Secret Detection
The secret detection job checks the project's source code using Gitleaks and the pre-defined GitLab Static Application Security Testing (SAST). If a secret is found, the details will be available in the 'security' tab on the pipeline page. Additionally, if the pipeline is run as part of a Merge Request, the details are shown in a 'security' widget at the top of the MR overview page. These details are only viewable by users with the appropriate access.
The job will end green if it has run successfully, even if secrets are detected. This is the intended outcome, as designed by GitLab. It is possible to force the job to end with a different exit code when secrets are detected, but in that scenario the results won't be available in the 'security' tab/widget, so doing so completely defeats the purpose of the job.
Enabling this job
This job is controlled by the variable RUN_JOB_SECRET_DETECTION, which is set to 0 by default. To run the job, set the value to 1 in your .gitlab-ci.yml file.
The GitLab variable AST_ENABLE_MR_PIPELINES has no effect here because we are using our own custom rules.
Manual Run
You can run this job as a one-off by setting RUN_JOB_SECRET_DETECTION to '1' in the pipeline input form. However, this may only scan the most recent commit on that branch. To run a full scan of the entire repository, set the variable SECRET_DETECTION_HISTORIC_SCAN to true.
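The two variables described above, in a .gitlab-ci.yml fragment. This is an added example rather than the project's own configuration; the include of the shared pipeline template is a placeholder and must be replaced with the project's actual include.

```yaml
# Added example (not the project's own .gitlab-ci.yml).
# The include below is a placeholder for the shared pipeline template
# that defines the secret detection job.
include:
  - project: "<group>/<pipeline-templates>"   # placeholder
    file: "<path/to/template>.yml"            # placeholder

variables:
  # Off by default (0). Set to 1 to run the secret detection job.
  # The job stays green even when secrets are found; read the
  # 'security' tab or MR widget for results.
  RUN_JOB_SECRET_DETECTION: "1"

  # Optional. Default behaviour may scan only the most recent commit.
  # Setting this to true scans every branch and all past commits, so
  # expect duplicate-looking findings and result links that warn
  # "(unknown) does not exist in {commithash}".
  SECRET_DETECTION_HISTORIC_SCAN: "true"
```

For a one-off run, leave SECRET_DETECTION_HISTORIC_SCAN out of the file and set either variable in the pipeline input form instead.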
What to do if a secret is detected
This will depend on where the secret is found, whether in the current codebase or only in the commit history, and whether the content of the secret still poses a security risk. For general information, start by reading GitLab's responding to security incidents documentation. The report attached to each detected secret has specific details and links to assist the mitigation process.
If the job has been run with SECRET_DETECTION_HISTORIC_SCAN = true, then all branches in the repository are checked, not just the branch that the pipeline is running for. In addition, all past commits are scanned, so this may produce the appearance of duplicated results. For both of these reasons you may find that, on clicking the link to the detected secret, you get a warning "(unknown) does not exist in {commithash}" and the actual secret is not shown.