Update Secret Detection template

Changelog: changed

lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml

@@ -30,24 +30,49 @@ secret_detection:
     - if: $CI_COMMIT_BRANCH
   script:
     - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
-    - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
+    # Historic scan
     - |
-      # we don't need the whole history when excluding in the next `git fetch` line,
-      # so git depth=1
-      git fetch origin --depth=1 $CI_DEFAULT_BRANCH
-      # shallow clone $CI_COMMIT_REF_NAME to get commits associated with MR or push
-      git fetch --shallow-exclude=${CI_DEFAULT_BRANCH} origin $CI_COMMIT_REF_NAME
-      # determine what commits we need to scan using "git log A..B"
-      git log --no-merges --pretty=format:"%H" refs/remotes/origin/${CI_DEFAULT_BRANCH}..refs/remotes/origin/${CI_COMMIT_REF_NAME} >${CI_COMMIT_SHA}_commit_list.txt
+      if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]
+      then
+        echo "historic scan"
+        git fetch --unshallow origin $CI_COMMIT_REF_NAME
+        /analyzer run
+        exit
+      fi
+    # Default branch scan
+    - if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit; fi
+    # Push event
+    - |
+      if [ "$CI_COMMIT_BEFORE_SHA" == "0000000000000000000000000000000000000000" ];
+      then
+        # first commit on a new branch
+        echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
+        git fetch --depth=2 origin $CI_COMMIT_REF_NAME
+      else
+        # determine commit range so that we can fetch the appropriate depth
+        set +e # ignore exit on failure
+        git log --no-merges --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
+
+        # check the exit code of the previous command to determine if we need to limit the commit_list.txt to CI_COMMIT_SHA.
+        if [ $? -ne 0 ];
+        then
+          echo "unable to determine commit range, limiting to ${CI_COMMIT_SHA}"
+          echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
+        else
+          # append newline to to list since `git log` does not end with a
+          # newline, this is to keep the log messages consistent
+          echo >> ${CI_COMMIT_SHA}_commit_list.txt
+        fi
 
-      # we need to extend the git fetch depth to the number of commits + 2 for the following reasons:
-      # because busybox wc only counts \n and there is no trailing \n (+1)
-      # include the parent commit of the base commit in this MR/Push event. This is needed because
-      # `git diff -p` needs something to compare changes in that commit against (+1)
-      git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 2)) origin $CI_COMMIT_REF_NAME
+        # re-enable exit on failure
+        set -e
 
-      # +1 because busybox wc only counts \n and there is no trailing \n
-      echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) commits"
+        # we need to extend the git fetch depth to the number of commits + 1 for the following reasons:
+        # to include the parent commit of the base commit in this MR/Push event. This is needed because
+        # `git diff -p` needs something to compare changes in that commit against
+        git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) origin $CI_COMMIT_REF_NAME
+      fi
+      echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt))) commits for a push event"
       export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
     - /analyzer run
     - rm "$CI_COMMIT_SHA"_commit_list.txt