| 1 | +pages: |
| 2 | + stage: deploy |
| 3 | + script: |
| 4 | + - mkdir .public |
| 5 | + - cp -r * .public |
| 6 | + - mv .public public |
| 7 | + artifacts: |
| 8 | + paths: |
| 9 | + - public/ |
| 10 | + only: |
| 11 | + - master |
| 12 | +variables: |
| 13 | + SECURE_ANALYZERS_PREFIX: registry.gitlab.com/security-products |
| 14 | + SECRET_DETECTION_IMAGE_SUFFIX: '' |
| 15 | + SECRETS_ANALYZER_VERSION: '3' |
| 16 | + SECRET_DETECTION_EXCLUDED_PATHS: '' |
| 17 | +.secret-analyzer: |
| 18 | + stage: test |
| 19 | + image: >- |
| 20 | + $SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX |
| 21 | + services: [] |
| 22 | + allow_failure: false |
| 23 | + variables: |
| 24 | + GIT_DEPTH: '50' |
| 25 | + artifacts: |
| 26 | + reports: |
| 27 | + secret_detection: gl-secret-detection-report.json |
| 28 | +secret_detection: |
| 29 | + extends: .secret-analyzer |
| 30 | + rules: |
| 31 | + - if: $SECRET_DETECTION_DISABLED |
| 32 | + when: never |
| 33 | + - if: $CI_MERGE_REQUEST_IID |
| 34 | + - if: $CI_OPEN_MERGE_REQUESTS |
| 35 | + when: never |
| 36 | + - if: $CI_COMMIT_BRANCH |
| 37 | + script: |
| 38 | + - >- |
| 39 | + if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. |
| 40 | + No code changes have occurred."; exit 0; fi |
| 41 | + - >- |
| 42 | + if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]; then echo "Running |
| 43 | + Secret Detection Historic Scan"; /analyzer run; exit; fi |
| 44 | + - >- |
| 45 | + if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then echo "Running |
| 46 | + Secret Detection on default branch."; /analyzer run; exit; fi |
| 47 | + - > |
| 48 | + if [ "$CI_COMMIT_BEFORE_SHA" == "0000000000000000000000000000000000000000" |
| 49 | + ]; |
| 50 | +
|
| 51 | + then |
| 52 | + # first commit on a new branch |
| 53 | + echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt |
| 54 | + git fetch --depth=2 origin $CI_COMMIT_REF_NAME |
| 55 | + else |
| 56 | + # determine commit range so that we can fetch the appropriate depth |
| 57 | + # check the exit code to determine if we need to limit the commit_list.txt to CI_COMMIT_SHA. |
| 58 | + if ! git log --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt; |
| 59 | + then |
| 60 | + echo "unable to determine commit range, limiting to ${CI_COMMIT_SHA}" |
| 61 | + echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt |
| 62 | + else |
| 63 | + # append newline to to list since `git log` does not end with a |
| 64 | + # newline, this is to keep the log messages consistent |
| 65 | + echo >> ${CI_COMMIT_SHA}_commit_list.txt |
| 66 | + fi |
| 67 | +
|
| 68 | + # we need to extend the git fetch depth to the number of commits + 1 for the following reasons: |
| 69 | + # to include the parent commit of the base commit in this MR/Push event. This is needed because |
| 70 | + # `git diff -p` needs something to compare changes in that commit against |
| 71 | + git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) origin $CI_COMMIT_REF_NAME |
| 72 | + fi |
| 73 | +
|
| 74 | + echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt))) commits for |
| 75 | + a push event" |
| 76 | +
|
| 77 | + export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt |
| 78 | + - /analyzer run |
| 79 | + - rm "$CI_COMMIT_SHA"_commit_list.txt |
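Review bot: The `pages` job at lines 1–11 runs `cp -r * .public`, which publishes the entire repository root to GitLab Pages, and because later-stage jobs download artifacts from earlier stages by default, the `gl-secret-detection-report.json` produced by `secret_detection` (test stage, before deploy) will likely be in the working directory and get published along with everything else — a report that names the files and locations where secrets were found is not something to serve on a public site. Add `dependencies: []` to the `pages` job so it does not pull that artifact, and copy only the site's content directory into `.public` instead of `*`. Separately, `pages` is gated with `only: - master` while the secret-detection script decides its scan mode on `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`; if the project's default branch is not `master`, the two jobs disagree on what the protected branch is, so consider `rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` for `pages` as well. The `.secret-analyzer`/`secret_detection` part mirrors the upstream GitLab template and looks fine as written, including `allow_failure: false` so findings actually block the pipeline.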