gitlab-secret_detection 0.1.0 → 0.7.1

data/lib/gitlab/secret_detection/core/response.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module SecretDetection
+    module Core
+      # Response is the data object returned by the scan operation with the following structure
+      #
+      # +status+:: One of values from Gitlab::SecretDetection::Core::Status indicating the scan operation's status
+      # +results+:: Array of Gitlab::SecretDetection::Core::Finding values. Default value is nil.
+      # +metadata+:: Hash object containing additional meta information about the response. It is currently used
+      #   to embed more information on error.
+      class Response
+        attr_reader :status, :results, :metadata
+
+        def initialize(status, results = [], metadata = {})
+          @status = status
+          @results = results
+          @metadata = metadata
+        end
+
+        def ==(other)
+          self.class == other.class && other.state == state
+        end
+
+        def to_h
+          {
+            status:,
+            metadata:,
+            results: results&.map(&:to_h)
+          }
+        end
+
+        protected
+
+        def state
+          [status, metadata, results]
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/core/ruleset.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'toml-rb'
+require 'logger'
+
+module Gitlab
+  module SecretDetection
+    module Core
+      class Ruleset
+        # file path where the secrets ruleset file is located
+        RULESET_FILE_PATH = File.expand_path('gitleaks.toml', __dir__)
+
+        def initialize(path: RULESET_FILE_PATH, logger: Logger.new($stdout))
+          @path = path
+          @logger = logger
+        end
+
+        def rules(force_fetch: false)
+          return @rule_data unless @rule_data.nil? || force_fetch
+
+          @rule_data = parse_ruleset
+        end
+
+        private
+
+        attr_reader :path, :logger
+
+        # parses given ruleset file and returns the parsed rules
+        def parse_ruleset
+          # rule_file_content = File.read(path)
+          rules_data = TomlRB.load_file(path, symbolize_keys: true).freeze
+          rules_data[:rules].freeze
+        rescue StandardError => e
+          logger.error "Failed to parse secret detection ruleset from '#{path}' path: #{e}"
+          raise Core::Scanner::RulesetParseError
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/core/scanner.rb

@@ -0,0 +1,352 @@
+# frozen_string_literal: true
+
+require 're2'
+require 'logger'
+require 'timeout'
+require 'English'
+require 'parallel'
+
+module Gitlab
+  module SecretDetection
+    module Core
+      # Scan is responsible for running Secret Detection scan operation
+      class Scanner
+        # RulesetParseError is thrown when the code fails to parse the
+        # ruleset file from the given path
+        RulesetParseError = Class.new(StandardError)
+
+        # RulesetCompilationError is thrown when the code fails to compile
+        # the predefined rulesets
+        RulesetCompilationError = Class.new(StandardError)
+
+        # default time limit(in seconds) for running the scan operation per invocation
+        DEFAULT_SCAN_TIMEOUT_SECS = 180 # 3 minutes
+        # default time limit(in seconds) for running the scan operation on a single payload
+        DEFAULT_PAYLOAD_TIMEOUT_SECS = 30 # 30 seconds
+        # Tags used for creating default pattern matcher
+        DEFAULT_PATTERN_MATCHER_TAGS = ['gitlab_blocking'].freeze
+        # Max no of child processes to spawn per request
+        # ref: https://gitlab.com/gitlab-org/gitlab/-/issues/430160
+        MAX_PROCS_PER_REQUEST = 5
+        # Minimum cumulative size of the payloads required to spawn and
+        # run the scan within a new subprocess.
+        MIN_CHUNK_SIZE_PER_PROC_BYTES = 2_097_152 # 2MiB
+        # Whether to run scan in subprocesses or not. Default is false.
+        RUN_IN_SUBPROCESS = false
+
+        # Initializes the instance with logger along with following operations:
+        # 1. Extract keywords from the parsed ruleset to use it for matching keywords before regex operation.
