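---
# This job overrides the default secret detection job from GitLab
# (https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml)
# and fails if vulnerabilities were found. The exit code represents the number of
# vulnerabilities, clamped to 255: shell exit statuses are 0-255, so an unclamped
# count of exactly 256 would wrap to 0 and let the job pass.
#
# Requirements:
# - Stage "test"

include:
  - template: Security/Secret-Detection.gitlab-ci.yml

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    # Branch pipelines only; tag pipelines never reach the script below.
    - if: $CI_COMMIT_BRANCH
  variables:
    # Prints the number of findings in the analyzer's report. jq reads the file
    # directly, so a missing report is a jq error (non-zero status) rather than
    # an empty count that `exit` would silently treat as success.
    GET_VULNERABILITY_COUNT: "jq --raw-output '.vulnerabilities | length' gl-secret-detection-report.json"
  script:
    # Defensive only: the rules above already exclude tag pipelines.
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    - apk add jq
    - |
      if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
        echo "Running Secret Detection on default branch."
      else
        # Restrict the scan to the symmetric difference between the default branch
        # and this branch (patch-equivalent commits dropped), handed to the analyzer
        # via SECRET_DETECTION_COMMITS_FILE.
        # NOTE(review): --left-right lists commits from both sides, so commits that
        # exist only on the default branch are scanned as well; --right-only would
        # limit the list to this branch's commits. Confirm before changing.
        git fetch origin "$CI_DEFAULT_BRANCH" "$CI_COMMIT_REF_NAME"
        git log --left-right --cherry-pick --pretty=format:"%H" \
          "refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME" \
          > "$CI_COMMIT_SHA"_commit_list.txt
        export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt
      fi
    - /analyzer run
    - |
      if [ -n "${SECRET_DETECTION_COMMITS_FILE:-}" ]; then rm -f "$SECRET_DETECTION_COMMITS_FILE"; fi
      # Capture the count first: `exit $(...)` with an empty substitution would exit
      # with the previous command's status (0 after a successful analyzer run) and
      # mask a missing or malformed report.
      count=$(eval "$GET_VULNERABILITY_COUNT") || { echo "Secret Detection report could not be read."; exit 1; }
      case "$count" in
        ''|*[!0-9]*) echo "Unexpected vulnerability count: '$count'"; exit 1 ;;
      esac
      if [ "$count" -gt 0 ]; then echo "Secret Detection found $count vulnerabilities."; fi
      # Exit statuses are taken modulo 256; clamp so a large count cannot wrap to "success".
      if [ "$count" -gt 255 ]; then count=255; fi
      exit "$count"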