Much to my surprise the Secret Detection documentation does not suggest ways to have the build fail if the `secret_detection` job finds vulnerabilities. Such “post-processing” is particularly important for all the folks not on the Ultimate tier (the majority?), as you have no security dashboard, no security tab for the pipeline and no security widget for MRs.

Are we expected to add `after_script` commands (or a subsequent job) to parse the `gl-secret-detection-report.json` and force-fail the job by e.g. `exit 42`? Curious to find out how others addressed this.
Arggh… due to “No possibiity to fail the job in after_script (#21008) · Issues · GitLab.org / GitLab · GitLab” we can’t fail the job in `after_script`, sigh. This is my WIP:
```yaml
after_script:
  - |
    apk add --no-cache jq
    reportFile="gl-secret-detection-report.json"
    cat "$reportFile"
    # count the findings in the report and bail out with a distinctive exit code
    # (per #21008 a non-zero exit here does not actually fail the job)
    if [ "$(jq '.vulnerabilities | length' "$reportFile")" -gt 0 ]; then
      echo "Vulnerabilities detected. Please analyze the report in $reportFile."
      exit 42
    fi
```
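Since `after_script` cannot fail the job (#21008), the check has to run in the `script` of its own job in a later stage, with the `gl-secret-detection-report.json` artifact of the `secret_detection` job available to it (for example via `needs` on that job; this is an assumption about how the pipeline is wired, not something the thread confirms). The following is an added example written for this page, not the original poster's WIP and not GitLab's own code: a small Python gate that does the same `jq ".vulnerabilities | length"` test without needing `apk add jq`, so it runs unchanged in a stock `python:3-alpine` job as `python3 check_secret_report.py`. The file name `check_secret_report.py`, the exit codes 42 and 43 and the `SAMPLE_REPORT` contents are all made up for the example; the sample only mirrors the report fields the script reads.

```python
#!/usr/bin/env python3
"""Fail a GitLab CI job when the secret detection report lists findings.

Added example for a follow-up job's `script:`; not part of the original post.
"""
import json
import sys

REPORT_FILE = "gl-secret-detection-report.json"
EXIT_FINDINGS = 42    # chosen for the example: distinctive code when secrets were found
EXIT_NO_REPORT = 43   # chosen for the example: report missing or unparsable, fail closed

# Constructed sample in the shape of a GitLab secret detection report
# (only the fields this script reads are included; not a real scan result).
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "example-1",
            "category": "secret_detection",
            "name": "AWS",
            "severity": "Critical",
            "location": {"file": "config/settings.py", "start_line": 12},
        },
        {
            "id": "example-2",
            "category": "secret_detection",
            "name": "Generic API Key",
            "severity": "Critical",
            "location": {"file": ".env.example", "start_line": 3},
        },
    ],
}


def findings(report):
    """Return one compact record per entry in report["vulnerabilities"].

    Only rule name, severity, file and line are kept: the full report can
    include the matched string itself, which should not be echoed into a
    job log that many people can read.
    """
    out = []
    for vuln in report.get("vulnerabilities", []):
        loc = vuln.get("location", {})
        out.append({
            "name": vuln.get("name", "unknown"),
            "severity": vuln.get("severity", "Unknown"),
            "file": loc.get("file", "?"),
            "line": loc.get("start_line"),
        })
    return out


def load_report(path):
    """Parse the JSON report; return None if it is missing or not valid JSON."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def gate(report):
    """Exit code for an already parsed report: 0 when clean, EXIT_FINDINGS otherwise."""
    return EXIT_FINDINGS if findings(report) else 0


def main(path=REPORT_FILE):
    """Print a safe summary and return the exit code the job should end with."""
    report = load_report(path)
    if report is None:
        # A missing report means the scan did not run or did not produce output;
        # passing silently here would let secrets through, so fail closed.
        print(f"{path}: missing or unparsable report, failing closed", file=sys.stderr)
        return EXIT_NO_REPORT
    hits = findings(report)
    for hit in hits:
        print(f"{hit['severity']}: {hit['name']} in {hit['file']}:{hit['line']}")
    if hits:
        print(f"{len(hits)} secret(s) detected. Please analyze the report in {path}.",
              file=sys.stderr)
    return gate(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else REPORT_FILE))
```

Two differences from the `after_script` WIP above are deliberate: the script never `cat`s the whole report into the job log, because the report may carry the detected value itself, and a missing or unparsable report fails the job rather than passing it, so a scanner that silently did not run cannot look like a clean result.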