Scanning For Secrets In A GitLab Pipeline
May 10, 2024
Reference: https://stackoverflow.com/questions/73665289/gitlab-secret-detection-how-to-test-it-works
Step 1: Create a .gitlab-ci.yml with the following pipeline code.
stages:
  - secret_scan

Secrets Detector:
  stage: secret_scan
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/secrets"
  needs: []
  only:
    - branches
  before_script:
    # jq is used below to inspect the JSON report the analyzer writes
    - apk add jq
  script:
    # Runs the secret detection analyzer; it writes gl-secret-detection-report.json
    - /analyzer run
    # Pretty-print the report into the job log
    - jq '.' gl-secret-detection-report.json
    # jq prints "true" when the vulnerabilities array is non-empty; fail the job in that case.
    # A POSIX [ ] test is used so the check works under sh as well as bash.
    - if [ "$(jq '.vulnerabilities | length > 0' gl-secret-detection-report.json)" = "true" ]; then echo "secrets found" && exit 1; fi
Step 2: Commit a file containing a dummy secret value. This triggers the pipeline; the analyzer detects the secret and the job exits non-zero, so the pipeline fails.
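The gate step above can be made more robust by evaluating the report in a small script instead of a one-line jq test. The following is an added example, not code from the referenced answer or from GitLab: it reads gl-secret-detection-report.json, prints each finding's location for the job log, and fails closed when the report is missing or malformed (a jq error in the one-liner leaves the condition false, so the job would pass). The sample report and its field names are constructed here in the assumed layout of the analyzer's output.

```python
import json
import sys
from pathlib import Path

# Constructed sample in the assumed shape of gl-secret-detection-report.json
# (field names are an assumption about the report format, not real analyzer output).
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "constructed-id-1", "category": "secret_detection",
         "name": "AWS Access Key", "severity": "Critical",
         "location": {"file": "config/settings.py", "start_line": 12, "end_line": 12}},
        {"id": "constructed-id-2", "category": "secret_detection",
         "name": "Generic API Key", "severity": "High",
         "location": {"file": "scripts/deploy.sh", "start_line": 3, "end_line": 3}},
    ],
}


def summarize_findings(report: dict) -> list:
    """Return one 'file:line [severity] name' string per finding for the job log."""
    lines = []
    for v in report.get("vulnerabilities", []):
        loc = v.get("location", {})
        lines.append(f"{loc.get('file', '?')}:{loc.get('start_line', '?')} "
                     f"[{v.get('severity', 'Unknown')}] {v.get('name', 'unnamed finding')}")
    return lines


def evaluate(report: dict) -> int:
    """Exit code for a parsed report: 1 if any finding is present, else 0."""
    findings = summarize_findings(report)
    for line in findings:
        print(f"secret found: {line}")
    return 1 if findings else 0


def gate_exit_code(report_path: str) -> int:
    """Read the report from disk; a missing or unparsable report is itself a
    failure (exit 2) so the job never passes for lack of a report."""
    try:
        report = json.loads(Path(report_path).read_text())
    except (OSError, ValueError) as exc:
        print(f"cannot read secret detection report: {exc}", file=sys.stderr)
        return 2
    return evaluate(report)


if __name__ == "__main__":
    # In the CI job: python3 gate.py gl-secret-detection-report.json
    sys.exit(gate_exit_code(sys.argv[1] if len(sys.argv) > 1 else "gl-secret-detection-report.json"))
```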