+        # 2. Build and Compile rule regex patterns obtained from the ruleset with +DEFAULT_PATTERN_MATCHER_TAGS+
+        # tags. Raises +RulesetCompilationError+ in case the regex pattern compilation fails.
+        def initialize(rules:, logger: Logger.new($stdout))
+          @logger = logger
+          @rules = rules
+          @keywords = create_keywords(rules)
+          @default_keyword_matcher = build_keyword_matcher(
+            tags: DEFAULT_PATTERN_MATCHER_TAGS,
+            include_missing_tags: false
+          )
+          @default_pattern_matcher = build_pattern_matcher(
+            tags: DEFAULT_PATTERN_MATCHER_TAGS,
+            include_missing_tags: false
+          ) # includes only gitlab_blocking rules
+        end
+
+        # Runs Secret Detection scan on the list of given payloads. Both the total scan duration and
+        # the duration for each payload is time bound via +timeout+ and +payload_timeout+ respectively.
+        #
+        # +payloads+:: Array of payloads where each payload should have `id` and `data` properties.
+        # +timeout+:: No of seconds(accepts floating point for smaller time values) to limit the total scan duration
+        # +payload_timeout+:: No of seconds(accepts floating point for smaller time values) to limit
+        #                  the scan duration on each payload
+        # +raw_value_exclusions:+:: Array of raw values to exclude from the scan.
+        # +rule_exclusions+:: Array of rules to exclude from the ruleset used for the scan. Each rule is represented
+        #           by its ID. For example: `gitlab_personal_access_token` for representing Gitlab Personal Access
+        #           Token. By default, no rule is excluded from the ruleset.
+        # +tags+:: Array of tag values to filter from the default ruleset when determining the rules used for the scan.
+        #           For example: Add `gitlab_blocking` to include only rules for Push Protection. Defaults to
+        #           [`gitlab_blocking`] (+DEFAULT_PATTERN_MATCHER_TAGS+).
+        #
+        # NOTE:
+        # Running the scan in fork mode primarily focuses on reducing the memory consumption of the scan by
+        # offloading regex operations on large payloads to sub-processes. However, it does not assure the improvement
+        # in the overall latency of the scan, specifically in the case of smaller payloads, where the overhead of
+        # forking a new process adds to the overall latency of the scan instead. More reference on Subprocess-based
+        # execution is found here: https://gitlab.com/gitlab-org/gitlab/-/issues/430160.
+        #
+        # Returns an instance of Gitlab::SecretDetection::Core::Response by following below structure:
+        # {
+        #     status: One of the Core::Status values
+        #     results: [SecretDetection::Finding]
+        # }
+        #
+        def secrets_scan(
+          payloads,
+          timeout: DEFAULT_SCAN_TIMEOUT_SECS,
+          payload_timeout: DEFAULT_PAYLOAD_TIMEOUT_SECS,
+          raw_value_exclusions: [],
+          rule_exclusions: [],
+          tags: DEFAULT_PATTERN_MATCHER_TAGS,
+          subprocess: RUN_IN_SUBPROCESS
+        )
+
+          return Core::Response.new(Core::Status::INPUT_ERROR) unless validate_scan_input(payloads)
+
+          # assign defaults since grpc passing zero timeout value to `Timeout.timeout(..)` makes it effectively useless.
+          timeout = DEFAULT_SCAN_TIMEOUT_SECS unless timeout.positive?
+          payload_timeout = DEFAULT_PAYLOAD_TIMEOUT_SECS unless payload_timeout.positive?
+          tags = DEFAULT_PATTERN_MATCHER_TAGS if tags.empty?
+
+          Timeout.timeout(timeout) do
+            keyword_matcher = build_keyword_matcher(tags:)
+
+            matched_payloads = filter_by_keywords(keyword_matcher, payloads)
+
+            next Core::Response.new(Core::Status::NOT_FOUND) if matched_payloads.empty?
