secret-detection/template.yml

spec:
  inputs:
    stage:
      default: test
    image_prefix:
      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
    image_tag:
      default: '5'
    image_suffix:
      default: ""
---
variables:
  SECRET_DETECTION_EXCLUDED_PATHS: ""

.secret-analyzer:
  stage: $[[ inputs.stage ]]
  image: "$[[ inputs.image_prefix ]]/secrets:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
  services: []
  allow_failure: true
  variables:
    GIT_DEPTH: "50"
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $CI_COMMIT_BRANCH
  script:
    - /analyzer run