
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/user/application_security/secret_detection')
-rw-r--r-- doc/user/application_security/secret_detection/index.md | 46
-rw-r--r-- doc/user/application_security/secret_detection/post_processing.md | 10
2 files changed, 38 insertions, 18 deletions
diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md
index 8a066cf1be1..d955170ece2 100644
--- a/doc/user/application_security/secret_detection/index.md
+++ b/doc/user/application_security/secret_detection/index.md
@@ -82,43 +82,57 @@ To enable Secret Detection, either:
- Enable [Auto DevOps](../../../topics/autodevops/index.md), which includes [Auto Secret Detection](../../../topics/autodevops/stages.md#auto-secret-detection).
-- [Enable Secret Detection by including the template](#enable-secret-detection-by-including-the-template).
+- [Edit the `.gitlab.ci.yml` file manually](#edit-the-gitlabciyml-file-manually). Use this method if
+ your `.gitlab-ci.yml` file is complex.
-- [Enable Secret Detection using a merge request](#enable-secret-detection-using-a-merge-request).
+- [Use an automatically configured merge request](#use-an-automatically-configured-merge-request).
-### Enable Secret Detection by including the template
+### Edit the `.gitlab.ci.yml` file manually
-You should use this method if you have an existing GitLab CI/CD configuration file.
+This method requires you to manually edit the existing `.gitlab-ci.yml` file. Use this method if
+your GitLab CI/CD configuration file is complex.
-Add the following extract to your `.gitlab-ci.yml` file:
+1. On the top bar, select **Main menu > Projects** and find your project.
+1. On the left sidebar, select **CI/CD > Editor**.
+1. Copy and paste the following to the bottom of the `.gitlab-ci.yml` file:
-```yaml
-include:
- - template: Jobs/Secret-Detection.gitlab-ci.yml
-```
+ ```yaml
+ include:
+ - template: Jobs/Secret-Detection.gitlab-ci.yml
+ ```
-Pipelines now include a Secret Detection job, and the results are included in the merge request
-widget.
+1. Select the **Validate** tab, then select **Validate pipeline**.
+ The message **Simulation completed successfully** indicates the file is valid.
+1. Select the **Edit** tab.
+1. Optional. In the **Commit message** text box, customize the commit message.
+1. In the **Branch** text box, enter the name of the default branch.
+1. Select **Commit changes**.
-### Enable Secret Detection using a merge request
+Pipelines now include a Secret Detection job.
+
+### Use an automatically configured merge request
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329886) in GitLab 14.1.
+This method automatically prepares a merge request, with the Secret Detection template included in
+the `.gitlab-ci.yml` file. You then merge the merge request to enable Secret Detection.
+
NOTE:
This method works best with no existing `.gitlab-ci.yml` file, or with a minimal configuration
file. If you have a complex GitLab configuration file it may not be parsed successfully, and an
-error may occur.
+error may occur. In that case, use the [manual](#edit-the-gitlabciyml-file-manually) method instead.
-To enable Secret Detection using a merge request:
+To enable Secret Detection automatically:
1. On the top bar, select **Main menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Secret Detection** row, select **Configure with a merge request**.
+1. Optional. Complete the fields.
+1. Select **Create merge request**.
1. Review and merge the merge request.
-Pipelines now include a Secret Detection job, and the results are included in the merge request
-widget.
+Pipelines now include a Secret Detection job.
## Responding to a leaked secret
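Review bot: The new list item "[Edit the `.gitlab.ci.yml` file manually]" and the new heading "### Edit the `.gitlab.ci.yml` file manually" spell the file name with a dot, while the rest of this hunk, including the sentence directly under that heading, uses `.gitlab-ci.yml`. Correct both spellings, then re-check the `#edit-the-gitlabciyml-file-manually` anchor used in the list item and in the NOTE, since it is derived from the heading text and may change with the fix. Separately, both closing sentences drop "and the results are included in the merge request widget"; if that is deliberate, consider saying where findings now appear, because a reader who has just enabled the job needs to know where to look for a detected secret.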
diff --git a/doc/user/application_security/secret_detection/post_processing.md b/doc/user/application_security/secret_detection/post_processing.md
index 8dbe459d4af..9c74467bce5 100644
--- a/doc/user/application_security/secret_detection/post_processing.md
+++ b/doc/user/application_security/secret_detection/post_processing.md
@@ -6,7 +6,13 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Secret Detection post-processing and revocation **(FREE SAAS)**
-> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4639) in GitLab 13.6.
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4639) in GitLab 13.6.
+> - [Disabled by default for GitLab personal access tokens](https://gitlab.com/gitlab-org/gitlab/-/issues/371658) in GitLab 15.6 [with a flag](../../../administration/feature_flags.md) named `gitlab_pat_auto_revocation`. Available to GitLab.com only.
+
+FLAG:
+By default, auto revocation of GitLab personal access tokens is not available. To opt-in on GitLab.com
+during the [Beta period](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha-beta-ga), please
+[let us know by completing this form](https://docs.google.com/forms/d/e/1FAIpQLSdRbFhvA5jvI-Rt_Qnl1PQ1znOXKK8m6lRtmM0uva4upetKvQ/viewform).
GitLab supports running post-processing hooks after detecting a secret. These
hooks can perform actions, like notifying the cloud service that issued the secret.
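Review bot: The FLAG note never names the flag, while the history line above it calls it `gitlab_pat_auto_revocation` and says the feature is "Disabled by default"; the note says "not available" instead. Use the same wording in both places and name the flag in the FLAG note so readers can tie the two statements together. The note should also say what opting in causes (detected personal access tokens are revoked automatically), since that is the consequence a project owner is agreeing to when completing the form. Minor wording: "To opt-in" should be the verb "To opt in", and "please" can be dropped.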
@@ -16,7 +22,7 @@ The cloud provider can then confirm the credentials and take remediation actions
- Reissuing a secret.
- Notifying the creator of the secret.
-GitLab SaaS supports post-processing for Amazon Web Services (AWS).
+GitLab SaaS supports post-processing for [GitLab personal access tokens](../../profile/personal_access_tokens.md) and Amazon Web Services (AWS).
Post-processing workflows vary by supported cloud providers.
Post-processing is limited to a project's default branch. The epic
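Review bot: The changed sentence now states without qualification that GitLab SaaS supports post-processing for GitLab personal access tokens, but the FLAG note added earlier in this same file says auto revocation of those tokens is not available by default and is opt-in during the Beta period. Qualify the sentence (for example, "when enabled" with a link to the FLAG note) so readers do not assume a leaked token has already been revoked. The following context line, "Post-processing workflows vary by supported cloud providers", also no longer fits now that one of the two supported issuers is GitLab itself rather than a cloud provider.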