Fail the pipeline if Secret Detection finds vulnerabilities

Much to my surprise the Secret Detection documentation does not suggest ways to have the build fail if the secret_detection job finds vulnerabilities. Such “post-processing” is particularly important for all the folks not on the Ultimate tier (the majority?) as you have no security dashboard, no security tab for the pipeline and no security widget for MRs.

Are we expected to add after_script commands (or a subsequent job) to parse the gl-secret-detection-report.json and force-fail the job by e.g. exit 42? Curious to find out how others addressed this.

<starts-hacking-pipeline-files>

Arggh… due to “No possibility to fail the job in after_script” (gitlab-org/gitlab issue #21008) we can’t fail the job in after_script, sigh. This is my WIP:

  after_script:
    - |
      apk add --no-cache jq
      reportFile="gl-secret-detection-report.json"
      cat "$reportFile"
      if [ "$(jq '.vulnerabilities | length' "$reportFile")" -gt 0 ]; then
        echo "Vulnerabilities detected. Please analyze the report in $reportFile."
        # a non-zero exit here is ignored by GitLab; after_script cannot fail the job
        exit 42
      fi

By using an entirely different stage to do the validation in a proper script: section. Pass the artifact between stages.

Like:

  stage: validate
  variables:
    GIT_STRATEGY: none
  before_script:
    - apk add --no-cache jq
  script:
    - jq -e ".vulnerabilities | length == 0" gl-container-scanning-report.json

Yep, it’s the obvious work-around I have now in place but it’s far from ideal IMO.

Are we expected to add after_script commands (or a subsequent job) …

To wrap this up here’s the pipeline definition we currently use to fail on detected vulnerabilities:

include:
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # defined here https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml#L21
  SECRET_DETECTION_REPORT_FILE: "gl-secret-detection-report.json"
  SECURE_LOG_LEVEL: "debug"

stages:
...
  - secret-detection
  - secret-detection-eval
...

# inherits from here https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
# as imported above
secret_detection:
  stage: secret-detection
  artifacts:
    paths:
      # in the "parent" job this file is declared as a report artifact, but
      # we also need it as a regular artifact for the subsequent job
      - $SECRET_DETECTION_REPORT_FILE
    expire_in: 1 hour

evaluation:
  stage: secret-detection-eval
  # no image is set here, so 'apk' assumes the pipeline's default image is Alpine-based
  variables:
    # this job only requires the $SECRET_DETECTION_REPORT_FILE
    GIT_STRATEGY: none
  cache: {}
  before_script:
    - apk add --no-cache jq
  script:
    # check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
    - |
      if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
        if [ "$(jq '.vulnerabilities | length' "$SECRET_DETECTION_REPORT_FILE")" -gt 0 ]; then
          echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
          exit 80
        fi
      else
        echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
      fi

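Both the jq one-liner in the validate-stage answer and the evaluation job above reduce the report to a single count. As an added example (not code from the posts above or from GitLab's templates), here is a small Python script that does the same post-processing but also lists each finding by rule name and file:line and lets the job fail only at or above a chosen severity. The report layout (a top-level "vulnerabilities" array whose entries carry "severity", "name" and "location.file"/"location.start_line") follows GitLab's security report schema; the SAMPLE_REPORT contents, the exit codes 80/81 and the script name are constructed for this example.

```python
#!/usr/bin/env python3
"""Evaluate a GitLab Secret Detection report and return the exit code a CI job
should use.  Example code added to this thread, not part of the original posts
or of GitLab's templates."""
import json
import sys
import tempfile
from pathlib import Path

# Severity levels of the GitLab security report schema, least to most severe.
SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]

# Exit codes chosen for this example (the thread uses 42 and 80; any non-zero
# value fails the job).
EXIT_FINDINGS = 80
EXIT_MISSING_REPORT = 81

# Constructed sample report that mimics the gl-secret-detection-report.json
# layout; ids, file names and line numbers are made up for this example.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "constructed-1",
            "name": "AWS Access Key",
            "severity": "Critical",
            "location": {"file": "config/aws.env", "start_line": 3, "end_line": 3},
        },
        {
            "id": "constructed-2",
            "name": "Generic API Key",
            "severity": "Medium",
            "location": {"file": "scripts/deploy.sh", "start_line": 17, "end_line": 17},
        },
    ],
}


def severity_rank(severity):
    """Position of a severity string in SEVERITY_ORDER; strings the schema does
    not define are treated as 'Unknown' instead of crashing the job."""
    if severity not in SEVERITY_ORDER:
        severity = "Unknown"
    return SEVERITY_ORDER.index(severity)


def findings_at_or_above(report, threshold):
    """Return the vulnerabilities whose severity meets the threshold."""
    min_rank = severity_rank(threshold)
    return [
        vuln
        for vuln in report.get("vulnerabilities", [])
        if severity_rank(vuln.get("severity", "Unknown")) >= min_rank
    ]


def describe(vuln):
    """One-line summary: severity, rule name and file:line of the hit.
    Deliberately prints no matched text, so the job log does not re-leak the secret."""
    loc = vuln.get("location", {})
    return "[{}] {} at {}:{}".format(
        vuln.get("severity", "Unknown"),
        vuln.get("name", vuln.get("id", "?")),
        loc.get("file", "?"),
        loc.get("start_line", "?"),
    )


def evaluate_report(report, threshold="Low"):
    """Print a summary and return 0 (pass) or EXIT_FINDINGS."""
    hits = findings_at_or_above(report, threshold)
    total = len(report.get("vulnerabilities", []))
    if not hits:
        print(f"{total} finding(s), none at or above {threshold}.")
        return 0
    print(f"{len(hits)} of {total} finding(s) at or above {threshold}:")
    for vuln in hits:
        print("  " + describe(vuln))
    return EXIT_FINDINGS


def evaluate_file(path, threshold="Low", missing_is_failure=False):
    """Load the report artifact; a missing file passes by default (as in the
    thread) or fails with EXIT_MISSING_REPORT when missing_is_failure is set."""
    report_path = Path(path)
    if not report_path.is_file():
        print(f"Report {path} not found; the secret_detection job probably produced none.")
        return EXIT_MISSING_REPORT if missing_is_failure else 0
    with report_path.open(encoding="utf-8") as fh:
        return evaluate_report(json.load(fh), threshold)


def demo():
    """Write SAMPLE_REPORT to a temporary file and evaluate it at 'High'."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "gl-secret-detection-report.json"
        path.write_text(json.dumps(SAMPLE_REPORT), encoding="utf-8")
        return evaluate_file(path, "High")


if __name__ == "__main__":
    # usage: evaluate_secret_detection.py <report.json> [threshold] [--fail-if-missing]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    sys.exit(evaluate_file(args[0], args[1] if len(args) > 1 else "Low",
                           "--fail-if-missing" in sys.argv))
```

In the evaluation job this replaces the jq check with something like `python3 evaluate_secret_detection.py "$SECRET_DETECTION_REPORT_FILE" High --fail-if-missing` (assuming an image that ships Python, e.g. python:3-alpine). Two caveats: with `GIT_STRATEGY: none` the script is not checked out, so either drop that setting for this job or pass the script along as an artifact; and the threshold only changes what fails the job, lower-severity findings are still listed in the log so nobody has to open the JSON to see them.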