From 6e983e9d3d9663e3f954baaa4d3790b0d1de7f5b Mon Sep 17 00:00:00 2001 From: Ethan Urie Date: Fri, 7 Jun 2024 16:49:10 -0400 Subject: [PATCH 1/7] Add event tracking and metrics for skipping secret detection --- ee/lib/gitlab/checks/secrets_check.rb | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/ee/lib/gitlab/checks/secrets_check.rb b/ee/lib/gitlab/checks/secrets_check.rb index 744438e7b104f4..07362f4f46fc28 100644 --- a/ee/lib/gitlab/checks/secrets_check.rb +++ b/ee/lib/gitlab/checks/secrets_check.rb @@ -3,6 +3,8 @@ module Gitlab module Checks class SecretsCheck < ::Gitlab::Checks::BaseBulkChecker + include Gitlab::InternalEventsTracking + ERROR_MESSAGES = { failed_to_scan_regex_error: "\n - Failed to scan blob(id: %{blob_id}) due to regex error.", blob_timed_out_error: "\n - Scanning blob(id: %{blob_id}) timed out.", @@ -54,12 +56,14 @@ def validate! # Skip if any commit has the special bypass flag `[skip secret detection]` if skip_secret_detection_commit_message? - log_audit_event(_("commit message")) + log_audit_event(_("commit message")) # Keeping this a string so I18N picks it up + track_sd_skipped("commit message") return end if skip_secret_detection_push_option? - log_audit_event(_("push option")) + log_audit_event(_("push option")) # Keeping this a string so I18N picks it up + track_sd_skipped("push option") return end @@ -138,6 +142,18 @@ def log_audit_event(skip_method) ::Gitlab::Audit::Auditor.audit(audit_context) end + def track_sd_skipped(skip_method) + track_internal_event( + "skip_secret_detection_on_push", + user: changes_access.user_access.user, + project: project, + namespace: project.namespace, + additional_properties: { + label: skip_method + } + ) + end + def format_response(response) # Try to retrieve file path and commit sha for the blobs found. if [ -- GitLab From 77e4cf77beaf7d876ac2cdbe003ccd756e0bca78 Mon Sep 17 00:00:00 2001 
From: Ethan Urie Date: Mon, 10 Jun 2024 20:24:11 -0400 Subject: [PATCH 2/7] Revert accidental commit in secrets_check.rb --- ee/lib/gitlab/checks/secrets_check.rb | 20 ++------------------ 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/ee/lib/gitlab/checks/secrets_check.rb b/ee/lib/gitlab/checks/secrets_check.rb index 07362f4f46fc28..744438e7b104f4 100644 --- a/ee/lib/gitlab/checks/secrets_check.rb +++ b/ee/lib/gitlab/checks/secrets_check.rb @@ -3,8 +3,6 @@ module Gitlab module Checks class SecretsCheck < ::Gitlab::Checks::BaseBulkChecker - include Gitlab::InternalEventsTracking - ERROR_MESSAGES = { failed_to_scan_regex_error: "\n - Failed to scan blob(id: %{blob_id}) due to regex error.", blob_timed_out_error: "\n - Scanning blob(id: %{blob_id}) timed out.", @@ -56,14 +54,12 @@ def validate! # Skip if any commit has the special bypass flag `[skip secret detection]` if skip_secret_detection_commit_message? - log_audit_event(_("commit message")) # Keeping this a string so I18N picks it up - track_sd_skipped("commit message") + log_audit_event(_("commit message")) return end if skip_secret_detection_push_option? - log_audit_event(_("push option")) # Keeping this a string so I18N picks it up - track_sd_skipped("push option") + log_audit_event(_("push option")) return end @@ -142,18 +138,6 @@ def log_audit_event(skip_method) ::Gitlab::Audit::Auditor.audit(audit_context) end - def track_sd_skipped(skip_method) - track_internal_event( - "skip_secret_detection_on_push", - user: changes_access.user_access.user, - project: project, - namespace: project.namespace, - additional_properties: { - label: skip_method - } - ) - end - def format_response(response) # Try to retrieve file path and commit sha for the blobs found. if [ -- GitLab From 839f2e410a586c02d0123a0581a6baeaa5573135 Mon Sep 17 00:00:00 2001 
From: Ethan Urie Date: Tue, 11 Jun 2024 16:56:30 -0400 Subject: [PATCH 3/7] Add database metric for projects with SPP enabled --- ...h_secret_push_protection_enabled_metric.rb | 17 ++++++++++++++ ...ret_push_protection_enabled_metric_spec.rb | 23 +++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb create mode 100644 ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb
diff --git a/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb b/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb
new file mode 100644
index 00000000000000..b73308bd6f3aef
--- /dev/null
+++ b/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Usage
+ module Metrics
+ module Instrumentations
+ class CountProjectsWithSecretPushProtectionEnabledMetric < DatabaseMetric
+ operation :count
+
+ relation do
+ ProjectSecuritySetting.where(pre_receive_secret_detection_enabled: true)
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb
new file mode 100644
index 00000000000000..c6468e48516425
--- /dev/null
+++ b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb
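Review bot: The `relation` block counts every `ProjectSecuritySetting` row with the flag set and never consults the owning project, so rows belonging to archived or pending-deletion projects would presumably still be counted; worth confirming against how the other project-scoped count metrics in this directory are written. The class also carries no comment saying what it reports, and I would add `# Service Ping metric: number of projects whose Secret Push Protection (pre-receive secret detection) setting is enabled.` above the `class` line. If `DatabaseMetric` batches `count` over an id range via `start`/`finish` blocks, as other instrumentation classes appear to do, this one omits them and would run an unbatched count over the whole settings table — hedged, since the base class is not visible here.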
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Usage::Metrics::Instrumentations::CountProjectsWithSecretPushProtectionEnabledMetric, feature_category: :service_ping do
+ let(:project1) { create(:project) }
+ let(:project2) { create(:project) }
+ let(:project3) { create(:project) }
+ let(:project4) { create(:project) }
+
+ let(:expected_value) { 3 }
+
+ before do
+ project1.security_setting.pre_receive_secret_detection_enabled = true
+ project1.security_setting.save!
+ project3.security_setting.pre_receive_secret_detection_enabled = true
+ project3.security_setting.save!
+ project4.security_setting.pre_receive_secret_detection_enabled = true
+ project4.security_setting.save!
+ end
+
+ it_behaves_like 'a correct instrumented metric value', { time_frame: 'all', data_source: 'database' }
+end
-- GitLab From 4e826a62bed668fedc90af07ec1a5e352dad9318 Mon Sep 17 00:00:00 2001 From: Ethan Urie Date: Wed, 12 Jun 2024 13:40:39 +0000 Subject: [PATCH 4/7] Switch `let` to `let_it_be` --- ..._secret_push_protection_enabled_metric_spec.rb | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb
index c6468e48516425..1808574e1f4a7e 100644
--- a/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb
+++ b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb
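Review bot: `project2` is declared with a lazy `let` and is never referenced in the `before` block or anywhere else in the hunk, so it is never created and the spec contains no project that exists but is excluded from the count; `expected_value` of 3 would also pass against a relation that simply counted every settings row. Make the negative case real by giving it a row with the flag off, e.g. `project2.security_setting.update!(pre_receive_secret_detection_enabled: false)` inside `before`. Each assign-then-`save!` pair can likewise be one `update!` call.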
@@ -3,20 +3,13 @@ require 'spec_helper' RSpec.describe Gitlab::Usage::Metrics::Instrumentations::CountProjectsWithSecretPushProtectionEnabledMetric, feature_category: :service_ping do - let(:project1) { create(:project) } - let(:project2) { create(:project) } - let(:project3) { create(:project) } - let(:project4) { create(:project) } - let(:expected_value) { 3 } before do - project1.security_setting.pre_receive_secret_detection_enabled = true - project1.security_setting.save! - project3.security_setting.pre_receive_secret_detection_enabled = true - project3.security_setting.save! - project4.security_setting.pre_receive_secret_detection_enabled = true - project4.security_setting.save! + 3.times do + create(:project).security_setting.update!(pre_receive_secret_detection_enabled: true) + end + create(:project) end it_behaves_like 'a correct instrumented metric value', { time_frame: 'all', data_source: 'database' } -- GitLab From 174a07b1b325764d9fefaf1b77ccddfc3919dcc2 Mon Sep 17 00:00:00 2001 From: Ethan Urie Date: Wed, 12 Jun 2024 14:48:27 -0400 Subject: [PATCH 5/7] Add metric definition yaml file --- ...jects_with_secret_push_protection_enabled.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml diff --git a/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml b/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml new file mode 100644 index 00000000000000..de8af53f076407 --- /dev/null +++ b/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml 
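Review bot: The commit subject says `let` was switched to `let_it_be`, but the new body uses a plain `before` block with `create`, which rebuilds the four projects for every example; if one-time setup was the intent, `before_all` is the `let_it_be`-style equivalent here, though with a single `it_behaves_like` the cost difference is small. The control project is still created bare with `create(:project)` and its settings row never receives an explicit `pre_receive_secret_detection_enabled: false`, so the spec does not show that a disabled setting is excluded; `create(:project).security_setting.update!(pre_receive_secret_detection_enabled: false)` would pin that with `expected_value` unchanged at 3. The `describe` block's closing `end` lies outside the hunk.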
@@ -0,0 +1,16 @@
+data_category: optional
+key_path: counts.projects_with_secret_push_protection_enabled
+description: Count of projects with Secret Push Protection enabled
+product_group: secret_detection
+value_type: number
+status: active
+milestone: 17.1
+instrumentation_class: CountProjectsWithSecretPushProtectionEnabledMetric
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156076
+time_frame: all
+data_source: database
+distribution:
+- ee
+tier:
+- ultimate
+
-- GitLab From c27e063ec2cb18de792aa965018128935891371d Mon Sep 17 00:00:00 2001 From: Ethan Urie Date: Thu, 13 Jun 2024 11:59:31 -0400 Subject: [PATCH 6/7] Move metric definition file to ee/config/metrics since it's EE-only --- .../count_total_projects_with_secret_push_protection_enabled.yml | 1 - 1 file changed, 1 deletion(-) rename {config => ee/config}/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml (99%)
diff --git a/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml b/ee/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml
similarity index 99% rename from config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml rename to ee/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml
index de8af53f076407..0781c2e40f5a50 100644
--- a/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml
+++ b/ee/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml
@@ -13,4 +13,3 @@ distribution: - ee tier: - ultimate - -- GitLab From c72058412d43bafad31089bcd76327f72816cd35 Mon Sep 17 00:00:00 2001 From: Ethan Urie Date: Mon, 17 Jun 2024 10:20:42 -0400 Subject: [PATCH 7/7] Make the milestone value a string --- ...count_total_projects_with_secret_push_protection_enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
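Review bot: `key_path: counts.projects_with_secret_push_protection_enabled` does not match the file name `count_total_projects_with_secret_push_protection_enabled.yml`, and the two presumably need to agree for the metric to be located by either name; pick one, e.g. `key_path: counts.count_total_projects_with_secret_push_protection_enabled`, or rename the file. The `description` could also say what is counted at the row level, since the instrumentation class counts `ProjectSecuritySetting` rows rather than projects directly: `description: Count of projects whose Secret Push Protection (pre-receive secret detection) setting is enabled`. The file location and the unquoted `milestone` are already addressed by PATCH 6/7 and 7/7.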
diff --git a/ee/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml b/ee/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml index 0781c2e40f5a50..f9d46716a76e39 100644 --- a/ee/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml +++ b/ee/config/metrics/counts_all/count_total_projects_with_secret_push_protection_enabled.yml @@ -4,7 +4,7 @@ description: Count of projects with Secret Push Protection enabled product_group: secret_detection value_type: number status: active -milestone: 17.1 +milestone: "17.1" instrumentation_class: CountProjectsWithSecretPushProtectionEnabledMetric introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156076 time_frame: all -- GitLab