From 388180a158336816024116de0e9e89a31a27eefc Mon Sep 17 00:00:00 2001
From: Igor Drozdov
Date: Tue, 19 Mar 2024 18:12:24 +0100
Subject: [PATCH] Allow bypassing GitGuardian integration
When a commit contains [skip secret detection], the GitGuardian integration check is skipped
---
 .../gitlab/checks/integrations/git_guardian_check.rb | 6 ++++++
 .../checks/integrations/git_guardian_check_spec.rb | 10 ++++++++++
 2 files changed, 16 insertions(+)
diff --git a/ee/lib/gitlab/checks/integrations/git_guardian_check.rb b/ee/lib/gitlab/checks/integrations/git_guardian_check.rb
index 7038d5ad722f01..ff20ff05023a6c 100644
--- a/ee/lib/gitlab/checks/integrations/git_guardian_check.rb
+++ b/ee/lib/gitlab/checks/integrations/git_guardian_check.rb
@@ -7,6 +7,7 @@ class GitGuardianCheck < ::Gitlab::Checks::BaseBulkChecker
 BLOB_BYTES_LIMIT = 1.megabyte
 LOG_MESSAGE = 'Starting GitGuardian scan...'
+ SPECIAL_COMMIT_FLAG = /\[skip secret detection\]/i
 def initialize(integration_check)
 @changes_access = integration_check.changes_access
@@ -14,6 +15,7 @@ def initialize(integration_check)
 def validate!
 return unless integration_activated?
+ return if skip_secret_detection?
 logger.log_timed(LOG_MESSAGE) do
 blobs = changed_blobs(timeout: logger.time_left)
@@ -39,6 +41,10 @@ def changed_blobs(timeout:)
 ).execute(timeout: timeout)
 end
+ def skip_secret_detection?
+ changes_access.commits.any? { |commit| commit.safe_message =~ SPECIAL_COMMIT_FLAG }
+ end
+
 def revisions
 @revisions ||= changes_access
 .changes
diff --git a/ee/spec/lib/gitlab/checks/integrations/git_guardian_check_spec.rb b/ee/spec/lib/gitlab/checks/integrations/git_guardian_check_spec.rb
index e275b8062e9eb5..1ef35aea134d09 100644
--- a/ee/spec/lib/gitlab/checks/integrations/git_guardian_check_spec.rb
+++ b/ee/spec/lib/gitlab/checks/integrations/git_guardian_check_spec.rb
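Review bot: `return if skip_secret_detection?` in `validate!` bypasses a security control without leaving any trace, so someone reviewing a push later cannot tell whether the scan ran or was skipped at the pusher's request. Log the skip before returning, using the same `logger` that the next line already hands `LOG_MESSAGE` to via `log_timed` (the plain-message method of that logger is not visible in this hunk), so the bypass shows up in the checks log next to the scans that did run. The rest of `validate!` lies outside the hunk.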
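Review bot: `skip_secret_detection?` turns the flag on any single commit into a bypass for the whole push: `validate!` returns before `changed_blobs` is called, so blobs introduced by the other, unflagged commits in the same push are not scanned either. If that is the intended granularity, state it above the method, `# A flag on any commit in the push skips the scan for every blob in the push.`; if it is not, the flagged commits would need to be excluded from the scan rather than short-circuiting it. No capture is used, so `SPECIAL_COMMIT_FLAG.match?(commit.safe_message)` reads better than `=~`, which builds a MatchData per commit. The `revisions` method is cut off at `.changes` by the hunk.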
@@ -91,6 +91,16 @@
 expect { git_guardian_check.validate! }
 .to raise_error(::Gitlab::GitAccess::ForbiddenError, policy_breaks_message)
 end
+
+ context 'when a commit contains a special flag' do
+ it 'does not raise an error' do
+ allow(changes_access.commits.first).to receive(:safe_message).and_return(
+ "#{changes_access.commits.first.safe_message}\n[skip secret detection]"
+ )
+
+ expect { git_guardian_check.validate! }.not_to raise_error
+ end
+ end
 end
 end
 end
-- GitLab
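Review bot: The new example only checks that `validate!` does not raise; it never asserts that the scan was actually skipped, so a regression that still calls GitGuardian but swallows the failure would pass unchanged. Add an expectation that the scan is not performed (whatever double the surrounding `context` already uses to produce the policy breaks, which is not visible in this hunk) alongside `.not_to raise_error`. A second case with the flag on a commit other than `first`, and one written as `[SKIP SECRET DETECTION]`, would pin the any-commit semantics and the `/i` flag of `SPECIAL_COMMIT_FLAG`. The enclosing `describe`/`context` blocks start outside the hunk.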