gitlab.com/gitlab-org/gitlab-docs.git - Unnamed repository; edit this file 'description' to name the repository.
authorMarcel Amirault <mamirault@gitlab.com>2022-08-02 06:06:07 +0300
committerEvan Read <eread@gitlab.com>2022-08-02 06:06:07 +0300
commit796a7988b7508f1c5ccfe28908ee1404352cb217 (patch)
treec475a607dc7da33b6c581493c07d82ec4246a493 /.gitlab
parentb500b236bf432ca91082edef760ebf553aa754d3 (diff)
Add secret detection to pipeline
Diffstat (limited to '.gitlab')
-rw-r--r--.gitlab/ci/security.gitlab-ci.yml20
1 files changed, 19 insertions, 1 deletions
diff --git a/.gitlab/ci/security.gitlab-ci.yml b/.gitlab/ci/security.gitlab-ci.yml
index 10da5487..52152504 100644
--- a/.gitlab/ci/security.gitlab-ci.yml
+++ b/.gitlab/ci/security.gitlab-ci.yml
@@ -7,7 +7,8 @@
#
# - Security/Dependency-Scanning.gitlab-ci.yml
# - Security/SAST.gitlab-ci.yml
-#
+# - Security/Secret-Detection.gitlab-ci.yml
+#
# Defaults are overridden below.
#
@@ -44,3 +45,20 @@ semgrep-sast:
extends:
- .sast-analyzer
- .security-scanning-overrides
+
+#
+# Secret detection job overrides
+# As per https://docs.gitlab.com/ee/user/application_security/#use-security-scanning-tools-with-merge-request-pipelines,
+# overrides the rules to make it work in MR pipelines too.
+#
+secret_detection:
+ extends:
+ - .secret-analyzer
+ - .security-scanning-overrides
+ rules:
+ - if: $SECRET_DETECTION_DISABLED
+ when: never
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ script:
+ - /analyzer run
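Review bot: The `script: - /analyzer run` entry at the end of `secret_detection` hard-codes the analyzer command in this file, whereas the `semgrep-sast` override just above carries only `extends`. If the included Secret-Detection template already supplies the script (not visible in this hunk), the copy here will silently mask any upstream change to how the analyzer is invoked, so it is worth dropping or annotating with `# copied from Security/Secret-Detection.gitlab-ci.yml; keep in sync`. The new `rules` also limit scanning to the default branch and merge request pipelines, so a secret pushed to another branch is not examined until a merge request exists, by which point it is already in the repository history; a one-line comment stating that trade-off would help. Whether a finding fails the pipeline depends on `allow_failure` in `.secret-analyzer` or `.security-scanning-overrides`, both defined outside this hunk.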