Initial AutoDevops doc changes for Auto Secret

changelogs/unreleased/autodevops-secrets.yml

+---
+title: Add secret detection template to Auto DevOps
+merge_request: 34467
+author:
+type: changed

doc/topics/autodevops/index.md

@@ -85,6 +85,7 @@ project in a simple and automatic way:
 1. [Auto Test](stages.md#auto-test)
 1. [Auto Code Quality](stages.md#auto-code-quality-starter) **(STARTER)**
 1. [Auto SAST (Static Application Security Testing)](stages.md#auto-sast-ultimate) **(ULTIMATE)**
+1. [Auto Secret Detection](stages.md#auto-secret-detection-ultimate) **(ULTIMATE)**
 1. [Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate) **(ULTIMATE)**
 1. [Auto License Compliance](stages.md#auto-license-compliance-ultimate) **(ULTIMATE)**
 1. [Auto Container Scanning](stages.md#auto-container-scanning-ultimate) **(ULTIMATE)**

doc/topics/autodevops/quick_start_guide.md

@@ -182,6 +182,7 @@ The jobs are separated into stages:
     ([Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate)) **(ULTIMATE)**
   - Jobs suffixed with `-sast` run static analysis on the current code to check for potential
     security issues, and are allowed to fail ([Auto SAST](stages.md#auto-sast-ultimate)) **(ULTIMATE)**
+  - The `secret-detection` job checks for leaked secrets and is allowed to fail ([Auto Secret Detection](stages.md#auto-secret-detection-ultimate)) **(ULTIMATE)**
   - The `license_management` job searches the application's dependencies to determine each of their
     licenses and is allowed to fail
     ([Auto License Compliance](stages.md#auto-license-compliance-ultimate)) **(ULTIMATE)**

doc/topics/autodevops/stages.md

@@ -144,6 +144,22 @@ warnings.
 To learn more about [how SAST works](../../user/application_security/sast/index.md),
 see the documentation.
 
+## Auto Secret Detection **(ULTIMATE)**
+
+> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
+
+Secret Detection uses the
+[Secret Detection Docker image](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) to run Secret Detection on the current code, and checks for leaked secrets. The
+Auto Secret Detection stage runs only on the
+[Ultimate](https://about.gitlab.com/pricing/) tier, and requires
+[GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above.
+
+After creating the report, it's uploaded as an artifact which you can later
+download and evaluate. The merge request widget also displays any security
+warnings.
+
+To learn more, see [Secret Detection](../../user/application_security/secret_detection/index.md).
+
 ## Auto Dependency Scanning **(ULTIMATE)**
 
 > Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7.

doc/user/application_security/index.md

@@ -17,14 +17,15 @@ For an overview of application security with GitLab, see
 
 ## Quick start
 
-Get started quickly with Dependency Scanning, License Scanning, and Static Application Security
-Testing (SAST) by adding the following to your `.gitlab-ci.yml`:
+Get started quickly with Dependency Scanning, License Scanning, Static Application Security
+Testing (SAST), and Secret Detection by adding the following to your `.gitlab-ci.yml`:
 
 ```yaml
 include:
   - template: Dependency-Scanning.gitlab-ci.yml
   - template: License-Scanning.gitlab-ci.yml
   - template: SAST.gitlab-ci.yml
+  - template: Secret-Detection.gitlab-ci.yml
 ```
 
 To add Dynamic Application Security Testing (DAST) scanning, add the following to your
@@ -64,6 +65,19 @@ GitLab uses the following tools to scan and report known vulnerabilities found i
 | [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)**             | View vulnerabilities in all your projects and groups.                  |
 | [Static Application Security Testing (SAST)](sast/index.md) **(ULTIMATE)**   | Analyze source code for known vulnerabilities.                         |
 
+## Security Scanning with Auto DevOps
+
+When [Auto DevOps](../../topics/autodevops/) is enabled, all GitLab Security scanning tools will be configured using default settings.
+
+- [Auto SAST](../../topics/autodevops/stages.md#auto-sast-ultimate)
+- [Auto Secret Detection](../../topics/autodevops/stages.md#auto-secret-detection-ultimate)
+- [Auto DAST](../../topics/autodevops/stages.md#auto-dast-ultimate)
+- [Auto Dependency Scanning](../../topics/autodevops/stages.md#auto-dependency-scanning-ultimate)
+- [Auto License Compliance](../../topics/autodevops/stages.md#auto-license-compliance-ultimate)
+- [Auto Container Scanning](../../topics/autodevops/stages.md#auto-container-scanning-ultimate)
+
+While you cannot directly customize Auto DevOps, you can [include the Auto DevOps template in your project's `.gitlab-ci.yml` file](../../topics/autodevops/customize.md#customizing-gitlab-ciyml).
+
 ## Maintenance and update of the vulnerabilities database
 
 The scanning tools and vulnerabilities database are updated regularly.

doc/user/application_security/secret_detection/index.md

@@ -50,6 +50,10 @@ with a dollar sign (`$`) as this likely indicates the password being used is an
 variable. For example, `https://username:$password@example.com/path/to/repo` won't be
 detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
 
+NOTE: **Note:**
+You don't have to configure Secret Detection manually as shown in this section if you're using [Auto Secret Detection](../../../topics/autodevops/stages.md#auto-secret-detection-ultimate)
+provided by [Auto DevOps](../../../topics/autodevops/index.md).
+
 ## Full History Secret Scan
 
 GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality

lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml

@@ -13,6 +13,7 @@
 # * license_management: LICENSE_MANAGEMENT_DISABLED
 # * performance: PERFORMANCE_DISABLED
 # * sast: SAST_DISABLED
+# * secret_detection: SECRET_DETECTION_DISABLED
 # * dependency_scanning: DEPENDENCY_SCANNING_DISABLED
 # * container_scanning: CONTAINER_SCANNING_DISABLED
 # * dast: DAST_DISABLED
@@ -160,3 +161,4 @@ include:
   - template: Security/Dependency-Scanning.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
   - template: Security/License-Scanning.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
   - template: Security/SAST.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml