Gitlab secret 检测，如何测试其工作原理

Question

我有 gitlab secret 检测，我想检查它是否有效。我有 Spring 项目和工作安排。它会拾取什么样的 secret 图案。

有谁知道我如何检查它是否确实拾取了某些东西？

我尝试将以下内容添加到代码中，它是自己编写的，但没有被标记:

aws_secret=AKIAIMNOJVGFDXXXE4OA

Answer 1

如果 secret 检测器发现 secret ，它不会使作业失败(即，它没有非 0 退出代码)。在分析仪输出中，它将显示发现了多少泄漏，但不显示泄漏是什么。完整的详细信息将写入名为 gl-secret-detection-report.json 的文件中。您可以cat作业中的文件，以便可以在作业输出中查看结果，也可以将其作为工件上传，以便将其识别为 sast 报告。

这是我的一个管道中的 secret 检测作业，它 cat 是文件并将其作为 sast 报告工件上传。注意:出于我的目的，我无法直接使用模板，因此我手动运行分析器:

Secrets Detector:
  stage: sast
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/secrets"
  needs: []
  only:
    - branches
  except:
    - main
  before_script:
    - apk add jq
  script:
    - /analyzer run
    - cat gl-secret-detection-report.json | jq '.'
  artifacts:
    reports:
      sast: gl-secret-detection-report.json

对于我设置的测试存储库，gl-secret-detection-report.json 文件如下所示，并将 GitLab Runner 注册 token 添加到名为 TESTING 的文件中:

{
  "version": "14.0.4",
  "vulnerabilities": [
    {
      "id": "138bf52be327e2fc3d1934e45c93a83436c267e45aa84f5b55f2db87085cb205",
      "category": "secret_detection",
      "name": "GitLab Runner Registration Token",
      "message": "GitLab Runner Registration Token detected; please remove and revoke it if this is a leak.",
      "description": "Historic GitLab Runner Registration Token secret has been found in commit 0a4623336ac54174647e151186c796cf7987702a.",
      "cve": "TESTING:5432b14f2bdaa01f041f6eeadc53fe68c96ef12231b168d86c71b95aca838f3c:gitlab_runner_registration_token",
      "severity": "Critical",
      "confidence": "Unknown",
      "raw_source_code_extract": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "scanner": {
        "id": "gitleaks",
        "name": "Gitleaks"
      },
      "location": {
        "file": "TESTING",
        "commit": {
          "author": "author",
          "date": "2022-09-12T17:30:33Z",
          "message": "a commit message",
          "sha": "0a4623336ac54174647e151186c796cf7987702a"
        },
        "start_line": 1
      },
      "identifiers": [
        {
          "type": "gitleaks_rule_id",
          "name": "Gitleaks rule ID gitlab_runner_registration_token",
          "value": "gitlab_runner_registration_token"
        }
      ]
    }
  ],
  "scan": {
    "analyzer": {
      "id": "secrets",
      "name": "secrets",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/secrets",
      "vendor": {
        "name": "GitLab"
      },
      "version": "4.3.2"
    },
    "scanner": {
      "id": "gitleaks",
      "name": "Gitleaks",
      "url": "https://github.com/zricethezav/gitleaks",
      "vendor": {
        "name": "GitLab"
      },
      "version": "8.10.3"
    },
    "type": "secret_detection",
    "start_time": "2022-09-12T17:30:54",
    "end_time": "2022-09-12T17:30:55",
    "status": "success"
  }
}

这包括找到的 secret 类型、它所在的文件和行以及添加 secret 的提交中的信息。

如果您想在发现任何 secret 时强制作业失败，可以使用 jq 来实现(注意:我在 before_script 中安装了 jq 此作业，默认情况下在图像中不可用。):

Secrets Detector:
  stage: sast
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/secrets"
  needs: []
  only:
    - branches
  except:
    - main
  before_script:
    - apk add jq
  script:
    - /analyzer run
    - cat gl-secret-detection-report.json | jq '.'
    - if [[ $(cat gl-secret-detection-report.json | jq '.vulnerabilities | length > 0') ]]; then echo "secrets found" && exit 1; fi
  artifacts:
    reports:
      sast: gl-secret-detection-report.json