+
+            scan_args = {
+              payloads: matched_payloads, payload_timeout:,
+              pattern_matcher: build_pattern_matcher(tags:),
+              raw_value_exclusions:, rule_exclusions:
+            }
+
+            secrets = subprocess ? run_scan_within_subprocess(**scan_args) : run_scan(**scan_args)
+
+            scan_status = overall_scan_status(secrets)
+
+            Core::Response.new(scan_status, secrets)
+          end
+        rescue Timeout::Error => e
+          logger.error "Secret detection operation timed out: #{e}"
+
+          Core::Response.new(Core::Status::SCAN_TIMEOUT)
+        end
+
+        private
+
+        attr_reader :logger, :rules, :keywords, :default_pattern_matcher, :default_keyword_matcher
+
+        # Builds RE2::Set pattern matcher for the given combination of rules
+        # and tags. It also allows a choice(via `include_missing_tags`) to consider rules
+        # for pattern matching that do not have `tags` property defined. If the given tags
+        # are same as +DEFAULT_PATTERN_MATCHER_TAGS+ then returns the eagerly loaded default
+        # pattern matcher created during initialization.
+        def build_pattern_matcher(tags:, include_missing_tags: false)
+          return default_pattern_matcher if tags.eql?(DEFAULT_PATTERN_MATCHER_TAGS) && !default_pattern_matcher.nil?
+
+          matcher = RE2::Set.new
+
+          rules.each do |rule|
+            rule_tags = rule[:tags]
+
+            include_rule = if tags.empty?
+                             true
+                           elsif rule_tags
+                             tags.intersect?(rule_tags)
+                           else
+                             include_missing_tags
+                           end
+
+            matcher.add(rule[:regex]) if include_rule
+          end
+
+          unless matcher.compile
+            logger.error "Failed to compile secret detection rulesets in RE::Set"
+
+            raise RulesetCompilationError
+          end
+
+          matcher
+        end
+
+        # Creates and returns the unique set of rule matching keywords
+        def create_keywords(rules)
+          secrets_keywords = Set.new
+
+          rules.each do |rule|
+            secrets_keywords.merge rule[:keywords] unless rule[:keywords].nil?
+          end
+
+          secrets_keywords.freeze
+        end
+
+        def build_keyword_matcher(tags:, include_missing_tags: false)
+          return default_keyword_matcher if tags.eql?(DEFAULT_PATTERN_MATCHER_TAGS) && !default_keyword_matcher.nil?
+
+          include_keywords = Set.new
+
+          rules.each do |rule|
+            rule_tags = rule.fetch(:tags, [])
+
+            next if rule_tags.empty? && !include_missing_tags
+            next unless rule_tags.intersect?(tags)
+
+            include_keywords.merge(rule[:keywords]) unless rule[:keywords].nil?
+          end
+
+          return nil if include_keywords.empty?
+
+          keywords_regex = include_keywords.join('|')
+
+          RE2("\\b(#{keywords_regex})")
+        end
+
+        def filter_by_keywords(keyword_matcher, payloads)
+          return [] if keyword_matcher.nil?
+
+          matched_payloads = []
+          payloads.each do |payload|
+            next unless keyword_matcher.partial_match?(payload.data)
+
+            matched_payloads << payload
+          end
+
+          matched_payloads.freeze
+        end
+
+        # Runs the secret detection scan on the given list of payloads. It accepts
+        # literal values to exclude from the input before the scan, also SD rules to exclude during
+        # the scan when performed on the payloads.
