Remove secret_detection job from vendored SAST CI template

.gitlab/ci/reports.gitlab-ci.yml

@@ -81,7 +81,13 @@ nodejs-scan-sast:
 secrets-sast:
   extends: .sast
   image:
-    name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
+    name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:3"
+  artifacts:
+    paths:
+      - gl-secret-detection-report.json  # GitLab-specific
+    reports:
+      sast: gl-secret-detection-report.json
+    expire_in: 1 week  # GitLab-specific
 
 # We need to duplicate this job's definition because it seems it's impossible to
 # override an included `only.refs`.

changelogs/unreleased/234011-remove-secret-sast-from-sast-template.yml

+---
+title: Remove secret_detection job from vendored SAST CI template
+merge_request: 40028
+author:
+type: removed

doc/user/application_security/sast/analyzers.md

@@ -28,7 +28,6 @@ SAST supports the following official analyzers:
 - [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (NodeJsScan)
 - [`phpcs-security-audit`](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP CS security-audit)
 - [`pmd-apex`](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (PMD (Apex only))
-- [`secrets`](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) (Secrets (Gitleaks & TruffleHog secret detectors))
 - [`security-code-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (Security Code Scan (.NET))
 - [`sobelow`](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (Sobelow (Elixir Phoenix))
 - [`spotbugs`](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) (SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT))

doc/user/application_security/sast/index.md

@@ -65,7 +65,6 @@ The following table shows which languages, package managers and frameworks are s
 |--------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | .NET Core                                                                                                                                        | [Security Code Scan](https://security-code-scan.github.io)                                                    | 11.0, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3                                          |
 | .NET Framework                                                                                                                                   | [Security Code Scan](https://security-code-scan.github.io)                                                    | 13.0, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3                                          |
-| Any                                                                                                                                              | [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog)   | 11., [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3                                           |
 | Apex (Salesforce)                                                                                                                                | [PMD](https://pmd.github.io/pmd/index.html)                                                                   | 12.1, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3                                          |
 | C/C++                                                                                                                                            | [Flawfinder](https://github.com/david-a-wheeler/flawfinder)                                                   | 10.7, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3                                          |
 | Elixir (Phoenix)                                                                                                                                 | [Sobelow](https://github.com/nccgroup/sobelow)                                                                | 11.10, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3                                         |
@@ -340,11 +339,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
 | `SAST_BANDIT_EXCLUDED_PATHS`  |                          | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'`                                                  |
 | `SAST_BRAKEMAN_LEVEL`         | 1                        | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High.                                                                                                                                        |
 | `SAST_FLAWFINDER_LEVEL`       | 1                        | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk.                                                                                                                                  |
-| `SAST_GITLEAKS_ENTROPY_LEVEL` | 8.0                      | Minimum entropy for secret detection. Float, 0.0 = low, 8.0 = high.                                                                                                                                                         |
 | `SAST_GOSEC_LEVEL`            | 0                        | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High.                                                                                                                   |
-| `SAST_GITLEAKS_COMMIT_FROM`   |                          | The commit a Gitleaks scan starts at.                                                                                                                                                                                       |
-| `SAST_GITLEAKS_COMMIT_TO`     |                          | The commit a Gitleaks scan ends at.                                                                                                                                                                                         |
-| `SAST_GITLEAKS_HISTORIC_SCAN` | `false`                  | Flag to enable a historic Gitleaks scan.                                                                                                                                                                                    |
 
 #### Docker-in-Docker orchestrator
 
@@ -543,7 +538,6 @@ registry.gitlab.com/gitlab-org/security-products/analyzers/kubesec:2
 registry.gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan:2
 registry.gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit:2
 registry.gitlab.com/gitlab-org/security-products/analyzers/pmd-apex:2
-registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:2
 registry.gitlab.com/gitlab-org/security-products/analyzers/security-code-scan:2
 registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:2
 registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2

ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb

@@ -36,28 +36,27 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
           using RSpec::Parameterized::TableSyntax
 
