- Use cases
- Full History Secret Scan
A recurring problem when developing applications is that developers may unintentionally commit secrets and credentials to their remote repositories. If other people have access to the source, or if the project is public, the sensitive information is then exposed and can be leveraged by malicious users to gain access to resources like deployment environments.
GitLab 11.9 includes a new check called Secret Detection. It scans the content of the repository to find API keys and other information that should not be there.
GitLab displays identified secrets visibly in a few places:
- Security Dashboard
- Pipelines’ Security tab
- Report in the merge request widget
- Detecting unintentional commit of secrets like keys, passwords, and API tokens.
- Performing a single or recurring scan of the full history of your repository for secrets.
19.03.0. See troubleshooting information for details.
To make Secret Detection available to as many customers as possible, we have enabled it for all GitLab tiers. However not all features are available on every tier. See the breakdown below for more details.
Different features are available in different GitLab tiers, as shown in the following table:
|Capability||In Core||In Ultimate|
|Configure Secret Detection Scanners|
|Customize Secret Detection Settings|
|View JSON Report|
|Presentation of JSON Report in Merge Request|
|Interaction with Vulnerabilities|
|Access to Security Dashboard|
Secret Detection is performed by a specific analyzer
secret-detection job. It runs regardless of the programming
language of your app.
$) as this likely indicates the password being used is an environment variable. For example,
https://username:$email@example.com/path/to/repowon’t be detected, whereas
https://username:firstname.lastname@example.org/path/to/repowould be detected.
To enable Secret Detection for GitLab 13.1 and later, you must include the
Secret-Detection.gitlab-ci.yml template that’s provided as a part of your GitLab installation. For GitLab versions earlier than 11.9, you can copy and use the job as defined in that template.
Add the following to your
include: - template: Secret-Detection.gitlab-ci.yml
The included template creates Secret Detection jobs in your CI/CD pipeline and scans your project’s source code for secrets.
The results are saved as a Secret Detection report artifact that you can later download and analyze. Due to implementation limitations, we always take the latest Secret Detection artifact available.
Prior to GitLab 13.1, Secret Detection was part of SAST configuration. If you already have SAST enabled for your app configured before GitLab 13.1, you don’t need to manually configure it.
Secret-Detection.gitlab-ci.ymlto prevent future issues. We have made a video to guide you through the process of transitioning to this new template.
When using the SAST template, Secret Detection is performed by a specific analyzer
sast job. It runs regardless of the programming
language of your app, and you don’t need to change your
CI/CD configuration file to enable it. Results are available in the SAST report.
To override a job definition, (for example, change properties like
declare a job with the same name as the SAST job to override. Place this new job after the template
inclusion and specify any additional keys under it.
In the following example, we include the Secret Detection template and at the same time we
secret_detection job with the
SECRET_DETECTION_HISTORIC_SCAN variable to
include: - template: Secret-Detection.gitlab-ci.yml secret_detection: variables: SECRET_DETECTION_HISTORIC_SCAN: "true"
Because the template is evaluated before the pipeline configuration, the last mention of the variable takes precedence.
Secret Detection can be customized by defining available variables:
|Environment variable||Default value||Description|
|-||The commit a Gitleaks scan starts at.|
|-||The commit a Gitleaks scan ends at.|
|false||Flag to enable a historic Gitleaks scan.|
To control the verbosity of logs set the
SECURE_LOG_LEVEL environment variable. Messages of this logging level or higher are output. Introduced in GitLab 13.1.
From highest to lowest severity, the logging levels are:
GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality is particularly useful when you are enabling Secret Detection in a repository for the first time and you want to perform a full secret scan. Running a secret scan on the full history can take a long time, especially for larger repositories with lengthy Git histories. We recommend not setting this variable as part of your normal job definition.
A new configuration variable (
can be set to change the behavior of the GitLab Secret Detection scan to run on the entire Git history of a repository.
We have created a short video walkthrough showcasing how you can perform a full history secret scan.