Secret Detection aims to prevent sensitive information, such as passwords, authentication tokens, and private keys, from being unintentionally leaked as part of the repository content.
It checks files and configuration for well-known variable names and file names, and reports anything that is potentially risky to share.
It is not tied to a specific language, so the ruleset can be applied to any project.
Our goal is to provide Secret Detection as part of the standard development process. This means that Secret Detection is executed every time a new commit is pushed to a branch. We also want to include Secret Detection as part of Auto DevOps.
Secret Detection results can be consumed in the merge request, where only new vulnerabilities introduced by the new code are shown.
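As an added illustration of the two points above, matching well-known variable and file names, and reporting only what a merge request adds, here is a small Python scanner over a unified diff. It is not GitLab's code or ruleset; the rules, the `scan_diff` function and the sample diff are constructed for this example.

```python
import re

# Constructed, deliberately small ruleset (assumption, not GitLab's own): well-known
# credential variable names, a private-key header, and file names that hold secrets.
VARIABLE_RULES = {
    "aws-secret-key": re.compile(r"\bAWS_SECRET_ACCESS_KEY\s*[=:]\s*\S+"),
    "generic-password": re.compile(r"(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^'\"\s]{4,}", re.I),
    "generic-token": re.compile(r"(?:api_key|api_token|access_token)\s*[=:]\s*\S{8,}", re.I),
    "private-key-header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
FILE_RULES = {
    "ssh-private-key-file": re.compile(r"(?:^|/)id_(?:rsa|dsa|ecdsa|ed25519)$"),
    "dotenv-file": re.compile(r"(?:^|/)\.env(?:\..+)?$"),
}

def scan_diff(diff_text):
    """Return (rule, path, new_line) findings only for content the diff adds,
    i.e. what the merge request view shows; line 0 marks a file-name finding."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):  # new-file header; tested before the plain "+" case
            path = re.sub(r"^b/", "", raw[4:].strip())
            findings += [(n, path, 0) for n, rx in FILE_RULES.items() if rx.search(path)]
        elif raw.startswith("-"):  # old-file header or removed line: not new content
            continue
        elif raw.startswith("@@"):  # hunk header carries the starting line of the new file
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):  # added line: the only place a new secret can enter
            findings += [(n, path, new_line) for n, rx in VARIABLE_RULES.items() if rx.search(raw[1:])]
            new_line += 1
        elif raw.startswith(" "):  # unchanged context still advances the new-file counter
            new_line += 1
    return findings

# Constructed sample diff: one rotated password, one new AWS key, one new .env file.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,4 @@
 DEBUG = False
-DB_PASSWORD = "old-hunter2"
+DB_PASSWORD = "hunter2-rotated"
+AWS_SECRET_ACCESS_KEY = "EXAMPLEKEYNOTREAL0000"
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+API_TOKEN=placeholder-token-value
"""
```

The removed `old-hunter2` line produces no finding, which is the merge-request behaviour the page describes; a full-history scan would have to look at removed lines and earlier commits as well.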
There is also strong demand for blocking a remote push if it contains secrets. This is not a simple problem to address, because it implies solving the following problems:
We want to leverage existing open source tools to provide a first MVC for Secret Detection.
The next MVC is to perform secret detection on the full history of the repository: https://gitlab.com/gitlab-org/gitlab-ee/issues/9508
GitHub offers Token Scanning that aims to detect secrets in public repositories. The approach is quite different, as the scan is performed asynchronously and users are not notified, but service providers are.
Secret detection is not currently part of any analyst report. However, since we consider it related to SAST, we can raise awareness in that specific context.
Currently we don't have any request from our internal customers.