gitlab-foss/gems/gitlab-secret_detection

Gitlab::SecretDetection

The gitlab-secret_detection gem performs keyword and regex matching on git blobs that may include secrets. The gem accepts one or more git blobs, matches them against a defined ruleset of regular expressions, and returns scan results.

Scan parameters

The method that triggers the scan (i.e., Gitlab::SecretDetection.secrets_scan) accepts the following parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| blobs | Array | Yes | NA | Array of blobs; each blob must have id and data properties. id identifies the blob uniquely within the given array and data is the content of the blob to scan. |
| timeout | Number | No | 60s | The maximum duration allowed for the scan to run on a commit request comprising multiple blobs. If the specified timeout elapses, the scan is automatically terminated. The timeout is specified in seconds but also accepts floating-point values for smaller units; for instance, 0.5 represents 500ms. |
| blob_timeout | Number | No | 5s | The maximum duration allowed for the scan to run on an individual blob. When this timeout expires, the scan is interrupted for the current blob and advances to the next blob in the request. The timeout is specified in seconds but also accepts floating-point values for smaller units; for instance, 0.5 represents 500ms. |
| subprocess | Boolean | No | true | Runs the scan operation within a subprocess rather than the main process. This design aims to mitigate memory overconsumption that may arise from scanning multiple large blobs within a single process. Check here for more details. |

Scan Constraints

| Name | Value | Description |
|---|---|---|
| MAX_PROCS_PER_REQUEST | 5 | The maximum number of processes spawned per commit request. |
| MIN_CHUNK_SIZE_PER_PROC_BYTES | 2MiB | The minimum cumulative size of blobs required before a new subprocess is created; the scan for those blobs is executed within that dedicated process. |

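The following is an added, stand-alone Ruby illustration of the scan contract described in the two tables above (blobs with id and data, a keyword prefilter followed by regex matching, a per-blob timeout and a request-level timeout, and the subprocess sizing constants). It is not the gem's own code: the ruleset, the Finding struct, the secrets_scan and subprocess_count helpers, and the partitioning rule of one subprocess per MIN_CHUNK_SIZE_PER_PROC_BYTES of cumulative data are all assumptions made for this example, and the sample blobs are constructed.

```ruby
require 'timeout'

# Constructed example ruleset, not the gem's real rules. Each rule carries a
# keyword prefilter so the (more expensive) regex only runs on blobs that
# contain the keyword.
EXAMPLE_RULESET = [
  { id: 'example_token', keywords: ['exmpl_'],
    regex: /\bexmpl_[A-Za-z0-9]{20}\b/ },
  { id: 'private_key', keywords: ['PRIVATE KEY'],
    regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ }
].freeze

# Constants mirror the Scan Constraints table; the partitioning rule below is an assumption.
MAX_PROCS_PER_REQUEST = 5
MIN_CHUNK_SIZE_PER_PROC_BYTES = 2 * 1024 * 1024

Finding = Struct.new(:blob_id, :rule_id, :line_number)

# Scan a single blob ({ id:, data: }) under blob_timeout seconds.
# On timeout, findings collected so far are returned with status :blob_timeout.
def scan_blob(blob, ruleset, blob_timeout)
  findings = []
  Timeout.timeout(blob_timeout) do
    ruleset.each do |rule|
      # Keyword prefilter: skip the regex when no keyword is present.
      next unless rule[:keywords].any? { |kw| blob[:data].include?(kw) }

      blob[:data].each_line.with_index(1) do |line, number|
        findings << Finding.new(blob[:id], rule[:id], number) if line.match?(rule[:regex])
      end
    end
  end
  { status: :done, findings: findings }
rescue Timeout::Error
  { status: :blob_timeout, findings: findings }
end

# Scan all blobs in a request. A blob timeout only skips that blob; the
# request-level timeout aborts the whole scan and reports :scan_timeout.
def secrets_scan(blobs, ruleset: EXAMPLE_RULESET, timeout: 60, blob_timeout: 5)
  results = { status: :done, findings: [], timed_out_blobs: [] }
  Timeout.timeout(timeout) do
    blobs.each do |blob|
      blob_result = scan_blob(blob, ruleset, blob_timeout)
      results[:findings].concat(blob_result[:findings])
      results[:timed_out_blobs] << blob[:id] if blob_result[:status] == :blob_timeout
    end
  end
  results
rescue Timeout::Error
  results.merge(status: :scan_timeout)
end

# Assumed sizing rule (not the gem's algorithm): one subprocess per
# MIN_CHUNK_SIZE_PER_PROC_BYTES of cumulative blob data, at least 1 and
# never more than MAX_PROCS_PER_REQUEST.
def subprocess_count(blobs)
  total_bytes = blobs.sum { |blob| blob[:data].bytesize }
  [[total_bytes / MIN_CHUNK_SIZE_PER_PROC_BYTES, 1].max, MAX_PROCS_PER_REQUEST].min
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample blobs: one with a fake token, one clean.
  sample_blobs = [
    { id: 'blob-1', data: "config:\n  token: exmpl_#{'a' * 20}\n" },
    { id: 'blob-2', data: "nothing sensitive here\n" }
  ]
  result = secrets_scan(sample_blobs, timeout: 2.0, blob_timeout: 0.5)
  result[:findings].each { |f| puts "#{f.blob_id}:#{f.line_number} matched #{f.rule_id}" }
  puts "status=#{result[:status]} subprocesses=#{subprocess_count(sample_blobs)}"
end
```

Findings report only the blob id, rule id and line number, never the matched text, so the scan output itself does not become a second copy of the secret; the two timeouts are applied with Ruby's Timeout module so that one slow blob degrades to a partial result rather than stalling the whole commit request.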
Ruleset Source

The Ruleset file referenced for running the Pre-receive Secret Detection is located here.