gitlab-secret_detection 0.29.1 → 0.30.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/gitlab/secret_detection/core/scanner.rb +38 -16
- data/lib/gitlab/secret_detection/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 65f45d17834681b9a97ff2bb4a896c5e7c227c7bc0f8f65fcf5ba0415a8d602b
|
|
4
|
+
data.tar.gz: a74588e9f8c97bac5c85cc443d51aa22e2f8000242a7bee00f2bd7896e2adb99
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f7637fe881e012b5a076cc1df31e2141a1f8d30cb6d255c5ef753bc7271a37c3688d6e7efc9e60d6405f3603654842570a40fed5eaed6c5a7221248c9c183291
|
|
7
|
+
data.tar.gz: 82dd43f806528787b3b97d9c4aedccf61f4b2ad2621a5f6cee29c913786490e8c5120fe0cb80f63203281e42b1b72895aa1852be66b5a112f64522fce93d0efd
|
|
@@ -24,7 +24,9 @@ module Gitlab
|
|
|
24
24
|
# run the scan within a new subprocess.
|
|
25
25
|
MIN_CHUNK_SIZE_PER_PROC_BYTES = 2_097_152 # 2MiB
|
|
26
26
|
# Whether to run scan in subprocesses or not. Default is false.
|
|
27
|
-
RUN_IN_SUBPROCESS = false
|
|
27
|
+
RUN_IN_SUBPROCESS = ENV.fetch('GITLAB_SD_RUN_IN_SUBPROCESS', false)
|
|
28
|
+
# Default limit for max findings to be returned in the scan
|
|
29
|
+
DEFAULT_MAX_FINDINGS_LIMIT = 999
|
|
28
30
|
|
|
29
31
|
# Initializes the instance with logger along with following operations:
|
|
30
32
|
# 1. Extract keywords from the parsed ruleset to use it for matching keywords before regex operation.
|
|
@@ -61,6 +63,8 @@ module Gitlab
|
|
|
61
63
|
# +tags+:: Array of tag values to filter from the default ruleset when determining the rules used for the scan.
|
|
62
64
|
# For example: Add `gitlab_blocking` to include only rules for Push Protection. Defaults to
|
|
63
65
|
# [`gitlab_blocking`] (+DEFAULT_PATTERN_MATCHER_TAGS+).
|
|
66
|
+
# +max_findings_limit+:: Integer to limit the number of findings to be returned in the scan. Defaults
|
|
67
|
+
# to 999 (+DEFAULT_MAX_FINDINGS_LIMIT+).
|
|
64
68
|
#
|
|
65
69
|
# NOTE:
|
|
66
70
|
# Running the scan in fork mode primarily focuses on reducing the memory consumption of the scan by
|
|
@@ -81,7 +85,8 @@ module Gitlab
|
|
|
81
85
|
payload_timeout: DEFAULT_PAYLOAD_TIMEOUT_SECS,
|
|
82
86
|
exclusions: {},
|
|
83
87
|
tags: DEFAULT_PATTERN_MATCHER_TAGS,
|
|
84
|
-
subprocess: RUN_IN_SUBPROCESS
|
|
88
|
+
subprocess: RUN_IN_SUBPROCESS,
|
|
89
|
+
max_findings_limit: DEFAULT_MAX_FINDINGS_LIMIT
|
|
85
90
|
)
|
|
86
91
|
return Core::Response.new(status: Core::Status::INPUT_ERROR) unless validate_scan_input(payloads)
|
|
87
92
|
|
|
@@ -105,7 +110,8 @@ module Gitlab
|
|
|
105
110
|
payload_timeout:,
|
|
106
111
|
pattern_matcher:,
|
|
107
112
|
exclusions:,
|
|
108
|
-
rules: active_rules
|
|
113
|
+
rules: active_rules,
|
|
114
|
+
max_findings_limit:
|
|
109
115
|
}.freeze
|
|
110
116
|
|
|
111
117
|
logger.info(
|
|
@@ -116,6 +122,7 @@ module Gitlab
|
|
|
116
122
|
scannable_payloads_post_keyword_filter: matched_payloads.length,
|
|
117
123
|
tags:,
|
|
118
124
|
run_in_subprocess: subprocess,
|
|
125
|
+
max_findings_limit:,
|
|
119
126
|
given_exclusions: format_exclusions_hash(exclusions)
|
|
120
127
|
)
|
|
121
128
|
|
|
@@ -282,9 +289,9 @@ module Gitlab
|
|
|
282
289
|
payloads:,
|
|
283
290
|
payload_timeout:,
|
|
284
291
|
pattern_matcher:,
|
|
292
|
+
max_findings_limit:,
|
|
285
293
|
exclusions: {},
|
|
286
|
-
rules: []
|
|
287
|
-
)
|
|
294
|
+
rules: [])
|
|
288
295
|
all_applied_exclusions = Set.new
