0

I am trying to implement a gitlab pipeline used to detect secrets on commits before they are pushed, and prevent the commits from going live. The detection part works just fine. However the pipeline always marks the job as successful, even though the fake secrets i've added are detected, and let the commits got public.

I have tried to scan the detection report : if it's not empty, a message warning the user is displayed, and an exit code is returned. For some reason though, said exit code gets ignored.

Here is the yml config i'm using :

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

secret_detection:
  variables:
    SECRET_DETECTION_HISTORIC_SCAN: "true" 
    SECRET_DETECTION_IMAGE_SUFFIX: "-fips"


after_script:
  - |
     reportFile="gl-secret-detection-report.json"
     $a: wc -l gl-secret-detection-report.json
     $b: 0
     if [ $a -gt $b ]; then
       echo "VULN FOUND. SEE $reportFile FOR MORE DETAILS." && exit 1
     fi

I'm quite at a loss here, any help is appreciated. Thanks !

consumedbymadness
  • 1
  • 1

1 Answers1

0

You can get the status as 'success' or 'failed' in the json report only if the job fails. Job doesn't fail in case of it finds any Vulnerbilities.

Here is the information from gitlab documentation:

Jobs pass if they are able to complete a scan. A pass result does not indicate if they did, or did not, identify findings. The only exception is coverage fuzzing, which fails if it identifies findings.

Jobs fail if they are unable to complete a scan. You can view the pipeline logs for more information.

All jobs are permitted to fail by default. This means that if they fail, it does not fail the pipeline.

If you want to prevent vulnerabilities from being merged, you should do this by adding Security Approvals in Merge Requests which prevents unknown, high or critical findings from being merged without an approval from a specific group of people that you choose.

We do not recommend changing the job allow_failure setting as that fails the entire pipeline.

vishal shah
  • 177
  • 5