For context, I am attempting to make use of GitLab's Security/Secret-Detection.gitlab-ci.yml template. The goal is to use GitLab secret detection to detect secrets, then use a Validate Secret Detection job to query the resulting report artifact to see if there are any findings in the vulnerabilities section of the JSON.
Here is what the .gitlab-ci.yml includes:
```yaml
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

stages:
  - secret_detection

# Move the template's scan job into the custom stage.
secret_detection:
  stage: secret_detection

Validate Secret Detection:
  stage: secret_detection
  needs:
    - "secret_detection"
  script:
    - |
      # $SECRET_DETECTION_REPORT_FILE is not set anywhere in this file; the -f test
      # below only finds the report if the variable is supplied from elsewhere.
      # jq is assumed to be present in the job image.
      if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
        if [ "$(jq '.vulnerabilities | length' "$SECRET_DETECTION_REPORT_FILE")" -gt 0 ]; then
          echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
          exit 80
        fi
      else
        echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
      fi
```
I am having trouble understanding why the validation job is passing when GitLab’s Secret Detection job has discovered a finding and added it to the report.
Below are some screenshots showing that things are working, just not failing in the pipeline when expected.
Pipeline jobs running in the secret_detection stage:
Output from the Secret Detection runner:
Resulting report artifact:
Resulting report (after downloading it to my local machine):
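As an added example that is not part of the original post, here is the same validation step written as a small Python script instead of an inline jq call, so the check does not depend on jq being installed in the image of the validating job and does not pass silently when the report is absent. It assumes the report is the gl-secret-detection-report.json file that the Secret-Detection template declares as its secret_detection report artifact (an assumption about the template default), that python3 is available in the validating job's image, and the sample reports at the bottom are constructed, not real scanner output. The script fails closed with distinct exit codes for a missing or malformed report, keeps the post's exit code 80 for findings, and prints each finding's rule, severity and file:line without echoing the matched secret into the job log.

```python
"""Fail-closed validation of a GitLab secret-detection report.

Added example, not from the original post. Assumes the report is the
gl-secret-detection-report.json file declared by the Secret-Detection
template (an assumption) and that python3 exists in the job image.
"""
import json
import sys
from pathlib import Path

# Exit codes returned to the CI job. 80 mirrors the post's script.
EXIT_CLEAN = 0
EXIT_FINDINGS = 80
EXIT_NO_REPORT = 81   # report missing: fail closed instead of passing silently
EXIT_BAD_REPORT = 82  # report present but not the expected JSON shape

DEFAULT_REPORT = "gl-secret-detection-report.json"  # assumed template default


def findings(text):
    """Parse report JSON text and return its 'vulnerabilities' list.

    Raises ValueError for invalid JSON or a document without that array,
    so a truncated or foreign file is never mistaken for a clean scan.
    """
    report = json.loads(text)  # JSONDecodeError is a ValueError
    if not isinstance(report, dict) or not isinstance(report.get("vulnerabilities"), list):
        raise ValueError("report has no 'vulnerabilities' array")
    return report["vulnerabilities"]


def summarize(text):
    """One line per finding (severity, rule name, file:line); the matched
    secret itself is deliberately not echoed into the job log."""
    lines = []
    for v in findings(text):
        loc = v.get("location", {})
        where = "%s:%s" % (loc.get("file", "?"), loc.get("start_line", "?"))
        lines.append("%s: %s at %s" % (v.get("severity", "?"), v.get("name", v.get("id", "?")), where))
    return lines


def evaluate(text):
    """Map report JSON text to the exit code the validating job should return."""
    try:
        vulns = findings(text)
    except ValueError:
        return EXIT_BAD_REPORT
    return EXIT_FINDINGS if vulns else EXIT_CLEAN


def validate_file(path):
    """Read the report from disk; a missing file fails closed."""
    p = Path(path)
    if not p.is_file():
        print("Report %s not found; the scan job did not produce one, failing closed." % p, file=sys.stderr)
        return EXIT_NO_REPORT
    text = p.read_text(encoding="utf-8")
    code = evaluate(text)
    if code == EXIT_FINDINGS:
        print("Secret detection findings in %s:" % p)
        for line in summarize(text):
            print("  " + line)
    elif code == EXIT_BAD_REPORT:
        print("Report %s is not a valid secret-detection report." % p, file=sys.stderr)
    return code


# Constructed sample reports for offline testing; not real scanner output.
SAMPLE_CLEAN = '{"version": "15.0.0", "vulnerabilities": []}'
SAMPLE_FINDING = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [{
        "id": "constructed-finding-1",
        "name": "AWS Access Token",
        "severity": "Critical",
        "location": {"file": "config/settings.py", "start_line": 12},
    }],
})

if __name__ == "__main__":
    sys.exit(validate_file(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_REPORT))
```

In the validating job this replaces the inline shell with a single step such as `python3 validate_report.py gl-secret-detection-report.json` (script name and path are the example's own); because the script exits non-zero for a missing or malformed report as well as for findings, a scan job that never wrote the artifact surfaces as a failed pipeline rather than a green one.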