gitlab-secret_detection 0.19.0 → 0.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24a3afdfa8519bd53576f9fe18ffffc12d9ed32d80e27610d03300666423e8a7
-  data.tar.gz: f7b000df1c5c6e712e528f388a44506f3cfce79bd6044de44ad106087f59d52f
+  metadata.gz: 8cd95dc817999bb641642ef12f37c72cdf877e417caf728752e5d61cbae1bcd2
+  data.tar.gz: 42d9ce659069690870f07310bc35d8e41aab5accc23f2d8a5eac094bac9e6bbe
 SHA512:
-  metadata.gz: 4ca94bc1d02d099c7f7404b321abbc1bf7be811112e564dc44c1256b42e5aeea6d4ab207280d0ccb88ef2c62f7f17eb3fbb47f6eadc717ef5cd33f4e66cf5e26
-  data.tar.gz: f8815666aa5ff2f129c40eb42814449d9201755a91ee2b4f3bb33b48bbe3364a9e3d78b36ec8adf2fdd94e51a03d448d9d36fbf12326f4312a14cb31843bdb96
+  metadata.gz: ed2fc3c749afe3be21fe16d1f05fd1d16511dd20a7bd77594b707bd99248ee96ed3c2fafc2e0ade16cbad99f7265ea0b8941d3021547b4c4d9f4363bfad31965
+  data.tar.gz: f2a8d9e25d2ccf3a1f35afa23dffd01a21871d895f9bd0f7a4daffd430391067eabe305db230a575cdda41975eb926fa8c50a84914ab3d26b33d2703e58f597a

data/README.md

@@ -62,20 +62,21 @@ the approach:
 
 Usage `make <command>`
 
-| Command             | Description                                                                                                                     |
-|---------------------|---------------------------------------------------------------------------------------------------------------------------------|
-| `install_secret_detection_rules` | Downloads secret-detection-rules based on package version defined in RULES_VERSION                                 |
-| `install`           | Installs ruby gems in the project using Ruby bundler                                                                            |
-| `lint_fix`          | Fixes all the fixable Rubocop lint offenses                                                                                     |
-| `gem_clean`         | Cleans existing gem file(if any) generated through gem build process                                                            |
-| `gem_build`         | Builds Ruby gem file wrapping secret detection logic (lib directory)                                                            |
-| `generate_proto`    | Generates ruby(.rb) files for the Protobud Service Definition files(.proto)                                                     |
-| `grpc_docker_build` | Builds a docker container image for gRPC server                                                                                 |
-| `grpc_docker_serve` | Runs gRPC server via docker container listening on port 8080. Run `grpc_docker_build` make command before running this command. |
-| `grpc_serve`        | Runs gRPC server on the CLI listening on port 50001. Run `install` make command before running this command.                    |
-| `run_core_tests`    | Runs RSpec tests for Secret Detection core logic                                                                                |
-| `run_grpc_tests`    | Runs RSpec tests for Secret Detection gRPC endpoints                                                                            |
-| `run_all_tests`     | Runs all the RSpec tests in the project                                                                                         |
+| Command                          | Description                                                                                                                     |
+|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------|
+| `install_secret_detection_rules` | Downloads secret-detection-rules based on package version defined in RULES_VERSION                                              |
+| `install`                        | Installs ruby gems in the project using Ruby bundler                                                                            |
+| `lint_fix`                       | Fixes all the fixable Rubocop lint offenses                                                                                     |
+| `gem_clean`                      | Cleans existing gem file(if any) generated through gem build process                                                            |
+| `gem_build`                      | Builds Ruby gem file wrapping secret detection logic (lib directory)                                                            |
+| `generate_proto`                 | Generates ruby(.rb) files for the Protobud Service Definition files(.proto)                                                     |
+| `grpc_docker_build`              | Builds a docker container image for gRPC server                                                                                 |
+| `grpc_docker_serve`              | Runs gRPC server via docker container listening on port 8080. Run `grpc_docker_build` make command before running this command. |
+| `grpc_serve`                     | Runs gRPC server on the CLI listening on port 50001. Run `install` make command before running this command.                    |
+| `run_core_tests`                 | Runs RSpec tests for Secret Detection core logic                                                                                |
+| `run_grpc_tests`                 | Runs RSpec tests for Secret Detection gRPC endpoints                                                                            |
+| `run_utils_tests`                | Runs RSpec tests for Secret Detection utilities                                                                                 |
+| `run_all_tests`                  | Runs all the RSpec tests in the project                                                                                         |
 
