Secret Detection scans your repository to help prevent your secrets from being exposed.

Secret Detection

Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/secret_detection.

Configure Secret Detection with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).

List of available variables: https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-cicd-variables

Usage

You should add this component to an existing .gitlab-ci.yml file by using the include: keyword.

include:
  - component: gitlab.com/gitlab-components/secret-detection@<VERSION>

where <VERSION> is the latest released tag or main.

If you want to use the $SECRET_DETECTION_DISABLED variable to run the secret_detection job conditionally, use include:rules. Otherwise the job runs whenever it is applicable:

include:
  - component: gitlab.com/gitlab-components/secret-detection@main
    rules:
      - if: $SECRET_DETECTION_DISABLED != "true"

Inputs

| Input | Default value | Description |
|---|---|---|
| stage | test | The stage where you want the job to be added. |
| image_prefix | $CI_TEMPLATE_REGISTRY_HOST/security-products | Override the name of the Docker registry providing the default images (proxy). |
| image_tag | 5 | Override the default version of the secrets analyzer image. |
| image_suffix | "" | Suffix added to the image name. If set to -fips, FIPS-enabled images are used for the scan. Introduced in GitLab 14.10. |

Variables

You can customize secret detection by defining the following CI/CD variables:

| CI/CD variable | Description |
|---|---|
| SECRET_DETECTION_EXCLUDED_PATHS | Exclude vulnerabilities from output based on the paths. The paths are a comma-separated list of patterns. Patterns can be globs (see doublestar.Match for supported patterns), or file or folder paths (for example, doc,spec). Parent directories also match patterns. Introduced in GitLab 13.3. |
| SECRET_DETECTION_HISTORIC_SCAN | Flag to enable a historic Gitleaks scan. |
| SECRET_DETECTION_LOG_OPTIONS | git log options used to define commit ranges. Introduced in GitLab 15.1. |
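The following .gitlab-ci.yml is an added example (not part of this component's README) that combines the include, the inputs and the variables described above in one pipeline. It assumes a project that keeps documentation under docs/ and test fixtures under spec/fixtures that should not be reported, wants FIPS-enabled analyzer images, and keeps the per-pipeline opt-out via $SECRET_DETECTION_DISABLED.

```yaml
# Constructed example .gitlab-ci.yml for a project consuming this component.
# Assumed project layout: docs/ and spec/fixtures contain no real credentials
# and are excluded from the report; all other paths are scanned.
stages:
  - build
  - test

include:
  - component: gitlab.com/gitlab-components/secret-detection@main
    inputs:
      stage: test            # the secret_detection job is added to this stage
      image_suffix: "-fips"  # use the FIPS-enabled analyzer image
    rules:
      # Let a project or pipeline opt out by setting SECRET_DETECTION_DISABLED=true;
      # in every other case the job is included and runs when applicable.
      - if: $SECRET_DETECTION_DISABLED != "true"

variables:
  # Comma-separated list; directories and globs are both accepted.
  SECRET_DETECTION_EXCLUDED_PATHS: "docs,spec/fixtures"
  # Scan the full git history rather than only the current commit range,
  # so secrets committed and later removed are still reported.
  SECRET_DETECTION_HISTORIC_SCAN: "true"

build:
  stage: build
  script:
    - echo "build step runs before the scan stage"
```

A historic scan walks every commit, so it is slower than the default scan; use SECRET_DETECTION_LOG_OPTIONS to narrow the commit range if pipeline time matters.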