@SuperKa3a
Forked from halloei/secret_detection.yml
Created September 30, 2022 03:51

Revisions

  1. @halloei halloei created this gist Dec 9, 2021.
    28 changes: 28 additions & 0 deletions secret_detection.yml
    @@ -0,0 +1,28 @@
    # This job overrides the default secret detection job from GitLab
    # (https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml)
    # and fails if vulnerabilities were found. The exit code represents the number of vulnerabilities.
    #
    # Requirements:
    # - Stage "test"

    include:
    - template: Security/Secret-Detection.gitlab-ci.yml

    secret_detection:
    extends: .secret-analyzer
    rules:
    - if: $SECRET_DETECTION_DISABLED
    when: never
    - if: $CI_COMMIT_BRANCH
    variables:
    GET_VULNERABILITY_COUNT: "cat gl-secret-detection-report.json | jq --raw-output '.vulnerabilities | length'"
    script:
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    - apk add jq
    - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit $(eval "$GET_VULNERABILITY_COUNT"); fi
    - git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
    - git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
    - export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt
    - /analyzer run
    - rm "$CI_COMMIT_SHA"_commit_list.txt
    - exit $(eval "$GET_VULNERABILITY_COUNT")
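Review bot: the two `exit $(eval "$GET_VULNERABILITY_COUNT")` lines (the default-branch shortcut in the third script line and the final line) make the job's pass/fail signal unreliable even though the header comment says the exit code is meant to be the vulnerability count: a shell exit status is taken modulo 256, so a report with 256 findings (or any multiple) exits 0 and the pipeline goes green; if the report has no `vulnerabilities` key, `null | length` evaluates to 0 in jq and the job also passes silently; and if gl-secret-detection-report.json is missing, `cat` fails, jq prints nothing and `exit` runs with an empty argument instead of failing the job. Suggest capturing the count first and failing on any non-zero value, e.g. `COUNT=$(jq --raw-output '.vulnerabilities | length' gl-secret-detection-report.json)` followed by `echo "Secrets found: $COUNT"` and `test "$COUNT" -eq 0`, guarded by `[ -f gl-secret-detection-report.json ] || exit 1`; that also drops the `cat |` in GET_VULNERABILITY_COUNT and the `eval`. Separately, the rule `- if: $CI_COMMIT_BRANCH` already excludes tag pipelines, so the `if [ -n "$CI_COMMIT_TAG" ]` check in the first script line is dead code and can be removed.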