From b03279995e2894493f188b770ec6cf24dd7f54c6 Mon Sep 17 00:00:00 2001 From: Fabio Pitino Date: Thu, 9 Nov 2023 12:36:35 +0000 Subject: [PATCH 01/11] Rename component to secret-detection --- .gitlab-ci.yml | 2 +- README.md | 10 ++++++++-- templates/{job.yml => secret-detection.yml} | 0 3 files changed, 9 insertions(+), 3 deletions(-) rename templates/{job.yml => secret-detection.yml} (100%) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 937516f..5cfe312 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,5 +1,5 @@ include: - component: gitlab.com/$CI_PROJECT_PATH/job@$CI_COMMIT_SHA + component: gitlab.com/$CI_PROJECT_PATH/secret-detection@$CI_COMMIT_SHA stages: [test, release] diff --git a/README.md b/README.md index 9541ac5..e513eb1 100644 --- a/README.md +++ b/README.md @@ -13,16 +13,18 @@ keyword. ```yaml include: - - component: gitlab.com/gitlab-components/secret-detection/job@ + - component: gitlab.com/gitlab-components/secret-detection/secret-detection@ ``` where `` is the latest released tag or `main`. +This component will add a `secret_detection` job to the pipeline. + If you are converting the configuration to use components and want to leverage the existing variable `$SECRET_DETECTION_DISABLED` you could conditionally include the component using the variable: ```yaml include: - - component: gitlab.com/gitlab-components/secret-detection/job@main + - component: gitlab.com/gitlab-components/secret-detection/secret-detection@main rules: - if: $SECRET_DETECTION_DISABLED == "true" || $SECRET_DETECTION_DISABLED == "1" when: never @@ -50,3 +52,7 @@ You can customize secret detection by defining the following CI/CD variables: | `SECRET_DETECTION_EXCLUDED_PATHS` | Exclude vulnerabilities from output based on the paths. The paths are a comma-separated list of patterns. Patterns can be globs (see [doublestar.Match](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.0.2#Match) for supported patterns), or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225273) in GitLab 13.3. | | `SECRET_DETECTION_HISTORIC_SCAN` | Flag to enable a historic Gitleaks scan. | | `SECRET_DETECTION_LOG_OPTIONS` | [`git log`](https://git-scm.com/docs/git-log) options used to define commit ranges. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350660) in GitLab 15.1. | + +## Contribute + +Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components \ No newline at end of file diff --git a/templates/job.yml b/templates/secret-detection.yml similarity index 100% rename from templates/job.yml rename to templates/secret-detection.yml From 72880a4924be1194383a83f15760f382ac7b1b89 Mon Sep 17 00:00:00 2001 From: Sunjung Park Date: Tue, 12 Dec 2023 15:10:49 +0000 Subject: [PATCH 02/11] Update file logo.png --- logo.png | Bin 0 -> 2545 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 logo.png diff --git a/logo.png b/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..e5c20d108fa6fee0edc44b3ddcc1b4df3546ba2b GIT binary patch literal 2545 zcmVI=g^k0o;GAw}dR_7UD{4lI_ zFmM&uRXNZuTrig004iGRKF0aH9_}Du$2@_7(T6jolQJcsk-yVAPoOpn)@DFj6{u*b z>qJo=gDkN{1$c3uLosF^w=~fL>Q9kg|DX?a|=% zfC+S9gTI9huTcR0SZvMLdI<%&Q=t%p;X=qB=r7>x;7>I>=&AtC^Bjb=&l=@CGHL{3 z0$pZ7d25wOxH-h3f`cibm)dE6vfiQhpRNE@IW%O}t)DivVl+qT)f4`#R))_!bh!){*eX!5i&#FSo#}@Hwe305Q<|#Q~<*8 zF=zt|NF4p!@!3;%Zwk5}TC}1D$N~;WV_6UtfFgxmR@U=0GO4Ieg2~2$>#33kGKQ)C zGl)1A6lej`eJirvo54W!&T+Vr(eI3)JVQg;QPtYkoA)n>1$gVCuqcK0@D#2Nfl1Ja z{W)Nbn%Uy(HU|;u6l0=r{w!EPLovF&Ww2tPy1rjvP2dt&o5h`en8lr) zLpBvQRx5DtR~0C)18v5(`GVa=!{iWeof` zCEzBV7aDcjeH=<{$)jyEXi(EZQDm3Im~{d8Q>bI9jYHJ~iYb+#Jd{_j^P)~`8X&+_ zUN52ZvlA?0IFx!ghz*t76e!zZ+-MQyh2RR))oES5$m^9DXAZE4)3fOtBMB<2P=Oaq zvq7R!-ga-izU$%L1?xJ%fK{V{T7R1}yvPiV$odVbRYIeD*@n#Arn=sk&jkaxUCP1B zOM&)VGE6C%8>OcbrS{B}*FbepT{(gy2eveVDYW$8o{+gUad&=B241EuYNDImj?3ssvXtycGivK+HN6B74&mw>6=RWy(`od4gBMb+8Ze zggBMJk!Cy4@ZFat1N}!{Npb!t9}AoYedq{rFXS0QC4$%)18?F4E3(DZJis@GP$kBbNB8u9B++?Fvr>?