vor/secret-detection
1
0
Fork 0
mirror of https://gitlab.com/components/secret-detection.git synced 2025-06-29 15:08:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
secret-detection/README.md
Ahmed Hemdan e1192e05d1 Fix spacing
2025-04-22 10:32:37 +02:00

2.9 KiB
Raw Permalink Blame History

Secret Detection

Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/secret_detection.

Configure Secret Detection with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).

List of available variables: https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-cicd-variables

Usage

You should add this component to an existing .gitlab-ci.yml file by using the include: keyword.

include:
  - component: gitlab.com/components/secret-detection/secret-detection@<VERSION>

where <VERSION> is the latest released tag or main.

This component will add a secret_detection job to the pipeline.

If you are converting the configuration to use components and want to leverage the existing variable $SECRET_DETECTION_DISABLED you could conditionally include the component using the variable:

include:
  - component: gitlab.com/components/secret-detection/secret-detection@main
    rules:
      - if: $SECRET_DETECTION_DISABLED == "true" || $SECRET_DETECTION_DISABLED == "1"
        when: never

Otherwise the job will run when applicable.

This assumes SECRET_DETECTION_DISABLED variable is already defined in .gitlab-ci.yml with either 'true' or '1' as the value.

Inputs

Input Default value Description
stage test The stage where you want the job to be added.
image_prefix $CI_TEMPLATE_REGISTRY_HOST/security-products Override the name of the Docker registry providing the default images (proxy).
image_tag 7 Override the default version of the secrets analyzer image.
image_suffix "" Suffix added to the image name. If set to -fips, FIPS-enabled images are used for scan. Introduced in GitLab 14.10.

Variables

You can customize secret detection by defining the following CI/CD variables:

CI/CD variable Description
SECRET_DETECTION_EXCLUDED_PATHS Exclude vulnerabilities from output based on the paths. The paths are a comma-separated list of patterns. Patterns can be globs (see doublestar.Match for supported patterns), or file or folder paths (for example, doc,spec). Parent directories also match patterns. Introduced in GitLab 13.3.
SECRET_DETECTION_HISTORIC_SCAN Flag to enable a historic Gitleaks scan.
SECRET_DETECTION_LOG_OPTIONS git log options used to define commit ranges. Introduced in GitLab 15.1.

Contribute

Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components