I have GitLab secret detection set up and I want to check whether it actually works. I have a Spring project and the job is configured. What kinds of secret patterns does it pick up?
Does anyone know how I can check whether it really picks something up?
I tried adding the following to the code (it is made up) but it was not flagged:

```
aws_secret=AKIAIMNOJVGFDXXXE4OA
```
Best answer
If the secret detector finds a secret, it will not fail the job (i.e., it does not exit with a non-zero code). The analyzer output shows how many leaks were found, but not what they are. The full details are written to a file named `gl-secret-detection-report.json`. You can `cat` the file in the job so the results are visible in the job output, and/or upload it as an artifact so it is recognised as a SAST report.

Here is the secret detection job from one of my pipelines; it `cat`s the file and uploads it as a SAST report artifact. Note: for my purposes I could not use the template directly, so I run the analyzer manually:
```yaml
Secrets Detector:
  stage: sast
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/secrets"
  needs: []
  only:
    - branches
  except:
    - main
  before_script:
    - apk add jq
  script:
    - /analyzer run
    - cat gl-secret-detection-report.json | jq '.'
  artifacts:
    reports:
      sast: gl-secret-detection-report.json
```
For a test repository I set up, with a GitLab Runner registration token added to a file named `TESTING`, the `gl-secret-detection-report.json` file looks like this:
```json
{
  "version": "14.0.4",
  "vulnerabilities": [
    {
      "id": "138bf52be327e2fc3d1934e45c93a83436c267e45aa84f5b55f2db87085cb205",
      "category": "secret_detection",
      "name": "GitLab Runner Registration Token",
      "message": "GitLab Runner Registration Token detected; please remove and revoke it if this is a leak.",
      "description": "Historic GitLab Runner Registration Token secret has been found in commit 0a4623336ac54174647e151186c796cf7987702a.",
      "cve": "TESTING:5432b14f2bdaa01f041f6eeadc53fe68c96ef12231b168d86c71b95aca838f3c:gitlab_runner_registration_token",
      "severity": "Critical",
      "confidence": "Unknown",
      "raw_source_code_extract": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "scanner": {
        "id": "gitleaks",
        "name": "Gitleaks"
      },
      "location": {
        "file": "TESTING",
        "commit": {
          "author": "author",
          "date": "2022-09-12T17:30:33Z",
          "message": "a commit message",
          "sha": "0a4623336ac54174647e151186c796cf7987702a"
        },
        "start_line": 1
      },
      "identifiers": [
        {
          "type": "gitleaks_rule_id",
          "name": "Gitleaks rule ID gitlab_runner_registration_token",
          "value": "gitlab_runner_registration_token"
        }
      ]
    }
  ],
  "scan": {
    "analyzer": {
      "id": "secrets",
      "name": "secrets",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/secrets",
      "vendor": {
        "name": "GitLab"
      },
      "version": "4.3.2"
    },
    "scanner": {
      "id": "gitleaks",
      "name": "Gitleaks",
      "url": "https://github.com/zricethezav/gitleaks",
      "vendor": {
        "name": "GitLab"
      },
      "version": "8.10.3"
    },
    "type": "secret_detection",
    "start_time": "2022-09-12T17:30:54",
    "end_time": "2022-09-12T17:30:55",
    "status": "success"
  }
}
```
This includes the type of secret found, the file and line it is in, and information about the commit that added it.

If you want to force the job to fail when any secrets are found, you can do that with `jq` (note: I install `jq` in the `before_script` of this job; it is not available in the image by default):
```yaml
Secrets Detector:
  stage: sast
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/secrets"
  needs: []
  only:
    - branches
  except:
    - main
  before_script:
    - apk add jq
  script:
    - /analyzer run
    - cat gl-secret-detection-report.json | jq '.'
    # jq prints the literal strings true/false, so compare the string: a bare [[ "false" ]] is always truthy
    - if [[ $(cat gl-secret-detection-report.json | jq '.vulnerabilities | length > 0') == "true" ]]; then echo "secrets found" && exit 1; fi
  artifacts:
    reports:
      sast: gl-secret-detection-report.json
```
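As an added example (not from the answer above and not GitLab's own analyzer code), a small Python script that reads a report in the format shown above, prints each finding without its raw value, and returns a non-zero status when anything was found or the scan did not succeed. The embedded report is a constructed sample; the `gl-secret-detection-report.json` path matches the job above.

```python
import json
import sys
from pathlib import Path
# Constructed sample in the shape of the report above; only metadata is kept, no token value.
SAMPLE_REPORT = {
    "version": "14.0.4",
    "vulnerabilities": [{
        "name": "GitLab Runner Registration Token",
        "severity": "Critical",
        "location": {
            "file": "TESTING",
            "commit": {"sha": "0a4623336ac54174647e151186c796cf7987702a"},
            "start_line": 1,
        },
        "identifiers": [{"type": "gitleaks_rule_id", "value": "gitlab_runner_registration_token"}],
    }],
    "scan": {"status": "success"},
}

def summarize_findings(report: dict) -> list:
    """One compact record per finding: rule id, severity, file, line and commit.
    raw_source_code_extract is deliberately not copied so the job log never echoes the secret."""
    findings = []
    for vuln in report.get("vulnerabilities", []):
        loc = vuln.get("location", {})
        rule = next((i.get("value") for i in vuln.get("identifiers", [])
                     if i.get("type") == "gitleaks_rule_id"), vuln.get("name", "unknown"))
        findings.append({"rule": rule, "severity": vuln.get("severity", "Unknown"),
                         "file": loc.get("file"), "line": loc.get("start_line"),
                         "commit": loc.get("commit", {}).get("sha")})
    return findings

def exit_code_for(report: dict) -> int:
    """1 if the scan did not succeed or any secret was found, otherwise 0."""
    if report.get("scan", {}).get("status") != "success":
        return 1
    return 1 if summarize_findings(report) else 0

def main(path: str = "gl-secret-detection-report.json") -> int:
    try:
        report = json.loads(Path(path).read_text())
    except FileNotFoundError:
        print(f"{path} not found; did /analyzer run succeed?", file=sys.stderr)
        return 1
    for f in summarize_findings(report):
        print(f"{f['severity']}: {f['rule']} in {f['file']}:{f['line']} (commit {f['commit']})")
    return exit_code_for(report)

if __name__ == "__main__":
    sys.exit(main())
```

Run it as a `script` step after `/analyzer run`; a missing report is treated as a failure rather than silently passing.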
Regarding GitLab secret detection and how to test that it works, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/73665289/