Secret Detection Scanner - Scans only 1 commit?

Is it normal for the Secret Detection scanner to only scan the last commit? (1 commit)

  • Expected behavior

    • When using the Secret Detection job from GitLab’s templates in a pipeline created from a Merge Request, the scanner should scan all commits on that Merge Request
  • Observed behavior

    • When using the Secret Detection job from GitLab’s templates in a pipeline created from a Merge Request, the scanner is only scanning the last commit (so secrets previously committed in the same merge request are going unscanned and undetected)

Hi @cf-amber-beasley

I was trying to figure out the logic, but I need more coffee :slight_smile:
Anyway, here is the code for the Secret Detection job template: lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml (master branch, GitLab.org / GitLab). The job is limited to Branches, so maybe the logic isn’t working for MR pipelines.

If you are not using the GitLab template, you need to generate the file with list of commits to scan yourself.
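The previous reply points at the mechanism behind the question: the analyzer scans whatever commits are listed in a commit-list file, and in a merge-request pipeline that list has to cover every commit the MR introduced, not just HEAD. The script below is an added example written for this thread, not the GitLab template's own code and not code from either poster. It assumes (none of this is stated in the thread) that the analyzer reads the list from the path in `SECRET_DETECTION_COMMITS_FILE`, and that in a merge-request pipeline GitLab sets `CI_MERGE_REQUEST_DIFF_BASE_SHA` (merge base with the target branch) and `CI_COMMIT_SHA` (the MR head); check both against the template version you actually run. The functions are written so they can be exercised against any local repository, which is also a quick way to verify how many commits a job would scan.

```shell
#!/bin/sh
# Added example (not the GitLab template's code): build the commit-list file
# that tells the secret-detection analyzer which commits to scan.
#
# Assumptions (not taken from the thread):
#   - the analyzer reads the list from the path in SECRET_DETECTION_COMMITS_FILE
#   - in a merge-request pipeline GitLab sets CI_MERGE_REQUEST_DIFF_BASE_SHA
#     (merge base with the target branch) and CI_COMMIT_SHA (MR head)
set -e

# mr_commit_list <repo_dir> <base_sha> <head_sha> <out_file>
# Writes every commit reachable from head but not from base, one SHA per line,
# oldest first. Returns non-zero if the range is empty, because an empty list
# would leave the analyzer with nothing to scan and the job should fail loudly
# rather than silently scan only HEAD.
mr_commit_list() {
    repo="$1"; base_sha="$2"; head_sha="$3"; out="$4"
    # --reverse gives chronological order; --no-merges skips merge commits,
    # whose trees are already covered by their parents.
    git -C "$repo" rev-list --reverse --no-merges "$base_sha".."$head_sha" > "$out"
    [ -s "$out" ]
}

# commit_count <out_file>: number of commits queued for scanning
commit_count() {
    wc -l < "$1" | tr -d ' '
}

# Wiring for a CI job: only meaningful inside a merge-request pipeline.
if [ "${CI_PIPELINE_SOURCE:-}" = "merge_request_event" ]; then
    export SECRET_DETECTION_COMMITS_FILE="${CI_COMMIT_SHA}_commit_list.txt"
    mr_commit_list "$PWD" "$CI_MERGE_REQUEST_DIFF_BASE_SHA" "$CI_COMMIT_SHA" \
        "$SECRET_DETECTION_COMMITS_FILE"
    echo "queued $(commit_count "$SECRET_DETECTION_COMMITS_FILE") commit(s) for secret scanning"
fi
```

Run it in a job with a full clone (or a fetch deep enough to contain the merge base); with a shallow clone of depth 1 the range resolves to nothing and the function fails, which is exactly the symptom the original question describes. Comparing the printed count against the number of commits shown on the MR page is a quick check that the scan covered the whole branch.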

The logic shouldn’t be limited to branches. The secret detection is documented to be used in Merge Requests (Secret Detection | GitLab docs).

This is definitely smelling more like a bug. I am using the GitLab provided template, but it’s only scanning the last commit.


(I’ll probably open a ticket and see if I can get it resolved – I was using the forum for a sanity check)