 
 ## Secret Detection Rules

data/lib/gitlab/secret_detection/core/ruleset.rb

@@ -7,6 +7,14 @@ module Gitlab
   module SecretDetection
     module Core
       class Ruleset
+        # RulesetParseError is thrown when the code fails to parse the
+        # ruleset file from the given path
+        RulesetParseError = Class.new(StandardError)
+
+        # RulesetCompilationError is thrown when the code fails to compile
+        # the predefined rulesets
+        RulesetCompilationError = Class.new(StandardError)
+
         # file path where the secrets ruleset file is located
         RULESET_FILE_PATH = File.expand_path('secret_push_protection_rules.toml', __dir__)
 
@@ -21,17 +29,36 @@ module Gitlab
           @rule_data = parse_ruleset
         end
 
+        def extract_ruleset_version
+          @ruleset_version ||= if File.readable?(RULESET_FILE_PATH)
+                                 first_line = File.open(RULESET_FILE_PATH, &:gets)
+                                 first_line&.split(":")&.[](1)&.strip
+                               end
+        rescue StandardError => e
+          logger.error(message: "Failed to extract Secret Detection Ruleset version from ruleset file: #{e.message}")
+        end
+
         private
 
         attr_reader :path, :logger
 
         # parses given ruleset file and returns the parsed rules
         def parse_ruleset
-          # rule_file_content = File.read(path)
+          logger.info(
+            message: "Parsing local ruleset file",
+            ruleset_path: RULESET_FILE_PATH
+          )
           rules_data = TomlRB.load_file(path, symbolize_keys: true).freeze
+          ruleset_version = extract_ruleset_version
+
+          logger.info(
+            message: "Ruleset details fetched for running Secret Detection scan",
+            total_rules: rules_data[:rules]&.length,
+            ruleset_version:
+          )
           rules_data[:rules].freeze
         rescue StandardError => e
-          logger.error "Failed to parse secret detection ruleset from '#{path}' path: #{e}"
+          logger.error(message: "Failed to parse local secret detection ruleset: #{e.message}")
           raise Core::Scanner::RulesetParseError, e
         end
       end

data/lib/gitlab/secret_detection/core/scanner.rb

@@ -11,14 +11,6 @@ module Gitlab
     module Core
       # Scan is responsible for running Secret Detection scan operation
       class Scanner
-        # RulesetParseError is thrown when the code fails to parse the
-        # ruleset file from the given path
-        RulesetParseError = Class.new(StandardError)
-
-        # RulesetCompilationError is thrown when the code fails to compile
-        # the predefined rulesets
-        RulesetCompilationError = Class.new(StandardError)
-
         # default time limit(in seconds) for running the scan operation per invocation
         DEFAULT_SCAN_TIMEOUT_SECS = 180 # 3 minutes
         # default time limit(in seconds) for running the scan operation on a single payload
@@ -91,7 +83,6 @@ module Gitlab
           tags: DEFAULT_PATTERN_MATCHER_TAGS,
           subprocess: RUN_IN_SUBPROCESS
         )
-
           return Core::Response.new(status: Core::Status::INPUT_ERROR) unless validate_scan_input(payloads)
 
           # assign defaults since grpc passing zero timeout value to `Timeout.timeout(..)` makes it effectively useless.
@@ -111,12 +102,29 @@ module Gitlab
               payload_timeout:,
               pattern_matcher: build_pattern_matcher(tags:),
               exclusions:
-            }
+            }.freeze
+
+            logger.info(
+              message: "Scan input parameters for running Secret Detection scan",
+              timeout:,
+              payload_timeout:,
+              given_total_payloads: payloads.length,
+              scannable_payloads_post_keyword_filter: matched_payloads.length,
+              tags:,
+              run_in_subprocess: subprocess,
+              given_exclusions: format_exclusions_hash(exclusions)
+            )
 
             secrets, applied_exclusions = subprocess ? run_scan_within_subprocess(**scan_args) : run_scan(**scan_args)
 
             scan_status = overall_scan_status(secrets)
 
+            logger.info(
+              message: "Secret Detection scan completed with #{secrets.length} secrets detected in the given payloads",
+              detected_secrets_metadata: format_detected_secrets_metadata(secrets),
+              applied_exclusions: format_exclusions_arr(applied_exclusions)
+            )
+
             Core::Response.new(status: scan_status, results: secrets, applied_exclusions:)
           end
         rescue Timeout::Error => e
@@ -135,7 +143,18 @@ module Gitlab
         # are same as +DEFAULT_PATTERN_MATCHER_TAGS+ then returns the eagerly loaded default
         # pattern matcher created during initialization.
         def build_pattern_matcher(tags:, include_missing_tags: false)
-          return default_pattern_matcher if tags.eql?(DEFAULT_PATTERN_MATCHER_TAGS) && !default_pattern_matcher.nil?
+          if tags.eql?(DEFAULT_PATTERN_MATCHER_TAGS) && !default_pattern_matcher.nil?
+            logger.info(
+              message: "Given tags input matches default matcher tags, using pre-defined RE2 Pattern Matcher"
+            )
+            return default_pattern_matcher
+          end
+
+          logger.info(
+            message: "Creating a new RE2 Pattern Matcher with given tags",
+            tags:,
+            include_missing_tags:
+          )
 
           matcher = RE2::Set.new
 
@@ -154,9 +173,9 @@ module Gitlab
           end
 
           unless matcher.compile
-            logger.error "Failed to compile secret detection rulesets in RE::Set"
+            logger.error "Failed to compile secret detection ruleset in RE::Set"
 
-            raise RulesetCompilationError
+            raise Core::Ruleset::RulesetCompilationError
           end
 
           matcher
@@ -174,7 +193,18 @@ module Gitlab
         end
 
         def build_keyword_matcher(tags:, include_missing_tags: false)
-          return default_keyword_matcher if tags.eql?(DEFAULT_PATTERN_MATCHER_TAGS) && !default_keyword_matcher.nil?
+          if tags.eql?(DEFAULT_PATTERN_MATCHER_TAGS) && !default_keyword_matcher.nil?
+            logger.info(
+              message: "Given tags input matches default tags, using pre-defined RE2 Keyword Matcher"
+            )
+            return default_keyword_matcher
+          end
+
+          logger.info(
+            message: "Creating a new RE2 Keyword Matcher..",
+            tags:,
+            include_missing_tags:
+          )
 
           include_keywords = Set.new
 
@@ -187,15 +217,28 @@ module Gitlab
             include_keywords.merge(rule[:keywords]) unless rule[:keywords].nil?
           end
 
-          return nil if include_keywords.empty?
+          if include_keywords.empty?
+            logger.error(
+              message: "No rule keywords found a match with given rule tags, returning empty RE2 Keyword Matcher"
+            )
+            return nil
+          end
 
           keywords_regex = include_keywords.join('|')
 
+          logger.debug(
+            message: "Creating RE2 Keyword Matcher with set of rule keywords",
+            keywords: include_keywords.to_a
+          )
+
           RE2("\\b(#{keywords_regex})")
         end
 
         def filter_by_keywords(keyword_matcher, payloads)
-          return [] if keyword_matcher.nil?
+          if keyword_matcher.nil?
+            logger.warn "No RE2 Keyword Matcher instance available, skipping payload filter by rule keywords step.."
+            return payloads
+          end
 
           matched_payloads = []
           payloads.each do |payload|
@@ -204,6 +247,20 @@ module Gitlab
             matched_payloads << payload
           end
 
+          total_payloads_retained = matched_payloads.length == payloads.length ? 'all' : matched_payloads.length
+          log_message = if matched_payloads.empty?
+                          "No payloads available to scan further after keyword-matching, exiting Secret Detection scan"
+                        else
+                          "Retained #{total_payloads_retained} payloads to scan further after keyword-matching step"
+                        end
+
+          logger.info(
+            message: log_message,
+            given_total_payloads: payloads.length,
+            matched_payloads: matched_payloads.length,
+            payloads_to_scan_further: matched_payloads.map(&:id)
+          )
+
           matched_payloads
         end
 
@@ -218,6 +275,11 @@ module Gitlab
         )
           all_applied_exclusions = Set.new
 
+          logger.info(
+            message: "Running Secret Detection scan sequentially",
+            payload_timeout:
+          )
+
           all_findings = payloads.flat_map do |payload|
             Timeout.timeout(payload_timeout) do
               findings, applied_exclusions = find_secrets_in_payload(
@@ -229,7 +291,7 @@ module Gitlab
               findings
             end
           rescue Timeout::Error => e
-            logger.error "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
+            logger.warn "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
 