+        def run_scan(
+          payloads:, payload_timeout:, pattern_matcher:, raw_value_exclusions: [], rule_exclusions: [])
+          payloads.flat_map do |payload|
+            Timeout.timeout(payload_timeout) do
+              find_secrets_in_payload(
+                payload:,
+                pattern_matcher:,
+                raw_value_exclusions:, rule_exclusions:
+              )
+            end
+          rescue Timeout::Error => e
+            logger.error "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
+            Core::Finding.new(payload.id,
+              Core::Status::PAYLOAD_TIMEOUT)
+          end
+        end
+
+        def run_scan_within_subprocess(
+          payloads:, payload_timeout:, pattern_matcher:, raw_value_exclusions: [],
+          rule_exclusions: [])
+          payload_sizes = payloads.map(&:size)
+          grouped_payload_indices = group_by_chunk_size(payload_sizes)
+
+          grouped_payloads = grouped_payload_indices.map { |idx_arr| idx_arr.map { |i| payloads[i] } }
+
+          found_secrets = Parallel.flat_map(
+            grouped_payloads,
+            in_processes: MAX_PROCS_PER_REQUEST,
+            isolation: true # do not reuse sub-processes
+          ) do |grouped_payload|
+            grouped_payload.flat_map do |payload|
+              Timeout.timeout(payload_timeout) do
+                find_secrets_in_payload(
+                  payload:,
+                  pattern_matcher:,
+                  raw_value_exclusions:, rule_exclusions:
+                )
+              end
+            rescue Timeout::Error => e
+              logger.error "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
+              Core::Finding.new(payload.id, Core::Status::PAYLOAD_TIMEOUT)
+            end
+          end
+
+          found_secrets.freeze
+        end
+
+        # Finds secrets in the given payload guarded with a timeout as a circuit breaker. It accepts
+        # literal values to exclude from the input before the scan, also SD rules to exclude during
+        # the scan.
+        def find_secrets_in_payload(payload:, pattern_matcher:, raw_value_exclusions: [], rule_exclusions: [])
+          findings = []
+
+          payload.data
+                 .each_line($INPUT_RECORD_SEPARATOR, chomp: true)
+                 .each_with_index do |line, index|
+            unless raw_value_exclusions.empty?
+              raw_value_exclusions.each do |value|
+                line.gsub!(value, '') # replace input that doesn't contain allowed value in it
+              end
+            end
+
+            next if line.empty?
+
+            line_no = index + 1
+
+            matches = pattern_matcher.match(line, exception: false) # returns indices of matched patterns
+
+            matches.each do |match_idx|
+              rule = rules[match_idx]
+
+              next if rule_exclusions.include?(rule[:id])
+
+              findings << Core::Finding.new(payload.id, Core::Status::FOUND, line_no, rule[:id], rule[:description])
+            end
+          end
+
+          findings.freeze
+        rescue StandardError => e
+          logger.error "Secret Detection scan failed on the payload(id:#{payload.id}): #{e}"
+
+          Core::Finding.new(payload.id, Core::Status::SCAN_ERROR)
+        end
+
+        # Validates the given payloads by verifying the type and
+        # presence of `id` and `data` fields necessary for the scan
+        def validate_scan_input(payloads)
+          return false if payloads.nil? || !payloads.instance_of?(Array)
+
+          payloads.all? do |payload|
+            payload.respond_to?(:id) && payload.respond_to?(:data)
+          end
+        end
+
+        # Returns the status of the overall scan request
+        # based on the detected secret findings found in the input payloads
+        def overall_scan_status(found_secrets)
+          return Core::Status::NOT_FOUND if found_secrets.empty?
