At Naturalis we have been experimenting with setting up gitleaks and the CI/CD secret_detection tools supplied by GitLab. Locally we are using gitleaks to scan our repositories in a pre-commit hook, and in the CI/CD pipeline we also scan our projects with the secret analyzer supplied in Security/Secret-Detection.gitlab-ci.yml.
But to our surprise the GitLab tooling seems to ignore the .gitleaksignore file. We actively use this file to pin down false positives or leaks that have already been identified and resolved. Because the secret scanner ignores this file, the pipelines keep tripping on fixed issues.
I have a few questions:
- Is this on purpose? We have looked into the documentation and there seems to be no mention of this.
- Is there a way we can use this .gitleaksignore file other than introducing our own secret scanner in the pipeline?
- If it is not on purpose, can the .gitleaksignore feature be built into the secret scanner?
Thanks for your trouble. I hope the community can help us in solving this.
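To illustrate what the post is relying on, here is an added example (not from the post, and not part of gitleaks or the GitLab analyzer) that post-filters a gitleaks JSON report against a .gitleaksignore file. It assumes the documented gitleaks conventions: one fingerprint per line in .gitleaksignore with `#` comments allowed, and a `Fingerprint` of the form `<commit>:<file>:<ruleID>:<startLine>` (without the commit part for `--no-git` scans). The report, the ignore file and the commit hash are constructed sample data; `filter_report` and `ci_gate` are names chosen here.

```python
"""Apply .gitleaksignore fingerprints to a gitleaks JSON report (added example)."""
from __future__ import annotations

import json
import sys

# Constructed 40-hex placeholder, not a real commit.
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample of what `gitleaks detect --report-format json` emits.
# The third finding has no Fingerprint/Commit, as in a `--no-git` scan.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/settings.py", "StartLine": 12,
     "Commit": SAMPLE_COMMIT, "Secret": "AKIA<REDACTED-SAMPLE>",
     "Fingerprint": f"{SAMPLE_COMMIT}:config/settings.py:aws-access-token:12"},
    {"RuleID": "generic-api-key", "File": "src/db.py", "StartLine": 40,
     "Commit": SAMPLE_COMMIT, "Secret": "<REDACTED-SAMPLE>",
     "Fingerprint": f"{SAMPLE_COMMIT}:src/db.py:generic-api-key:40"},
    {"RuleID": "generic-api-key", "File": "tests/fixtures.py", "StartLine": 3,
     "Commit": "", "Secret": "<REDACTED-SAMPLE>"},
])

# Constructed .gitleaksignore: one fingerprint per line, '#' comments allowed.
SAMPLE_IGNORE = f"""# Rotated key, deliberately left in history (reviewed)
{SAMPLE_COMMIT}:config/settings.py:aws-access-token:12

# Test fixture, not a real credential (no-git fingerprint: file:rule:line)
tests/fixtures.py:generic-api-key:3
"""


def parse_gitleaksignore(text: str) -> set[str]:
    """Return the fingerprints listed in a .gitleaksignore body."""
    fingerprints: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not fingerprints
        fingerprints.add(line)
    return fingerprints


def fingerprint(finding: dict) -> str:
    """Rebuild a gitleaks fingerprint from a finding that lacks the field.

    Git-history scans use <commit>:<file>:<ruleID>:<line>; --no-git scans
    have no commit and use <file>:<ruleID>:<line>.
    """
    tail = f'{finding["File"]}:{finding["RuleID"]}:{finding["StartLine"]}'
    commit = finding.get("Commit", "")
    return f"{commit}:{tail}" if commit else tail


def filter_report(report_json: str, ignore_text: str) -> tuple[list[dict], list[dict]]:
    """Split findings into (kept, ignored) using the ignore file."""
    ignored_fps = parse_gitleaksignore(ignore_text)
    kept: list[dict] = []
    ignored: list[dict] = []
    for finding in json.loads(report_json):
        fp = finding.get("Fingerprint") or fingerprint(finding)
        (ignored if fp in ignored_fps else kept).append(finding)
    return kept, ignored


def ci_gate(report_json: str, ignore_text: str) -> int:
    """Exit status for a pipeline step: 1 if any non-ignored finding remains."""
    kept, ignored = filter_report(report_json, ignore_text)
    for f in ignored:
        print(f"ignored  {f['RuleID']} {f['File']}:{f['StartLine']}")
    for f in kept:
        # Never print the secret itself; file, rule and line are enough to triage.
        print(f"FINDING  {f['RuleID']} {f['File']}:{f['StartLine']}")
    return 1 if kept else 0


if __name__ == "__main__":
    # Real use: read the report and ignore file from disk instead of the samples.
    sys.exit(ci_gate(SAMPLE_REPORT, SAMPLE_IGNORE))
```

In a pipeline this would run after the gitleaks job, reading `gitleaks-report.json` and the repository's `.gitleaksignore`; it only reproduces the fingerprint-matching part of gitleaks, so a finding whose fingerprint changes (a file is moved or the line shifts) is reported again, exactly as gitleaks itself would do.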