|
|
289
296
|
|
|
290
297
|
logger.info(
|
|
@@ -292,7 +299,7 @@ module Gitlab
|
|
|
292
299
|
payload_timeout:
|
|
293
300
|
)
|
|
294
301
|
|
|
295
|
-
|
|
302
|
+
capped_findings = payloads.lazy.flat_map do |payload|
|
|
296
303
|
Timeout.timeout(payload_timeout) do
|
|
297
304
|
findings, applied_exclusions = find_secrets_in_payload(
|
|
298
305
|
payload:,
|
|
@@ -308,14 +315,16 @@ module Gitlab
|
|
|
308
315
|
|
|
309
316
|
Core::Finding.new(payload.id,
|
|
310
317
|
Core::Status::PAYLOAD_TIMEOUT)
|
|
311
|
-
end
|
|
312
|
-
|
|
318
|
+
end.take(max_findings_limit).to_a
|
|
319
|
+
|
|
320
|
+
[capped_findings, all_applied_exclusions.to_a]
|
|
313
321
|
end
|
|
314
322
|
|
|
315
323
|
def run_scan_within_subprocess(
|
|
316
324
|
payloads:,
|
|
317
325
|
payload_timeout:,
|
|
318
326
|
pattern_matcher:,
|
|
327
|
+
max_findings_limit:,
|
|
319
328
|
exclusions: {},
|
|
320
329
|
rules: []
|
|
321
330
|
)
|
|
@@ -332,12 +341,16 @@ module Gitlab
|
|
|
332
341
|
payload_timeout:
|
|
333
342
|
)
|
|
334
343
|
|
|
335
|
-
found_secrets =
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
344
|
+
found_secrets = []
|
|
345
|
+
|
|
346
|
+
grouped_payloads.each do |grouped_payload|
|
|
347
|
+
break if found_secrets.length >= max_findings_limit
|
|
348
|
+
|
|
349
|
+
batch_results = Parallel.map(
|
|
350
|
+
grouped_payload,
|
|
351
|
+
in_processes: MAX_PROCS_PER_REQUEST,
|
|
352
|
+
isolation: true # do not reuse sub-processes
|
|
353
|
+
) do |payload|
|
|
341
354
|
Timeout.timeout(payload_timeout) do
|
|
342
355
|
findings, applied_exclusions = find_secrets_in_payload(
|
|
343
356
|
payload:,
|
|
@@ -345,14 +358,23 @@ module Gitlab
|
|
|
345
358
|
exclusions:,
|
|
346
359
|
rules:
|
|
347
360
|
)
|
|
348
|
-
|
|
349
|
-
findings
|
|
361
|
+
[findings, applied_exclusions]
|
|
350
362
|
end
|
|
351
363
|
rescue Timeout::Error => e
|
|
352
364
|
logger.warn "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
|
|
353
365
|
|
|
354
366
|
Core::Finding.new(payload.id, Core::Status::PAYLOAD_TIMEOUT)
|
|
355
367
|
end
|
|
368
|
+
|
|
369
|
+
# Process results and collect exclusions
|
|
370
|
+
batch_results.each do |findings, applied_exclusions|
|
|
371
|
+
all_applied_exclusions.merge(applied_exclusions)
|
|
372
|
+
|
|
373
|
+
remaining_slots = max_findings_limit - found_secrets.length
|
|
374
|
+
found_secrets.concat(findings.take(remaining_slots))
|
|
375
|
+
|
|
376
|
+
break if found_secrets.length >= max_findings_limit
|
|
377
|
+
end
|
|
356
378
|
end
|
|
357
379
|
|
|
358
380
|
[found_secrets, all_applied_exclusions.to_a]
|
|
@@ -5,7 +5,7 @@ module Gitlab
|
|
|
5
5
|
class Gem
|
|
6
6
|
# Ensure to maintain the same version in CHANGELOG file.
|
|
7
7
|
# More details available under 'Release Process' section in the README.md file.
|
|
8
|
-
VERSION = "0.
|
|
8
|
+
VERSION = "0.30.0"
|
|
9
9
|
|
|
10
10
|
# SD_ENV env var is used to determine which environment the
|
|
11
11
|
# server is running. This var is defined in `.runway/env-<env>.yml` files.
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: gitlab-secret_detection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.30.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- group::secret detection
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2025-06-
|
|
13
|
+
date: 2025-06-11 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: grpc
|