From b53add4f36677afd7f348a1055a45b3a6051282e Mon Sep 17 00:00:00 2001
From: Ahmed Hemdan
Date: Tue, 24 Oct 2023 21:21:48 +0200
Subject: [PATCH] Make the secrets check an ultimate feature

---
 ee/app/models/gitlab_subscriptions/features.rb | 1 +
 .../gitlab/checks/push_rules/secrets_check.rb | 7 +++++--
 .../checks/push_rules/secrets_check_spec.rb | 17 +++++++++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/ee/app/models/gitlab_subscriptions/features.rb b/ee/app/models/gitlab_subscriptions/features.rb
index 7c6ec066cfb2e7..a8907ce4dd1316 100644
--- a/ee/app/models/gitlab_subscriptions/features.rb
+++ b/ee/app/models/gitlab_subscriptions/features.rb
@@ -221,6 +221,7 @@ class Features
 license_scanning
 okrs
 personal_access_token_expiration_policy
+ pre_receive_secret_detection
 product_analytics
 project_quality_summary
 project_level_analytics_dashboard
diff --git a/ee/lib/ee/gitlab/checks/push_rules/secrets_check.rb b/ee/lib/ee/gitlab/checks/push_rules/secrets_check.rb
index 1367887ef0142a..6361e45925b1fe 100644
--- a/ee/lib/ee/gitlab/checks/push_rules/secrets_check.rb
+++ b/ee/lib/ee/gitlab/checks/push_rules/secrets_check.rb
@@ -8,8 +8,11 @@ class SecretsCheck < ::Gitlab::Checks::BaseBulkChecker
 def validate!
 # Return early and not perform the check if:
 # 1. no push rule exist
- # 2. feature flag is disabled
- return unless push_rule && ::Feature.enabled?(:pre_receive_secret_detection_push_check, push_rule.project)
+ # 2. and license is not ultimate
+ # 3. and feature flag is disabled
+ return unless push_rule &&
+ push_rule.project.licensed_feature_available?(:pre_receive_secret_detection) &&
+ ::Feature.enabled?(:pre_receive_secret_detection_push_check, push_rule.project)
 end
 end
 end
diff --git a/ee/spec/lib/ee/gitlab/checks/push_rules/secrets_check_spec.rb b/ee/spec/lib/ee/gitlab/checks/push_rules/secrets_check_spec.rb
index fe005f3fa4501e..cab206795bbcbb 100644
--- a/ee/spec/lib/ee/gitlab/checks/push_rules/secrets_check_spec.rb
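Review bot: The rewritten comment in `validate!` joins its conditions with "and", but `return unless push_rule && … && …` skips the check as soon as any one of the three fails, so the comment understates how often a push goes unscanned. It also says "license is not ultimate" while the code asks `licensed_feature_available?(:pre_receive_secret_detection)`, which is a per-feature check rather than a comparison against a plan tier. I would reword the list items as `# 2. or the project is not licensed for pre_receive_secret_detection` and `# 3. or the feature flag is disabled`. Every failed condition makes this control fail open without a log line or error, so the comment is the only place a maintainer learns when secrets are not scanned and it should be exact.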
+++ b/ee/spec/lib/ee/gitlab/checks/push_rules/secrets_check_spec.rb
@@ -11,6 +11,23 @@
 it_behaves_like 'check ignored when push rule unlicensed'
 it_behaves_like 'use predefined push rules'

+ context 'when license is not ultimate' do
+ it 'skips the check' do
+ expect(subject.validate!).to be_nil
+ end
+ end
+
+ context 'when license is ultimate' do
+ before do
+ stub_licensed_features(pre_receive_secret_detection: true)
+ end
+
+ it 'returns without raising errors' do
+ # Since the check does nothing at the moment, it just execute without raising errors
+ expect { subject.validate! }.not_to raise_error
+ end
+ end
+
 context 'when feature flag is disabled' do
 before do
 stub_feature_flags(pre_receive_secret_detection_push_check: false)
-- 
GitLab
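Review bot: The new 'when license is not ultimate' example cannot fail: `validate!` ends in `return unless …` with nothing after it, so it returns nil whether or not the license gate trips, and `expect(subject.validate!).to be_nil` passes on both paths. The context also relies on the feature being unlicensed by default instead of stating it; `before { stub_licensed_features(pre_receive_secret_detection: false) }` would make the precondition explicit. Once the scan itself exists, this example should assert that the scan is not invoked, otherwise a later change that drops the license gate would go unnoticed. The 'when feature flag is disabled' context at the end of the hunk continues outside it.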