             Core::Finding.new(payload.id,
               Core::Status::PAYLOAD_TIMEOUT)
@@ -249,6 +311,12 @@ module Gitlab
 
           grouped_payloads = grouped_payload_indices.map { |idx_arr| idx_arr.map { |i| payloads[i] } }
 
+          logger.info(
+            message: "Running Secret Detection scan within a subprocess",
+            grouped_payloads: grouped_payloads.length,
+            payload_timeout:
+          )
+
           found_secrets = Parallel.flat_map(
             grouped_payloads,
             in_processes: MAX_PROCS_PER_REQUEST,
@@ -265,7 +333,7 @@ module Gitlab
                 findings
               end
             rescue Timeout::Error => e
-              logger.error "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
+              logger.warn "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
 
               Core::Finding.new(payload.id, Core::Status::PAYLOAD_TIMEOUT)
             end
@@ -291,8 +359,10 @@ module Gitlab
                  .each_with_index do |line, index|
             unless raw_value_exclusions.empty?
               raw_value_exclusions.each do |exclusion|
-                line.gsub!(exclusion.value, '') # replace input that doesn't contain allowed value in it
-                applied_exclusions << exclusion
+                # replace input that doesn't contain allowed value in it
+                # replace exclusion value, `.gsub!` returns 'self' if replaced otherwise 'nil'
+                excl_replaced = !!line.gsub!(exclusion.value, '')
+                applied_exclusions << exclusion if excl_replaced
               end
             end
 
@@ -323,6 +393,13 @@ module Gitlab
             end
           end
 
+          logger.info(
+            message: "Secret Detection scan found #{findings.length} secret leaks in the payload(id:#{payload.id})",
+            payload_id: payload.id,
+            detected_rules: findings.map { |f| "#{f.type}:#{f.line_number}" },
+            applied_exclusions: format_exclusions_arr(applied_exclusions)
+          )
+
           [findings, applied_exclusions]
         rescue StandardError => e
           logger.error "Secret Detection scan failed on the payload(id:#{payload.id}): #{e}"
@@ -338,10 +415,20 @@ module Gitlab
         # Validates the given payloads by verifying the type and
         # presence of `id` and `data` fields necessary for the scan
         def validate_scan_input(payloads)
-          return false if payloads.nil? || !payloads.instance_of?(Array)
+          if payloads.nil? || !payloads.instance_of?(Array)
+            logger.debug(message: "Scan input validation error: payloads arg is empty or not instance of array")
+            return false
+          end
 
           payloads.all? do |payload|
-            payload.respond_to?(:id) && payload.respond_to?(:data)
+            has_valid_fields = payload.respond_to?(:id) && payload.respond_to?(:data)
+            unless has_valid_fields
+              logger.debug(
+                message: "Scan input validation error: one of the payloads does not respond to `id` or `data`"
+              )
+            end
+
+            has_valid_fields
           end
         end
 
@@ -390,6 +477,75 @@ module Gitlab
 
           chunk_indexes
         end
+
+        # Returns array of strings with each representing a masked exclusion
+        #
+        # Example: For given arg exclusions = {
+        #     rule: ["gitlab_personal_access_token", "aws_key"],
+        #     path: ["test.py"],
+        #     raw_value: ["ABC123XYZ"]
+        # }
+        #
+        # The output will look like the following:
+        # [
+        #   "rule=gitlab_personal_access_token,aws_key",
+        #   "raw_value=AB*****YZ",
+        #   "paths=test.py"
+        # ]
+        def format_exclusions_hash(exclusions = {})
+          masked_raw_values = exclusions.fetch(:raw_value, []).map do |exclusion|
+            Gitlab::SecretDetection::Utils::Masker.mask_secret(exclusion.value)
+          end.join(", ")
+          paths = exclusions.fetch(:path, []).map(&:value).join(", ")
+          rules = exclusions.fetch(:rule, []).map(&:value).join(", ")
+
+          out = []
+
+          out << "rules=#{rules}" unless rules.empty?
+          out << "raw_values=#{masked_raw_values}" unless masked_raw_values.empty?
+          out << "paths=#{paths}" unless paths.empty?
+
+          out
+        end
+
+        def format_exclusions_arr(exclusions = [])
+          return [] if exclusions.empty?
+
+          masked_raw_values = Set.new
+          paths = Set.new
+          rules = Set.new
+
+          exclusions.each do |exclusion|
+            case exclusion.exclusion_type
+            when :EXCLUSION_TYPE_RAW_VALUE
+              masked_raw_values << Gitlab::SecretDetection::Utils::Masker.mask_secret(exclusion.value)
+            when :EXCLUSION_TYPE_RULE
+              rules << exclusion.value
+            when :EXCLUSION_TYPE_PATH
+              paths << exclusion.value
+            else
+              logger.warn("Unknown exclusion type #{exclusion.exclusion_type}")
+            end
+          end
+
+          out = []
+
+          out << "rules=#{rules.join(',')}" unless rules.empty?
+          out << "raw_values=#{masked_raw_values.join(',')}" unless masked_raw_values.empty?
+          out << "paths=#{paths.join(',')}" unless paths.empty?
+
+          out
+        end
+
+        def format_detected_secrets_metadata(findings = [])
+          return [] if findings.empty?
+
+          found_secrets = findings.filter do |f|
+            f.status == Core::Status::FOUND
+          end
+
+          found_secrets.map { |f| "#{f.payload_id}=>#{f.type}:#{f.line_number}" }
+        end
       end
     end
   end

