diff --git a/.gitlab/ci/gitlab-gems.gitlab-ci.yml b/.gitlab/ci/gitlab-gems.gitlab-ci.yml
index cc8a058d354991559046e6b06141deca137ee329..99c9242ee665c20541129e6ccd61ad4dd0f6f983 100644
--- a/.gitlab/ci/gitlab-gems.gitlab-ci.yml
+++ b/.gitlab/ci/gitlab-gems.gitlab-ci.yml
@@ -32,3 +32,6 @@ include:
 - local: .gitlab/ci/templates/gem.gitlab-ci.yml
 inputs:
 gem_name: "gitlab-backup-cli"
+ - local: .gitlab/ci/templates/gem.gitlab-ci.yml
+ inputs:
+ gem_name: "gitlab-secret_detection"
diff --git a/Gemfile b/Gemfile
index c1e9e34c3a5548f2bfdbaba8e341a121bc3799a4..21c8f74560fb01074a9e9501010f488f3b116496 100644
--- a/Gemfile
+++ b/Gemfile
@@ -43,6 +43,8 @@ group :monorepo do
 gem 'gitlab-backup-cli', path: 'gems/gitlab-backup-cli', feature_category: :backup_restore
 end
+gem 'gitlab-secret_detection', path: 'gems/gitlab-secret_detection', feature_category: :secret_detection
+
 # Responders respond_to and respond_with
 gem 'responders', '~> 3.0' # rubocop:todo Gemfile/MissingFeatureCategory
diff --git a/Gemfile.lock b/Gemfile.lock
index e2ebb91381337f17f5a4610b8447bcf859a3fd05..0eff85d76ff4ad34cbea11a58e6425109b655c7b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -60,6 +60,11 @@ PATH diffy pg_query +PATH + remote: gems/gitlab-secret_detection + specs: + gitlab-secret_detection (0.1.0) + PATH remote: gems/gitlab-utils specs:
@@ -1871,6 +1876,7 @@ DEPENDENCIES gitlab-rspec! gitlab-safe_request_store! gitlab-schema-validation! + gitlab-secret_detection! gitlab-sidekiq-fetcher! gitlab-styles (~> 11.0.0) gitlab-utils!
diff --git a/gems/gitlab-secret_detection/.gitignore b/gems/gitlab-secret_detection/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..99deaff73aabc05c6ecc1af8307cfa524717d645
--- /dev/null
+++ b/gems/gitlab-secret_detection/.gitignore
@@ -0,0 +1,12 @@
+
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
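Review bot: In the Gemfile hunk the new `gem 'gitlab-secret_detection', path: 'gems/gitlab-secret_detection', feature_category: :secret_detection` line is added after the `end` that closes `group :monorepo`, whereas the neighbouring path-based gem `gitlab-backup-cli` lives inside that group. If nothing outside the monorepo group needs this gem, moving the line up into the group keeps the locally vendored gems declared in one place and makes the intent clearer to the next reader. The `Gemfile.lock` hunks are consistent with the top-level placement, so they would need regenerating if the gem is moved. The `group :monorepo` block itself starts before this hunk.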
diff --git a/gems/gitlab-secret_detection/.gitlab-ci.yml b/gems/gitlab-secret_detection/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..53ae91fe4ca4b81ec290bd13f34b9d219c4924b1
--- /dev/null
+++ b/gems/gitlab-secret_detection/.gitlab-ci.yml
@@ -0,0 +1,4 @@
+include:
+ - local: gems/gem.gitlab-ci.yml
+ inputs:
+ gem_name: "gitlab-secret_detection"
diff --git a/gems/gitlab-secret_detection/.rspec b/gems/gitlab-secret_detection/.rspec
new file mode 100644
index 0000000000000000000000000000000000000000..34c5164d9b56c7d528f061c97f2d2fe02c834bdd
--- /dev/null
+++ b/gems/gitlab-secret_detection/.rspec
@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper
diff --git a/gems/gitlab-secret_detection/.rubocop.yml b/gems/gitlab-secret_detection/.rubocop.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1dc800520ca55725a86cee7cfc35b5bc69b6a8de
--- /dev/null
+++ b/gems/gitlab-secret_detection/.rubocop.yml
@@ -0,0 +1,8 @@
+inherit_from:
+ - ../config/rubocop.yml
+
+AllCops:
+ NewCops: enable
+
+RSpec/MultipleMemoizedHelpers:
+ Max: 25
diff --git a/gems/gitlab-secret_detection/CHANGELOG.md b/gems/gitlab-secret_detection/CHANGELOG.md
new file mode 100644
index 0000000000000000000000000000000000000000..35648bae90c82035b111e667a03eb293f292b5f6
--- /dev/null
+++ b/gems/gitlab-secret_detection/CHANGELOG.md
@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0]
+
+- Initial release
diff --git a/gems/gitlab-secret_detection/Gemfile b/gems/gitlab-secret_detection/Gemfile
new file mode 100644
index 0000000000000000000000000000000000000000..d0fb4d4d12be4b4ffbcbceeac997140770c68b8a
--- /dev/null
+++ b/gems/gitlab-secret_detection/Gemfile
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in gitlab-secret_detection.gemspec
+gemspec
diff --git a/gems/gitlab-secret_detection/Gemfile.lock b/gems/gitlab-secret_detection/Gemfile.lock
new file mode 100644
index 0000000000000000000000000000000000000000..2f615b24d86a91df1b591b74c37be792aa434ab4
--- /dev/null
+++ b/gems/gitlab-secret_detection/Gemfile.lock
@@ -0,0 +1,139 @@ +PATH + remote: . + specs: + gitlab-secret_detection (0.1.0) + +GEM + remote: https://rubygems.org/ + specs: + activesupport (7.1.2) + base64 + bigdecimal + concurrent-ruby (~> 1.0, >= 1.0.2) + connection_pool (>= 2.2.5) + drb + i18n (>= 1.6, < 2) + minitest (>= 5.1) + mutex_m + tzinfo (~> 2.0) + ast (2.4.2) + base64 (0.2.0) + benchmark-malloc (0.2.0) + benchmark-perf (0.6.0) + benchmark-trend (0.4.0) + bigdecimal (3.1.4) + binding_of_caller (1.0.0) + debug_inspector (>= 0.0.1) + coderay (1.1.3) + concurrent-ruby (1.2.2) + connection_pool (2.4.1) + debug_inspector (1.1.0) + diff-lcs (1.5.0) + drb (2.2.0) + ruby2_keywords + gitlab-styles (10.1.0) + rubocop (~> 1.50.2) + rubocop-graphql (~> 0.18) + rubocop-performance (~> 1.15) + rubocop-rails (~> 2.17) + rubocop-rspec (~> 2.22) + i18n (1.14.1) + concurrent-ruby (~> 1.0) + json (2.6.3) + minitest (5.20.0) + mutex_m (0.2.0) + parallel (1.23.0) + parser (3.2.2.4) + ast (~> 2.4.1) + racc + proc_to_ast (0.1.0) + coderay + parser + unparser + racc (1.7.1) + rack (3.0.8) + rainbow (3.1.1) + regexp_parser (2.8.2) + rexml (3.2.6) + rspec (3.12.0) + rspec-core (~> 3.12.0) + rspec-expectations (~> 3.12.0) + rspec-mocks (~> 3.12.0) + rspec-benchmark (0.6.0) + benchmark-malloc (~> 0.2) + benchmark-perf (~> 0.6) + benchmark-trend (~> 0.4) + rspec (>= 3.0) + rspec-core (3.12.2) + rspec-support (~> 3.12.0) + rspec-expectations (3.12.3) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.12.0) + rspec-mocks (3.12.6) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.12.0) + rspec-parameterized (1.0.0) + rspec-parameterized-core (< 2) + rspec-parameterized-table_syntax (< 2) + rspec-parameterized-core (1.0.0) + parser + proc_to_ast + rspec (>= 2.13, < 4) + unparser + rspec-parameterized-table_syntax (1.0.1) + binding_of_caller + rspec-parameterized-core (< 2) + rspec-support (3.12.1) + rubocop (1.50.2) + json (~> 2.3) + parallel (~> 1.10) + parser (>= 3.2.0.0) + rainbow (>= 2.2.2, < 4.0) + regexp_parser (>= 1.8, < 
3.0) + rexml (>= 3.2.5, < 4.0) + rubocop-ast (>= 1.28.0, < 2.0) + ruby-progressbar (~> 1.7) + unicode-display_width (>= 2.4.0, < 3.0) + rubocop-ast (1.30.0) + parser (>= 3.2.1.0) + rubocop-capybara (2.19.0) + rubocop (~> 1.41) + rubocop-factory_bot (2.24.0) + rubocop (~> 1.33) + rubocop-graphql (0.19.0) + rubocop (>= 0.87, < 2) + rubocop-performance (1.19.1) + rubocop (>= 1.7.0, < 2.0) + rubocop-ast (>= 0.4.0) + rubocop-rails (2.20.0) + activesupport (>= 4.2.0) + rack (>= 1.1) + rubocop (>= 1.33.0, < 2.0) + rubocop-rspec (2.25.0) + rubocop (~> 1.40) + rubocop-capybara (~> 2.17) + rubocop-factory_bot (~> 2.22) + ruby-progressbar (1.13.0) + ruby2_keywords (0.0.5) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) + unicode-display_width (2.5.0) + unparser (0.6.9) + diff-lcs (~> 1.3) + parser (>= 3.2.2.4) + +PLATFORMS + ruby + +DEPENDENCIES + gitlab-secret_detection! + gitlab-styles (~> 10.1.0) + rspec (~> 3.0) + rspec-benchmark (~> 0.6.0) + rspec-parameterized (~> 1.0) + rubocop (~> 1.50) + rubocop-rails (<= 2.20) + rubocop-rspec (~> 2.22) + +BUNDLED WITH + 2.4.14 diff --git a/gems/gitlab-secret_detection/README.md b/gems/gitlab-secret_detection/README.md new file mode 100644 index 0000000000000000000000000000000000000000..1e1095b234aa16e3b6b7ebd28995b371edc4df6e --- /dev/null +++ b/gems/gitlab-secret_detection/README.md @@ -0,0 +1,3 @@ +# Gitlab::SecretDetection + +The gitlab-secret_detection gem performs keyword and regex matching on git blobs that may include secrets. The gem accepts one or more git blobs, matches them against a defined ruleset of regular expressions, and returns scan results. diff --git a/gems/gitlab-secret_detection/gitlab-secret_detection.gemspec b/gems/gitlab-secret_detection/gitlab-secret_detection.gemspec new file mode 100644 index 0000000000000000000000000000000000000000..ff5121846f4683c2074942949d747c1a3375ffab --- /dev/null +++ b/gems/gitlab-secret_detection/gitlab-secret_detection.gemspec 
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative "lib/gitlab/secret_detection/version"
+
+Gem::Specification.new do |spec|
+ spec.name = "gitlab-secret_detection"
+ spec.version = Gitlab::SecretDetection::VERSION
+ spec.authors = ["group::static analysis"]
+ spec.email = ["eng-dev-secure-static-analysis@gitlab.com"]
+
+ spec.summary = "The gitlab-secret_detection gem performs regex matching on git blobs that may include secrets."
+ spec.description = "The gitlab-secret_detection gem accepts one or more git blobs,
+ matches them against a defined ruleset of regular expressions (based on gitleaks.toml used by secrets analyzer),
+ and returns scan results."
+ spec.homepage = "https://gitlab.com/gitlab-org/gitlab/-/tree/master/gems/gitlab-secret_detection"
+ spec.license = "MIT"
+ spec.required_ruby_version = ">= 3.0"
+
+ spec.metadata["rubygems_mfa_required"] = "true"
+ spec.metadata["homepage_uri"] = spec.homepage
+ spec.metadata["source_code_uri"] = spec.homepage
+ spec.metadata["changelog_uri"] = "https://gitlab.com/gitlab-org/gitlab/-/tree/master/gems/gitlab-secret_detection/CHANGELOG.md"
+
+ spec.files = Dir['lib/**/*.rb']
+ spec.require_paths = ["lib"]
+
+ spec.add_development_dependency "gitlab-styles", "~> 10.1.0"
+ spec.add_development_dependency "rspec", "~> 3.0"
+ spec.add_development_dependency "rspec-benchmark", "~> 0.6.0"
+ spec.add_development_dependency "rspec-parameterized", "~> 1.0"
+ spec.add_development_dependency "rubocop", "~> 1.50"
+ spec.add_development_dependency "rubocop-rails", "<= 2.20" # https://github.com/rubocop/rubocop-rails/issues/1173
+ spec.add_development_dependency "rubocop-rspec", "~> 2.22"
+end
diff --git a/gems/gitlab-secret_detection/lib/gitlab/secret_detection.rb b/gems/gitlab-secret_detection/lib/gitlab/secret_detection.rb
new file mode 100644
index 0000000000000000000000000000000000000000..54e0eb794a37f23178fd5029f5765896bd8f8630
--- /dev/null
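Review bot: `spec.description` is written as a single double-quoted literal that spans three source lines, so the embedded newlines and the leading whitespace of the two continuation lines become part of the description string that is published with the gem. A squiggly heredoc (`<<~DESC`, joined with `.tr("\n", " ").strip`) or adjacent literals joined with a trailing `\` keep the text readable in the file without leaking its layout into the metadata. The same file mixes quote styles: `spec.files = Dir['lib/**/*.rb']` is the only single-quoted string in an otherwise double-quoted gemspec, and the gem's own `.rubocop.yml` inherits the shared config, so this is likely to be flagged there anyway. The `rubygems_mfa_required` metadata and the `Dir['lib/**/*.rb']` file list are the right choices for a gem that only ships `lib/`.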
+++ b/gems/gitlab-secret_detection/lib/gitlab/secret_detection.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require_relative "secret_detection/version"
+
+module Gitlab
+ module SecretDetection
+ end
+end
diff --git a/gems/gitlab-secret_detection/lib/gitlab/secret_detection/version.rb b/gems/gitlab-secret_detection/lib/gitlab/secret_detection/version.rb
new file mode 100644
index 0000000000000000000000000000000000000000..8fc73a0212160fc588c4d8c81b16e2bc26ab79d8
--- /dev/null
+++ b/gems/gitlab-secret_detection/lib/gitlab/secret_detection/version.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module SecretDetection
+ VERSION = "0.1.0"
+ end
+end
diff --git a/gems/gitlab-secret_detection/spec/gitlab/secret_detection_spec.rb b/gems/gitlab-secret_detection/spec/gitlab/secret_detection_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..112ab8c7468c16cee311d28e64ef7f29c5d18f82
--- /dev/null
+++ b/gems/gitlab-secret_detection/spec/gitlab/secret_detection_spec.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+RSpec.describe Gitlab::SecretDetection do
+ it "has a version number" do
+ expect(Gitlab::SecretDetection::VERSION).not_to be_nil
+ end
+end
diff --git a/gems/gitlab-secret_detection/spec/spec_helper.rb b/gems/gitlab-secret_detection/spec/spec_helper.rb
new file mode 100644
index 0000000000000000000000000000000000000000..b694e52d2b6a7fafc321b3dc426f562ef52967af
--- /dev/null
+++ b/gems/gitlab-secret_detection/spec/spec_helper.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'gitlab/secret_detection'
+require 'rspec-parameterized'
+
+RSpec.configure do |config|
+ # Enable flags like --only-failures and --next-failure
+ config.example_status_persistence_file_path = ".rspec_status"
+
+ # Disable RSpec exposing methods globally on `Module` and `main`
+ config.disable_monkey_patching!
+
+ Dir['./spec/support/**/*.rb'].each { |f| require f }
+
+ config.expect_with :rspec do |c|
+ c.syntax = :expect
+ end
+end
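Review bot: `Dir['./spec/support/**/*.rb'].each { |f| require f }` resolves the glob against the process working directory rather than the spec directory, so when the suite is run from the monorepo root (as the `gems/gem.gitlab-ci.yml` include suggests it may be) the support files are silently skipped instead of failing loudly. Anchoring on `__dir__` and sorting the result also makes the load order deterministic across filesystems: `Dir[File.join(__dir__, 'support', '**', '*.rb')].sort.each { |f| require f }`. The `.rspec_status` path given to `example_status_persistence_file_path` is relative to the working directory too, which matches the entry added to the gem's `.gitignore` only when specs run from the gem directory.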