
Secrets Detection in Gitlab CI/CD

I'm having some trouble understanding how to activate Secrets Detection in Gitlab CI/CD. I created a new NodeJS Express project from a template and then I activated auto-devops from Settings > CI/CD and checked the checkbox Default to Auto Devops pipeline under the Auto Devops menu. After that I opened the app.js file in the project folder and inserted a variable that looks like a key-value. Here's the piece of code where I inserted the line:

...
var app = express();

var key = "api-12321321321321321";

// view engine setup
app.set('views', path.join(__dirname, 'views'));
...

After committing the changes I expected the pipeline to fail because of the leak of the secret. Here's an image that shows that secret detection passed. [image: pipeline screenshot showing the secret detection job passed]

Can anyone tell me how to make it so that the pipeline reports the error?

GitLab has a full post about setting this up in a pipeline: https://docs.gitlab.com/ee/user/application_security/secret_detection/

EDIT:

The given instructions are a bit unclear:

You need to add the include tag at "root-level" of your configuration.

Example

stages:
    - build
    - test

image: node:latest

build:
    stage: build
    script:
        - echo "Building"
        - npm install typescript
        - yarn run build
test:
    stage: test
    script:
        - echo "Testing"

include:
    - template: Security/Secret-Detection.gitlab-ci.yml

The secret detection will run in the test stage: [image: pipeline screenshot]

This should be easier with GitLab 13.12 (May 2021):

Configuration tool for Secret Detection

Following in the footsteps of the GitLab SAST configuration tool we are adding support for Secret Detection on the Security Configuration page.
We believe that security is a team effort and this configuration experience makes it easier for non-CI experts to get started with GitLab Secret Detection.

The tool helps a user create a merge request to enable Secret Detection scanning while leveraging best configuration practices like using the GitLab-managed SAST.gitlab-ci.yml template.
The Configuration tool can create a new .gitlab-ci.yml file if one does not exist or update existing simple GitLab CI files, allowing the tool to be used with projects that already have GitLab CI setup.

[image: https://about.gitlab.com/images/13_12/secret_config_button_13_12.png -- Secret Detection configuration tool]

See Documentation and Epic.

This behavior has confused me as well when I first tried it out.

However, it seems that GitLab did this on purpose. Here is what the official documentation says:

[image: screenshot of the GitLab documentation]

So with a free or premium account, you can just use this reporter, but you won't see any results, unless you download the JSON report.

Also, there is NO mention that the job will fail. This is just our expectation.

In other words, if you are on a free/premium account this feature is almost useless, as nobody will go to the job and manually inspect it.

The only workaround would be to override the secret_detection job, parse the gl-secret-detection-report.json, check if it passed or failed and decide to PASS or FAIL the JOB.
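One way to implement the workaround described in this answer, as an added example that is not part of the answer or of GitLab's own tooling: a small Python checker that reads gl-secret-detection-report.json and returns a non-zero exit status when a finding at or above a chosen severity is present. It assumes the report follows GitLab's secure report layout (a top-level "vulnerabilities" list whose entries carry "severity", "name" and a "location" with "file" and "start_line"); the sample report below is constructed, and wiring the script into the overridden secret_detection job is left to your pipeline.

```python
import json
import sys

# Constructed sample report in the assumed GitLab secure report layout.
SAMPLE_REPORT = """
{
  "version": "14.0.0",
  "vulnerabilities": [
    {
      "id": "constructed-example-1",
      "category": "secret_detection",
      "name": "Generic API Key",
      "severity": "Critical",
      "location": {"file": "app.js", "start_line": 12, "end_line": 12}
    }
  ]
}
"""

# Severity ranking used to decide what blocks the job; lowest first.
SEVERITY_ORDER = ["Unknown", "Info", "Low", "Medium", "High", "Critical"]


def findings(report_text, min_severity="High"):
    """Return findings at or above min_severity as (severity, name, file, line)."""
    threshold = SEVERITY_ORDER.index(min_severity)
    report = json.loads(report_text)
    hits = []
    for vuln in report.get("vulnerabilities", []):
        sev = vuln.get("severity", "Unknown")
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        if rank < threshold:
            continue
        loc = vuln.get("location", {})
        hits.append((sev, vuln.get("name", "unnamed"), loc.get("file", "?"),
                     loc.get("start_line")))
    return hits


def decide(report_text, min_severity="High"):
    """Job exit status: 0 when nothing blocks, 1 when a finding must fail the job."""
    hits = findings(report_text, min_severity)
    for sev, name, path, line in hits:
        print(f"{sev}: {name} at {path}:{line}")
    return 1 if hits else 0


if __name__ == "__main__":
    report_path = sys.argv[1] if len(sys.argv) > 1 else "gl-secret-detection-report.json"
    with open(report_path, encoding="utf-8") as fh:
        sys.exit(decide(fh.read()))
```

Run it as a step of the overridden secret_detection job once the analyzer has written its report, and keep the job's allow_failure unset so the non-zero exit actually fails the pipeline.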