data/lib/gitlab/secret_detection/grpc/integrated_error_tracking.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'sentry-ruby'
+
+require_relative '../../../../lib/gitlab/secret_detection/core/ruleset'
+
+module Gitlab
+  module SecretDetection
+    module GRPC
+      module IntegratedErrorTracking
+        extend self
+
+        def track_exception(exception, args = {})
+          unless Sentry.initialized?
+            logger.warn(message: "Cannot track exception in Error Tracking as Sentry is not initialized")
+            return
+          end
+
+          args[:ruleset_version] = ruleset_version
+
+          Sentry.capture_exception(exception, **args)
+        end
+
+        def setup(logger: Logger.new($stdout))
+          if Sentry.initialized?
+            logger.warn(message: "Sentry is already initialized, skipping re-setup")
+            return
+          end
+
+          logger.info(message: "Initializing Sentry SDK for Integrated Error Tracking..")
+
+          unless can_setup_sentry?
+            logger.warn(message: "Integrated Error Tracking not available, skipping Sentry SDK initialization")
+            return false
+          end
+
+          Sentry.init do |config|
+            config.dsn = ENV.fetch('SD_TRACKING_DSN')
+            config.environment = ENV.fetch('SD_ENV')
+            config.release = Gitlab::SecretDetection::Gem::VERSION
+            config.send_default_pii = true
+            config.send_modules = false
+            config.traces_sample_rate = 0.2 if ENV.fetch('ENABLE_SENTRY_PERFORMANCE_MONITORING', 'false') == 'true'
+          end
+
+          Sentry.set_context('ruleset', { version: ruleset_version })
+
+          true
+        rescue StandardError => e
+          logger.error(message: "Failed to initialize Sentry SDK for Integrated Error Tracking: #{e}")
+          raise e
+        end
+
+        def ruleset_version
+          @ruleset_version ||= Gitlab::SecretDetection::Core::Ruleset.new.extract_ruleset_version || 'unknown'
+        end
+
+        def can_setup_sentry?
+          ENV.fetch('SD_ENV', '') == 'production' && ENV.fetch('SD_TRACKING_DSN', '') != ''
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/grpc/scanner_service.rb

@@ -32,6 +32,7 @@ module Gitlab
     module GRPC
       class ScannerService < Scanner::Service
         include SDLogger
+        include IntegratedErrorTracking
 
         # Maximum timeout value that can be given as the input. This guards
         # against the misuse of timeouts.
@@ -45,19 +46,34 @@ module Gitlab
         }.freeze
 
         # Implementation for /Scan RPC method
-        def scan(request, _call)
-          scan_request_action(request)
+        def scan(request, call)
+          scan_request_action(request, call)
         end
 
         # Implementation for /ScanStream RPC method
-        def scan_stream(requests, _call)
-          request_action = ->(r) { scan_request_action(r) }
+        def scan_stream(requests, call)
+          request_action = ->(r) { scan_request_action(r, call) }
           StreamEnumerator.new(requests, request_action).each_item
         end
 
         private
 
-        def scan_request_action(request)
+        def scan_request_action(request, call)
+          if request.nil?
+            logger.error(
+              message: "FATAL: Secret Detection gRPC scan request is `nil`",
+              deadline: call.deadline,
+              cancelled: call.cancelled?
+            )
+            return Gitlab::SecretDetection::GRPC::ScanResponse.new(
+              results: [],
+              status: Gitlab::SecretDetection::GRPC::ScanResponse::Status::STATUS_INPUT_ERROR,
+              applied_exclusions: []
+            )
+          end
+
+          logger.info(message: "Secret Detection gRPC scan request received")
+
           validate_request(request)
 
