Merge branch 'update-sd-git-log' into 'master'

Update secret-detection git log command See merge request gitlab-org/gitlab!77722

Merge branch 'update-sd-git-log' into 'master'
Update secret-detection git log command See merge request gitlab-org/gitlab!77722
4ee3f688 · Mark Chao · 00c39d32 · 7c0576b5 · 4ee3f688 · 4ee3f688
Commit 4ee3f688 authored Jan 11, 2022 by Mark Chao
3 changed files
--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -136,16 +136,8 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
        it_behaves_like 'with different scan type' do
          let(:expected_configuration) do
            {
-              'secret-detection-0': {
+              'secret-detection-0': hash_including(
                rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
-                script:
-                  ['if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi',
-                   'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi',
-                   'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME',
-                   'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt',
-                   'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt',
-                   '/analyzer run',
-                   'rm "$CI_COMMIT_SHA"_commit_list.txt'],
                stage: 'test',
                image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
                services: [],
@@ -160,8 +152,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
                  SECRETS_ANALYZER_VERSION: '3',
                  SECRET_DETECTION_EXCLUDED_PATHS: '',
                  SECRET_DETECTION_HISTORIC_SCAN: 'false'
-                }
+                })
-              }
            }
          end
        end

--- a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
@@ -29,14 +29,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
        it 'returns prepared CI configuration with Secret Detection scans' do
          expected_configuration = {
            rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
-            script:
-              ['if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi',
-               'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi',
-               'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME',
-               'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt',
-               'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt',
-               '/analyzer run',
-               'rm "$CI_COMMIT_SHA"_commit_list.txt'],
            stage: 'test',
            image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
            services: [],
@@ -54,7 +46,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
            }
          }
-          expect(subject.deep_symbolize_keys).to eq(expected_configuration)
+          expect(subject.deep_symbolize_keys).to include(expected_configuration)
        end
      end

--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -29,8 +29,16 @@ secret_detection:
  script:
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
-    - git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
+    - |
-    - git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
+      git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
-    - export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt
+      git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt
+      if [[ $(wc -l <${CI_COMMIT_SHA}_commit_list.txt) -eq "0" ]]; then
+        # if git log produces 0 or 1 commits we should scan $CI_COMMIT_SHA only
+        export SECRET_DETECTION_COMMITS=$CI_COMMIT_SHA
+      else
+        # +1 because busybox wc only counts \n and there is no trailing \n
+        echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
+        export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
+      fi
    - /analyzer run
    - rm "$CI_COMMIT_SHA"_commit_list.txt