           where(:case_name, :files, :variables, :include_build_names) do
-            'No match'             | { 'README.md' => '' }                | {}                                        | %w(secrets-sast)
-            'Apex'                 | { 'app.cls' => '' }                  | {}                                        | %w(pmd-apex-sast secrets-sast)
-            'C'                    | { 'app.c' => '' }                    | {}                                        | %w(flawfinder-sast secrets-sast)
-            'C++'                  | { 'app.cpp' => '' }                  | {}                                        | %w(flawfinder-sast secrets-sast)
-            'C#'                   | { 'app.csproj' => '' }               | {}                                        | %w(security-code-scan-sast secrets-sast)
-            'Elixir'               | { 'mix.exs' => '' }                  | {}                                        | %w(sobelow-sast secrets-sast)
-            'Golang'               | { 'main.go' => '' }                  | {}                                        | %w(gosec-sast secrets-sast)
-            'Groovy'               | { 'app.groovy' => '' }               | {}                                        | %w(spotbugs-sast secrets-sast)
-            'Java'                 | { 'app.java' => '' }                 | {}                                        | %w(spotbugs-sast secrets-sast)
-            'Javascript'           | { 'app.js' => '' }                   | {}                                        | %w(eslint-sast secrets-sast)
-            'JSX'                  | { 'app.jsx' => '' }                  | {}                                        | %w(eslint-sast secrets-sast)
-            'Javascript Node'      | { 'package.json' => '' }             | {}                                        | %w(nodejs-scan-sast secrets-sast)
-            'HTML'                 | { 'index.html' => '' }               | {}                                        | %w(eslint-sast secrets-sast)
-            'Kubernetes Manifests' | { 'Chart.yaml' => '' }               | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast secrets-sast)
-            'Multiple languages'   | { 'app.java' => '', 'app.js' => '' } | {}                                        | %w(eslint-sast spotbugs-sast secrets-sast)
-            'PHP'                  | { 'app.php' => '' }                  | {}                                        | %w(phpcs-security-audit-sast secrets-sast)
-            'Python'               | { 'app.py' => '' }                   | {}                                        | %w(bandit-sast secrets-sast)
-            'Ruby'                 | { 'config/routes.rb' => '' }         | {}                                        | %w(brakeman-sast secrets-sast)
-            'Scala'                | { 'app.scala' => '' }                | {}                                        | %w(spotbugs-sast secrets-sast)
-            'Typescript'           | { 'app.ts' => '' }                   | {}                                        | %w(eslint-sast secrets-sast)
-            'Typescript JSX'       | { 'app.tsx' => '' }                  | {}                                        | %w(eslint-sast secrets-sast)
-            'Visual Basic'         | { 'app.vbproj' => '' }               | {}                                        | %w(security-code-scan-sast secrets-sast)
+            'Apex'                 | { 'app.cls' => '' }                  | {}                                        | %w(pmd-apex-sast)
+            'C'                    | { 'app.c' => '' }                    | {}                                        | %w(flawfinder-sast)
+            'C++'                  | { 'app.cpp' => '' }                  | {}                                        | %w(flawfinder-sast)
+            'C#'                   | { 'app.csproj' => '' }               | {}                                        | %w(security-code-scan-sast)
+            'Elixir'               | { 'mix.exs' => '' }                  | {}                                        | %w(sobelow-sast)
+            'Golang'               | { 'main.go' => '' }                  | {}                                        | %w(gosec-sast)
+            'Groovy'               | { 'app.groovy' => '' }               | {}                                        | %w(spotbugs-sast)
+            'Java'                 | { 'app.java' => '' }                 | {}                                        | %w(spotbugs-sast)
+            'Javascript'           | { 'app.js' => '' }                   | {}                                        | %w(eslint-sast)
+            'JSX'                  | { 'app.jsx' => '' }                  | {}                                        | %w(eslint-sast)
+            'Javascript Node'      | { 'package.json' => '' }             | {}                                        | %w(nodejs-scan-sast)
+            'HTML'                 | { 'index.html' => '' }               | {}                                        | %w(eslint-sast)
+            'Kubernetes Manifests' | { 'Chart.yaml' => '' }               | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast)
+            'Multiple languages'   | { 'app.java' => '', 'app.js' => '' } | {}                                        | %w(eslint-sast spotbugs-sast)
+            'PHP'                  | { 'app.php' => '' }                  | {}                                        | %w(phpcs-security-audit-sast)
+            'Python'               | { 'app.py' => '' }                   | {}                                        | %w(bandit-sast)
+            'Ruby'                 | { 'config/routes.rb' => '' }         | {}                                        | %w(brakeman-sast)
+            'Scala'                | { 'app.scala' => '' }                | {}                                        | %w(spotbugs-sast)
+            'Typescript'           | { 'app.ts' => '' }                   | {}                                        | %w(eslint-sast)
+            'Typescript JSX'       | { 'app.tsx' => '' }                  | {}                                        | %w(eslint-sast)
+            'Visual Basic'         | { 'app.vbproj' => '' }               | {}                                        | %w(security-code-scan-sast)
           end
 
           with_them do

lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

@@ -9,7 +9,7 @@ variables:
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
 
-  SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec"
+  SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec"
   SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
   SAST_ANALYZER_IMAGE_TAG: 2
   SAST_DISABLE_DIND: "true"
@@ -186,18 +186,6 @@ pmd-apex-sast:
       exists:
         - '**/*.cls'
 
-secrets-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$SAST_ANALYZER_IMAGE"
-  variables:
-    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
-  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $SAST_DEFAULT_ANALYZERS =~ /secrets/
-
 security-code-scan-sast:
   extends: .sast-analyzer
   image:

spec/services/ci/create_pipeline_service_spec.rb

@@ -513,7 +513,7 @@ RSpec.describe Ci::CreatePipelineService do
         it 'pull it from Auto-DevOps' do
           pipeline = execute_service
           expect(pipeline).to be_auto_devops_source
-          expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast secret_detection_default_branch secrets-sast test])
+          expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast secret_detection_default_branch test])
         end
       end