           payloads = request.payloads.to_a
@@ -66,7 +82,7 @@ module Gitlab
           request.exclusions.each do |exclusion|
             case exclusion.exclusion_type
             when :EXCLUSION_TYPE_RAW_VALUE
-              exclusions[:raw] << exclusion
+              exclusions[:raw_value] << exclusion
             when :EXCLUSION_TYPE_RULE
               exclusions[:rule] << exclusion
             when :EXCLUSION_TYPE_PATH
@@ -85,7 +101,8 @@ module Gitlab
               payload_timeout: request.payload_timeout_secs
             )
           rescue StandardError => e
-            logger.error("Failed to run the scan: #{e}")
+            logger.error(message: "Failed to run the secret detection scan", exception: e.message)
+            track_exception(e)
             raise ::GRPC::Unknown, e.message
           end
 

data/lib/gitlab/secret_detection/grpc.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'grpc/integrated_error_tracking'
 require_relative 'grpc/scanner_service'
 require_relative 'grpc/client/stream_request_enumerator'
 require_relative 'grpc/client/grpc_client'

data/lib/gitlab/secret_detection/utils/masker.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module SecretDetection
+    module Utils
+      class Masker
+        DEFAULT_VISIBLE_CHAR_COUNT = 3
+        DEFAULT_MASK_CHAR_COUNT = 5
+        DEFAULT_MASK_CHAR = '*'
+
+        class << self
+          def mask_secret(
+            raw_secret_value,
+            mask_char: DEFAULT_MASK_CHAR,
+            visible_chars_count: DEFAULT_VISIBLE_CHAR_COUNT,
+            mask_chars_count: DEFAULT_MASK_CHAR_COUNT
+          )
+            return '' if raw_secret_value.nil? || raw_secret_value.empty?
+            return raw_secret_value if raw_secret_value.length <= visible_chars_count # Too short to mask
+
+            chars = raw_secret_value.chars
+            position = 0
+
+            while position < chars.length
+              # Show 'visible_chars_count' characters
+              position += visible_chars_count
+
+              # Mask next 'mask_chars' characters if available
+              mask_chars_count.times do
+                break if position >= chars.length
+
+                chars[position] = mask_char
+                position += 1
+              end
+            end
+
+            chars.join
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/utils.rb

@@ -2,6 +2,7 @@
 
 require_relative 'utils/certificate'
 require_relative 'utils/memoize'
+require_relative 'utils/masker'
 
 module Gitlab
   module SecretDetection

data/lib/gitlab/secret_detection/version.rb

@@ -8,7 +8,7 @@ module Gitlab
       #  https://gitlab.com/gitlab-org/gitlab/-/issues/514015
       #
       # Ensure to maintain the same version in CHANGELOG file.
-      VERSION = "0.19.0"
+      VERSION = "0.20.0"
 
       # SD_ENV env var is used to determine which environment the
       # server is running. This var is defined in `.runway/env-<env>.yml` files.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.19.0
+  version: 0.20.0
 platform: ruby
 authors:
 - group::secret detection
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-13 00:00:00.000000000 Z
+date: 2025-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
@@ -82,6 +82,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: sentry-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.22'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.22'
+- !ruby/object:Gem::Dependency
+  name: stackprof
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.27
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.27
 - !ruby/object:Gem::Dependency
   name: toml-rb
   requirement: !ruby/object:Gem::Requirement
@@ -124,9 +152,11 @@ files:
 - lib/gitlab/secret_detection/grpc/generated/.gitkeep
 - lib/gitlab/secret_detection/grpc/generated/secret_detection_pb.rb
 - lib/gitlab/secret_detection/grpc/generated/secret_detection_services_pb.rb
+- lib/gitlab/secret_detection/grpc/integrated_error_tracking.rb
 - lib/gitlab/secret_detection/grpc/scanner_service.rb
 - lib/gitlab/secret_detection/utils.rb
 - lib/gitlab/secret_detection/utils/certificate.rb
+- lib/gitlab/secret_detection/utils/masker.rb
 - lib/gitlab/secret_detection/utils/memoize.rb
 - lib/gitlab/secret_detection/version.rb
 - proto/secret_detection.proto