+
+          timed_out_payloads = found_secrets.count { |el| el.status == Core::Status::PAYLOAD_TIMEOUT }
+
+          case timed_out_payloads
+          when 0
+            Core::Status::FOUND
+          when found_secrets.length
+            Core::Status::SCAN_TIMEOUT
+          else
+            Core::Status::FOUND_WITH_ERRORS
+          end
+        end
+
+        # This method accepts an array of payload sizes(in bytes) and groups them into an array
+        # of arrays structure where each element is the group of indices of the input
+        # array whose cumulative payload sizes has at least +MIN_CHUNK_SIZE_PER_PROC_BYTES+
+        def group_by_chunk_size(payload_size_arr)
+          cumulative_size = 0
+          chunk_indexes = []
+          chunk_idx_start = 0
+
+          payload_size_arr.each_with_index do |size, index|
+            cumulative_size += size
+            next unless cumulative_size >= MIN_CHUNK_SIZE_PER_PROC_BYTES
+
+            chunk_indexes << (chunk_idx_start..index).to_a
+
+            chunk_idx_start = index + 1
+            cumulative_size = 0
+          end
+
+          if cumulative_size.positive? && (chunk_idx_start < payload_size_arr.length)
+            chunk_indexes << if chunk_idx_start == payload_size_arr.length - 1
+                               [chunk_idx_start]
+                             else
+                               (chunk_idx_start..payload_size_arr.length - 1).to_a
+                             end
+          end
+
+          chunk_indexes
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/core/status.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module SecretDetection
+    module Core
+      # All the possible statuses emitted by the scan operation
+      class Status
+        FOUND = 1 # When scan operation completes with one or more findings
+        FOUND_WITH_ERRORS = 2 # When scan operation completes with one or more findings along with some errors
+        SCAN_TIMEOUT = 3 # When the scan operation runs beyond given time out
+        PAYLOAD_TIMEOUT = 4 # When the scan operation on a payload runs beyond given time out
+        SCAN_ERROR = 5 # When the scan operation fails due to regex error
+        INPUT_ERROR = 6 # When the scan operation fails due to invalid input
+        NOT_FOUND = 7 # When scan operation completes with zero findings
+        AUTH_ERROR = 8 # When authentication fails
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/core.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require_relative 'core/finding'
+require_relative 'core/response'
+require_relative 'core/status'
+require_relative 'core/scanner'
+require_relative 'core/ruleset'
+
+module Gitlab
+  module SecretDetection
+    module Core
+    end
+  end
+end

data/lib/gitlab/secret_detection/grpc/client/grpc_client.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require 'grpc'
+require_relative '../../grpc/scanner_service'
+require_relative '../../core/response'
+require_relative '../../core/status'
+require_relative '../../utils'
+require_relative './stream_request_enumerator'
+
+module Gitlab
+  module SecretDetection
+    module GRPC
+      class Client
+        include SecretDetection::Utils::StrongMemoize
+        include SDLogger
+
+        # Time to wait for the response from the service
+        REQUEST_TIMEOUT_SECONDS = 10 # 10 seconds
+
+        def initialize(host, secure: false, compression: true)
+          @host = host
+          @secure = secure
+          @compression = compression
+        end
+
+        # Triggers Secret Detection service's `/Scan` gRPC endpoint. To keep it consistent with SDS gem interface,
+        # this method transforms the gRPC response to +Gitlab::SecretDetection::Core::Response+.
+        # Furthermore, any errors that are raised by the service will be translated to
+        # +Gitlab::SecretDetection::Core::Response+ type by assiging a appropriate +status+ value to it.
+        def run_scan(request:, auth_token:, extra_headers: {})
+          with_rescued_errors do
+            grpc_response = stub.scan(
+              request,
+              metadata: build_metadata(auth_token, extra_headers),
+              deadline: request_deadline
+            )
+
+            convert_to_core_response(grpc_response)
+          end
+        end
+
+        # Triggers Secret Detection service's `/ScanStream` gRPC endpoint.
+        #
+        # To keep it consistent with SDS gem interface, this method transforms the gRPC response to
+        # +Gitlab::SecretDetection::Core::Response+ type. Furthermore, any errors that are raised by the service will be
+        # translated to +Gitlab::SecretDetection::Core::Response+ type by assiging a appropriate +status+ value to it.
+        #
+        # Note: If one of the stream requests result in an error, the stream will end immediately without processing the
+        # remaining requests.
+        def run_scan_stream(requests:, auth_token:, extra_headers: {})
+          request_stream = Gitlab::SecretDetection::GRPC::StreamRequestEnumerator.new(requests)
+          results = []
+          with_rescued_errors do
+            stub.scan_stream(
+              request_stream.each_item,
+              metadata: build_metadata(auth_token, extra_headers),
+              deadline: request_deadline
+            ).each do |grpc_response|
+              response = convert_to_core_response(grpc_response)
+              if block_given?
+                yield response
+              else
+                results << response
+              end
+            end
+            results
+          end
+        end
+
+        private
+
+        attr_reader :secure, :host, :compression
+
+        def stub
+          Gitlab::SecretDetection::GRPC::Scanner::Stub.new(
+            host,
+            channel_credentials,
+            channel_args:
+          )
+        end
+
+        strong_memoize_attr :stub
+
+        def channel_args
+          default_options = {
+            'grpc.keepalive_permit_without_calls' => 1,
+            'grpc.keepalive_time_ms' => 30000, # 30 seconds
+            'grpc.keepalive_timeout_ms' => 10000 # 10 seconds timeout for keepalive response
+          }
+
+          compression_options = ::GRPC::Core::CompressionOptions
+                                  .new(default_algorithm: :gzip)
+                                  .to_channel_arg_hash
+
+          default_options.merge!(compression_options) if compression
+
+          default_options.freeze
+        end
+
+        def channel_credentials
+          return :this_channel_is_insecure unless secure
+
+          certs = Gitlab::SecretDetection::Utils::X509::Certificate.ca_certs_bundle
+
+          ::GRPC::Core::ChannelCredentials.new(certs)
+        end
+
+        def build_metadata(token, extra_headers = {})
+          { 'x-sd-auth' => token }.merge!(extra_headers).freeze
+        end
+
+        def request_deadline
+          Time.now + REQUEST_TIMEOUT_SECONDS
+        end
+
+        def with_rescued_errors
+          yield
+        rescue ::GRPC::Unauthenticated
+          SecretDetection::Core::Response.new(SecretDetection::Core::Status::AUTH_ERROR)
+        rescue ::GRPC::InvalidArgument => e
+          SecretDetection::Core::Response.new(
+            SecretDetection::Core::Status::INPUT_ERROR, nil, { message: e.details, **e.metadata }
+          )
+        rescue ::GRPC::Unknown, ::GRPC::BadStatus => e
+          SecretDetection::Core::Response.new(
+            SecretDetection::Core::Status::SCAN_ERROR, nil, { message: e.details }
+          )
+        end
+
+        def convert_to_core_response(grpc_response)
+          response = grpc_response.to_h
+
+          SecretDetection::Core::Response.new(
+            response[:status],
+            response[:results],
+            response[:metadata]
+          )
+        rescue StandardError => e
+          logger.error("Failed to convert to core response: #{e}")
+          SecretDetection::Core::Response.new(SecretDetection::Core::Status::SCAN_ERROR)
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/grpc/client/stream_request_enumerator.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module SecretDetection
+    module GRPC
+      class StreamRequestEnumerator
+        def initialize(requests = [])
+          @requests = requests
+        end
+
+        # yields a request, waiting between 0 and 1 seconds between requests
+        #
+        # @return an Enumerable that yields a request input
+        def each_item
+          return enum_for(:each_item) unless block_given?
