SAST - not detecting secrets and passwords correctly

Hello, I’m having some problems setting up the SAST for my GitLab repos. I created a .gitlab-ci.yml file with the templates to include: template: Security/SAST.gitlab-ci.yml, and then I also added the SAST.gitlab-ci.yml file copied from the GitLab repo, but when I run the pipelines on test files where I clearly have a password or API key in the file, the SAST still passes when it’s supposed to fail. Am I missing something here?


include:
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml

secret_detection:
  variables:
    GIT_DEPTH: 100
    SECRET_DETECTION_HISTORIC_SCAN: "true"

Hi @wilson11 :wave: Does the job log not even contain a line like this:

[INFO] [secrets] … WRN leaks found: 1

While working on an internal ticket, I created this related demo, so I’m rather sure that SECRET_DETECTION_HISTORIC_SCAN works. The problem seems to rather be that setting it to false doesn’t work :thinking: