Split secret detection into default and non-default branches jobs

changelogs/unreleased/36860-secret-detection-branch-job.yml

+---
+title: Add default and non-default branch jobs for secret detection
+merge_request: 36570
+author:
+type: added

lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml

@@ -8,17 +8,33 @@ variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
   SECRETS_ANALYZER_VERSION: "3"
 
-secret_detection:
+.secret-analyzer:
   stage: test
   image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
   services: []
-  rules:
-    - if: $SECRET_DETECTION_DISABLED
-      when: never
-    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsecret_detection\b/
-      when: on_success
   artifacts:
     reports:
       secret_detection: gl-secret-detection-report.json
+
+secret_detection_default_branch:
+  extends: .secret-analyzer
+  rules:
+    - if: $SECRET_DETECTION_DISABLED
+      when: never
+    - if: $CI_DEFAULT_BRANCH == $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsecret_detection\b/
+  script:
+    - /analyzer run
+
+secret_detection:
+  extends: .secret-analyzer
+  rules:
+    - if: $SECRET_DETECTION_DISABLED
+      when: never
+    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsecret_detection\b/
   script:
+    - git fetch origin $CI_DEFAULT_BRANCH $CI_BUILD_REF_NAME
+    - export SECRET_DETECTION_COMMIT_TO=$(git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_BUILD_REF_NAME | tail -n 1)
+    - export SECRET_DETECTION_COMMIT_FROM=$CI_COMMIT_SHA
     - /analyzer run