))) | length'` if [ "$count" != "1" ]; then exit 1 fi + rules: + - if: ($CI_COMMIT_BRANCH || $CI_COMMIT_TAG) && $CI_SERVER_HOST =~ /gitlab.com/ # Ensure that a project description exists, because it will be important to display # the resource in the catalog. @@ -21,7 +28,7 @@ check-description: image: badouralix/curl-jq script: - | - route="https://gitlab.com/api/v4/projects/$CI_PROJECT_ID" + route="$CI_API_V4_URL/projects/$CI_PROJECT_ID" desc=`curl --silent $route | jq '.description'` if [ "$desc" = "null" ]; then echo "Description not set. Please set a projet description" @@ -29,6 +36,8 @@ check-description: else echo "Description set" fi + rules: + - if: $CI_SERVER_HOST =~ /gitlab.com/ # Ensure that a `README.md` exists in the root directory as it represents the # documentation for the whole components repository. diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..8c09c67 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @gitlab-org/secure/secret-detection diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0fb88d0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 GitLab Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 9541ac5..bd29082 100644 --- a/README.md +++ b/README.md @@ -13,16 +13,18 @@ keyword. ```yaml include: - - component: gitlab.com/gitlab-components/secret-detection/job@ + - component: gitlab.com/components/secret-detection/secret-detection@ ``` where `` is the latest released tag or `main`. +This component will add a `secret_detection` job to the pipeline. + If you are converting the configuration to use components and want to leverage the existing variable `$SECRET_DETECTION_DISABLED` you could conditionally include the component using the variable: ```yaml include: - - component: gitlab.com/gitlab-components/secret-detection/job@main + - component: gitlab.com/components/secret-detection/secret-detection@main rules: - if: $SECRET_DETECTION_DISABLED == "true" || $SECRET_DETECTION_DISABLED == "1" when: never @@ -38,7 +40,7 @@ This assumes `SECRET_DETECTION_DISABLED` variable is already defined in `.gitlab | ----- | ------------- | ----------- | | `stage` | `test` | The stage where you want the job to be added. | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Override the name of the Docker registry providing the default images (proxy). | -| `image_tag` | `5` | Override the default version of the `secrets` analyzer image. | +| `image_tag` | `7` | Override the default version of the `secrets` analyzer image. | | `image_suffix` | `""` | Suffix added to the image name. If set to -fips, [FIPS-enabled images](https://docs.gitlab.com/ee/user/application_security/secret_detection/#use-fips-enabled-images) are used for scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. | ### Variables @@ -50,3 +52,7 @@ You can customize secret detection by defining the following CI/CD variables: | `SECRET_DETECTION_EXCLUDED_PATHS` | Exclude vulnerabilities from output based on the paths. The paths are a comma-separated list of patterns. Patterns can be globs (see [doublestar.Match](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.0.2#Match) for supported patterns), or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225273) in GitLab 13.3. | | `SECRET_DETECTION_HISTORIC_SCAN` | Flag to enable a historic Gitleaks scan. | | `SECRET_DETECTION_LOG_OPTIONS` | [`git log`](https://git-scm.com/docs/git-log) options used to define commit ranges. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350660) in GitLab 15.1. | + +## Contribute + +Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components diff --git a/logo.png b/logo.png new file mode 100644 index 0000000..e5c20d1 Binary files /dev/null and b/logo.png differ diff --git a/templates/job.yml b/templates/secret-detection.yml similarity index 97% rename from templates/job.yml rename to templates/secret-detection.yml index bd1e3ad..79c1e0b 100644 --- a/templates/job.yml +++ b/templates/secret-detection.yml @@ -5,7 +5,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_tag: - default: '5' + default: '7' image_suffix: default: "" ---