Are we expected to add after_script commands (or a subsequent job) to parse the gl-secret-detection-report.json and force-fail the job by e.g. exit 42? Curious to find out how others addressed this.
To wrap this up, here's the pipeline definition we currently use to fail on detected vulnerabilities:
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # defined here https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml#L21
  SECRET_DETECTION_REPORT_FILE: "gl-secret-detection-report.json"
  SECURE_LOG_LEVEL: "debug"

stages:
  ...
  - secret-detection
  - secret-detection-eval
  ...

# inherits from here https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
# as imported above
secret_detection:
  stage: secret-detection
  artifacts:
    paths:
      # in the "parent" job this file is declared as a report artifact, but
      # we also need it as a regular artifact for the subsequent job
      - $SECRET_DETECTION_REPORT_FILE
    expire_in: 1 hour

evaluation:
  stage: secret-detection-eval
  variables:
    # this job only requires the $SECRET_DETECTION_REPORT_FILE
    GIT_STRATEGY: none
  cache: {}
  before_script:
    # apk assumes the job runs on an Alpine-based image
    - apk add --no-cache jq
  script:
    # check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
    - |
      if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
        if [ "$(jq '.vulnerabilities | length' "$SECRET_DETECTION_REPORT_FILE")" -gt 0 ]; then
          echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
          exit 80
        fi
      else
        echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
      fi
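The same evaluation step as a stand-alone script, added here as an example and not part of the post above. It is a Python equivalent of the jq check (so the job needs no jq install), reads the report, counts the entries under "vulnerabilities", prints one line per finding and returns the exit status the job should use. The two sample reports are constructed test data, and the field names read from each finding (name, severity, location.file, location.start_line) are an assumption about the report layout the pipeline produces.

```python
import json
import os
import sys
import tempfile

# Exit status conventions taken from the post: 80 when findings exist,
# 0 (with a message) when the scanner produced no report file.
EXIT_FINDINGS = 80
EXIT_NO_REPORT = 0
EXIT_CLEAN = 0

# Constructed sample reports (not real scanner output). Only the fields this
# check reads are included; the layout ('vulnerabilities' -> 'location' ->
# 'file'/'start_line') is an assumption about the report schema.
CLEAN_REPORT = {"vulnerabilities": []}
DIRTY_REPORT = {
    "vulnerabilities": [
        {
            "name": "AWS Access Key",
            "severity": "Critical",
            "location": {"file": "config/settings.py", "start_line": 12, "end_line": 12},
        },
        {
            "name": "Generic API Key",
            "severity": "High",
            "location": {"file": "scripts/deploy.sh", "start_line": 3, "end_line": 3},
        },
    ]
}


def load_findings(report_path):
    """Return the 'vulnerabilities' list, or None when the report file is absent."""
    if not os.path.isfile(report_path):
        return None
    with open(report_path, encoding="utf-8") as fh:
        report = json.load(fh)
    findings = report.get("vulnerabilities", [])
    if not isinstance(findings, list):
        raise ValueError(f"{report_path}: 'vulnerabilities' is not a list")
    return findings


def summarize(findings):
    """One 'severity file:line name' line per finding, for the job log."""
    lines = []
    for v in findings:
        loc = v.get("location", {})
        lines.append("%s %s:%s %s" % (
            v.get("severity", "?"),
            loc.get("file", "?"),
            loc.get("start_line", "?"),
            v.get("name") or v.get("message", ""),
        ))
    return lines


def evaluate(report_path):
    """Mirror the job's script: print a message and return the exit status."""
    findings = load_findings(report_path)
    if findings is None:
        print(f"Artifact {report_path} does not exist. The 'secret-detection' job "
              "likely didn't create one. Hence, no evaluation can be performed.")
        return EXIT_NO_REPORT
    if findings:
        print(f"Vulnerabilities detected ({len(findings)}). Please analyze the "
              f"artifact {report_path} produced by the 'secret-detection' job.")
        for line in summarize(findings):
            print("  " + line)
        return EXIT_FINDINGS
    print(f"No secrets detected in {report_path}.")
    return EXIT_CLEAN


def evaluate_report_object(report):
    """Write a report dict to a temporary file and evaluate it (demo helper)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gl-secret-detection-report.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(report, fh)
        return evaluate(path)


if __name__ == "__main__":
    # In the job: python3 evaluate_report.py "$SECRET_DETECTION_REPORT_FILE"
    if len(sys.argv) > 1:
        sys.exit(evaluate(sys.argv[1]))
    # Stand-alone demo on the constructed reports.
    print("clean report ->", evaluate_report_object(CLEAN_REPORT))
    print("dirty report ->", evaluate_report_object(DIRTY_REPORT))
    print("missing report ->", evaluate("/nonexistent/gl-secret-detection-report.json"))
```

Run with the report path as the only argument and the process exit status is the job's verdict, so `script: - python3 evaluate_report.py "$SECRET_DETECTION_REPORT_FILE"` fails the job exactly as the jq version does; the per-finding lines give reviewers the file and line without opening the artifact.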
In trying this solution, I continue to get this error in my secret_detection job:
Uploading artifacts for successful job
Uploading artifacts...
WARNING: : no matching files
ERROR: No files to upload
Uploading artifacts...
gl-secret-detection-report.json: found 1 matching files and directories
I should have waited just a bit to post, as I found a fix for this. For me, at least, the variables here were not being inherited in the jobs:
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # defined here https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml#L21
  SECRET_DETECTION_REPORT_FILE: "gl-secret-detection-report.json"
  SECURE_LOG_LEVEL: "debug"
I verified in the CI editor / merged YAML interface that this was the case. I simply added the variable SECRET_DETECTION_REPORT_FILE: "gl-secret-detection-report.json" to both jobs and it is uploading correctly now. We are on SaaS GitLab, not self-hosted, so this may be an operational difference in versions.
So, thanks to marcelstoer for the process and I hope this helps ctote1.