_ z?7`)54K9ZzOUq$1Xxhx-#fQ)jKi(2vZ_e8Ed!fZhT@LSvJHVbcX zV04?tMMH-P@_|+AJi$#rLI5h02H`FPZi@EPJ*s%+t>0=;mz zfU|Bb7!`oDRP-{Pz|>1$U9|-I1n4cs(Noan1Wr(XLqFZ1;!2n`7s6 zMMEzQ$rhBi)^Y7>c%g+8e)ih0d2IZ}kKW^xpMSu+3p2Bpe zJX+kqBpgI4v*5X<;oL)qVJtpNlZnn=akouHBAn_(@A#oAH{Uo;P2O)_oOO z5dBiy#FO_J(_@G;0?Yt(w7*iyX2A; z@eyatchC?DL13plUOOrD^!I3R&JGQVh8Y3rY)@N8M>~BO+ivbbI&crBCUAmmRDdo?^d^I=h4q*!h&_9WyS$a8~HUVl2HrUp=t?;J`>*+7w^_6|K&Xarflz zJSgvO=^i=36Xi5fYWTZ`tllw&MyK6{ z&P}+hCy`-XV_%IhbmI7lxq-2+ta5<~&^DSXOGB%*i@AcL_xbcE2F|-Ygz9L&8wO~G+-%l1O^G^le`nMY_AcvpM z;_k8}yYkBj>NxK$Sek#?H|WjD8?C(TMXx`&-Nm@lhOGFeRbfQlUGfVmlLu$l^2gJu z5P9!VSWkzs=sc1*lEbMV=NwG#?I>$G00000NkvXX Hu0mjf__)dE literal 0 HcmV?d00001 From c542bedf60b890bb9bf1377d2bdc5e752279465c Mon Sep 17 00:00:00 2001 From: Mark Nuzzo Date: Wed, 20 Dec 2023 20:42:12 +0000 Subject: [PATCH 03/11] Update README.md to reference updated component path --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e513eb1..6830909 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ keyword. ```yaml include: - - component: gitlab.com/gitlab-components/secret-detection/secret-detection@ + - component: gitlab.com/components/secret-detection/secret-detection@ ``` where `` is the latest released tag or `main`. @@ -24,7 +24,7 @@ If you are converting the configuration to use components and want to leverage t ```yaml include: - - component: gitlab.com/gitlab-components/secret-detection/secret-detection@main + - component: gitlab.com/components/secret-detection/secret-detection@main rules: - if: $SECRET_DETECTION_DISABLED == "true" || $SECRET_DETECTION_DISABLED == "1" when: never @@ -55,4 +55,4 @@ You can customize secret detection by defining the following CI/CD variables: ## Contribute -Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components \ No newline at end of file +Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components From 836ee40654b68989e81d581d762b03aa197c5fad Mon Sep 17 00:00:00 2001 From: Duncan Macleod Date: Wed, 24 Apr 2024 13:41:38 +0100 Subject: [PATCH 04/11] use CI_ variables to allow mirroring to other gitlab instances --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5cfe312..1db20a7 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,5 +1,5 @@ include: - component: gitlab.com/$CI_PROJECT_PATH/secret-detection@$CI_COMMIT_SHA + component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/secret-detection@$CI_COMMIT_SHA stages: [test, release] @@ -14,7 +14,7 @@ ensure-job-added: script: - echo "Expect that a job named 'secret_detection' is added to the pipeline" - | - route="https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs" + route="$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs" count=`curl --silent $route | jq 'map(select(.name | contains("secret_detection"))) | length'` if [ "$count" != "1" ]; then exit 1 @@ -26,7 +26,7 @@ check-description: image: badouralix/curl-jq script: - | - route="https://gitlab.com/api/v4/projects/$CI_PROJECT_ID" + route="$CI_API_V4_URL/projects/$CI_PROJECT_ID" desc=`curl --silent $route | jq '.description'` if [ "$desc" = "null" ]; then echo "Description not set. Please set a projet description" From 7c550c89519082e7753341d90f14df29e9179b2c Mon Sep 17 00:00:00 2001 From: Vishwa Bhat Date: Thu, 2 May 2024 14:51:06 +0000 Subject: [PATCH 05/11] Update Secret Detection analyzer version --- templates/secret-detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/secret-detection.yml b/templates/secret-detection.yml index bd1e3ad..abe599b 100644 --- a/templates/secret-detection.yml +++ b/templates/secret-detection.yml @@ -5,7 +5,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_tag: - default: '5' + default: '6' image_suffix: default: "" --- From d9f655a96a2fac9b4a972b89d8ed1ccb7ef2e8c1 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Tue, 25 Jun 2024 14:02:45 +0200 Subject: [PATCH 06/11] Run a couple of jobs only on Gitlab.com --- .gitlab-ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1db20a7..b47a28d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,8 @@ ensure-job-added: if [ "$count" != "1" ]; then exit 1 fi + rules: + - if: ($CI_COMMIT_BRANCH || $CI_COMMIT_TAG) && $CI_SERVER_HOST =~ /gitlab.com/ # Ensure that a project description exists, because it will be important to display # the resource in the catalog. @@ -34,6 +36,8 @@ check-description: else echo "Description set" fi + rules: + - if: $CI_SERVER_HOST =~ /gitlab.com/ # Ensure that a `README.md` exists in the root directory as it represents the # documentation for the whole components repository. From 5e5d5be4d65d28698011ff4d442ad6776035be85 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Thu, 18 Jul 2024 19:37:55 +0200 Subject: [PATCH 07/11] Add a codeowners file --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..8c09c67 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @gitlab-org/secure/secret-detection From f945a715cdb9f0f5230c563b189e3c1207c03939 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Fri, 14 Feb 2025 11:17:45 +0100 Subject: [PATCH 08/11] Add LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0fb88d0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 GitLab Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From d5021f7972422d9b7f09fcd1337dee8f4f8ad2c3 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Mon, 21 Apr 2025 23:41:40 +0200 Subject: [PATCH 09/11] Bump version to 7 --- templates/secret-detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/secret-detection.yml b/templates/secret-detection.yml index abe599b..79c1e0b 100644 --- a/templates/secret-detection.yml +++ b/templates/secret-detection.yml @@ -5,7 +5,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_tag: - default: '6' + default: '7' image_suffix: default: "" --- From 54aa5f1aa93603b5f9c5e3b5fbb78d2d8811b8db Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Tue, 22 Apr 2025 10:32:02 +0200 Subject: [PATCH 10/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6830909..b9babd2 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ This assumes `SECRET_DETECTION_DISABLED` variable is already defined in `.gitlab | ----- | ------------- | ----------- | | `stage` | `test` | The stage where you want the job to be added. | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Override the name of the Docker registry providing the default images (proxy). | -| `image_tag` | `5` | Override the default version of the `secrets` analyzer image. | +| `image_tag` | `7`| Override the default version of the `secrets` analyzer image. | | `image_suffix` | `""` | Suffix added to the image name. If set to -fips, [FIPS-enabled images](https://docs.gitlab.com/ee/user/application_security/secret_detection/#use-fips-enabled-images) are used for scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. | ### Variables From e1192e05d161fad8390872d8feabd4454dd0ec97 Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Tue, 22 Apr 2025 10:32:37 +0200 Subject: [PATCH 11/11] Fix spacing --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b9babd2..bd29082 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ This assumes `SECRET_DETECTION_DISABLED` variable is already defined in `.gitlab | ----- | ------------- | ----------- | | `stage` | `test` | The stage where you want the job to be added. | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Override the name of the Docker registry providing the default images (proxy). | -| `image_tag` | `7`| Override the default version of the `secrets` analyzer image. | +| `image_tag` | `7` | Override the default version of the `secrets` analyzer image. | | `image_suffix` | `""` | Suffix added to the image name. If set to -fips, [FIPS-enabled images](https://docs.gitlab.com/ee/user/application_security/secret_detection/#use-fips-enabled-images) are used for scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. | ### Variables