+
+          @requests.each do |request|
+            yield request
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/grpc/generated/secret_detection_pb.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: secret_detection.proto
+
+require 'google/protobuf'
+
+
+descriptor_data = "\n\x16secret_detection.proto\x12\x17gitlab.secret_detection\"\xfc\x03\n\x0bScanRequest\x12>\n\x08payloads\x18\x01 \x03(\x0b\x32,.gitlab.secret_detection.ScanRequest.Payload\x12\x19\n\x0ctimeout_secs\x18\x02 \x01(\x02H\x00\x88\x01\x01\x12!\n\x14payload_timeout_secs\x18\x03 \x01(\x02H\x01\x88\x01\x01\x12\x42\n\nexclusions\x18\x04 \x03(\x0b\x32..gitlab.secret_detection.ScanRequest.Exclusion\x12\x0c\n\x04tags\x18\x05 \x03(\t\x1a#\n\x07Payload\x12\n\n\x02id\x18\x01 \x01(\t\x12\x0c\n\x04\x64\x61ta\x18\x02 \x01(\t\x1a\x66\n\tExclusion\x12J\n\x0e\x65xclusion_type\x18\x01 \x01(\x0e\x32\x32.gitlab.secret_detection.ScanRequest.ExclusionType\x12\r\n\x05value\x18\x02 \x01(\t\"f\n\rExclusionType\x12\x1e\n\x1a\x45XCLUSION_TYPE_UNSPECIFIED\x10\x00\x12\x17\n\x13\x45XCLUSION_TYPE_RULE\x10\x01\x12\x1c\n\x18\x45XCLUSION_TYPE_RAW_VALUE\x10\x02\x42\x0f\n\r_timeout_secsB\x17\n\x15_payload_timeout_secs\"\xe2\x03\n\x0cScanResponse\x12>\n\x07results\x18\x01 \x03(\x0b\x32-.gitlab.secret_detection.ScanResponse.Finding\x12\x0e\n\x06status\x18\x02 \x01(\x05\x1a\x9d\x01\n\x07\x46inding\x12\x12\n\npayload_id\x18\x01 \x01(\t\x12\x0e\n\x06status\x18\x02 \x01(\x05\x12\x11\n\x04type\x18\x03 \x01(\tH\x00\x88\x01\x01\x12\x18\n\x0b\x64\x65scription\x18\x04 \x01(\tH\x01\x88\x01\x01\x12\x18\n\x0bline_number\x18\x05 \x01(\x05H\x02\x88\x01\x01\x42\x07\n\x05_typeB\x0e\n\x0c_descriptionB\x0e\n\x0c_line_number\"\xe1\x01\n\x06Status\x12\x16\n\x12STATUS_UNSPECIFIED\x10\x00\x12\x10\n\x0cSTATUS_FOUND\x10\x01\x12\x1c\n\x18STATUS_FOUND_WITH_ERRORS\x10\x02\x12\x17\n\x13STATUS_SCAN_TIMEOUT\x10\x03\x12\x1a\n\x16STATUS_PAYLOAD_TIMEOUT\x10\x04\x12\x15\n\x11STATUS_SCAN_ERROR\x10\x05\x12\x16\n\x12STATUS_INPUT_ERROR\x10\x06\x12\x14\n\x10STATUS_NOT_FOUND\x10\x07\x12\x15\n\x11STATUS_AUTH_ERROR\x10\x08\x32\xc1\x01\n\x07Scanner\x12U\n\x04Scan\x12$.gitlab.secret_detection.ScanRequest\x1a%.gitlab.secret_detection.ScanResponse\"\x00\x12_\n\nScanStream\x12$.gitlab.secret_detection.ScanRequest\x1a%.gitlab.secret_detection.ScanResponse\"\x00(\x01\x30\x01\x42 \xea\x02\x1dGitlab::SecretDetection::GRPCb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+pool.add_serialized_file(descriptor_data)
+
+module Gitlab
+  module SecretDetection
+    module GRPC
+      ScanRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("gitlab.secret_detection.ScanRequest").msgclass
+      ScanRequest::Payload = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("gitlab.secret_detection.ScanRequest.Payload").msgclass
+      ScanRequest::Exclusion = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("gitlab.secret_detection.ScanRequest.Exclusion").msgclass
+      ScanRequest::ExclusionType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("gitlab.secret_detection.ScanRequest.ExclusionType").enummodule
+      ScanResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("gitlab.secret_detection.ScanResponse").msgclass
+      ScanResponse::Finding = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("gitlab.secret_detection.ScanResponse.Finding").msgclass
+      ScanResponse::Status = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("gitlab.secret_detection.ScanResponse.Status").enummodule
+    end
+  end
+end