Pre-receive secret detection
- Introduced in GitLab 16.7 as an Experiment for GitLab Dedicated customers.
Block secrets such as keys and API tokens from being pushed to your GitLab instance. Pre-receive secret detection is triggered when commits are pushed to any repository. If any secrets are detected, the push is blocked.
Pre-receive secret detection is an Experiment, and only available on GitLab Dedicated. To use secret detection in your instance, use pipeline secret detection instead.
Enable pre-receive secret detection
Prerequisites:
- You must be an administrator for your GitLab Dedicated instance.
- Sign in to your GitLab Dedicated instance as an administrator.
- On the left sidebar, at the bottom, select Admin Area.
- Select Settings > Security and Compliance.
- Expand Secret Detection.
- Select the Enable pre-receive secret detection checkbox.
Limitations
- This feature only scans non-binary blobs under 1 MiB in size. Binary blobs and blobs larger than 1 MiB are not scanned.
- The scan does not analyze the content of a commit if it is identical to the content of another file already present in the source code.
- The scan skips analyzing files that are renamed, deleted, or moved, unless their content is modified in the same commit.
- The feature does not analyze files that are introduced during a repository creation.
Resolve a blocked push
If the blocked secret was added with the most recent commit on your branch:
- Remove the secrets from the files.
- Stage the changes with
git add <file-name>
. - Modify the most recent commit to include the changed files with
git commit --amend
. - Push your changes with
git push
.
If the blocked secret appears earlier in your Git history:
- Identify the commit SHA from the push error message. If there are multiple, find the earliest using
git log
. - Use
git rebase -i <commit-sha>~1
to start an interactive rebase. - Mark the offending commits for editing by changing the
pick
command toedit
in the editor. - Remove the secrets from the files.
- Stage the changes with
git add <file-name>
. - Commit the changed files with
git commit --amend
. - Continue the rebase with
git rebase --continue
until all secrets are removed. - Push your changes with
git push
.
Skip secret detection
In some cases, it may be necessary to skip pre-receive secret detection. For example, a developer may need to commit a placeholder secret for testing, or a user may want to bypass secret detection due to a Git operation timeout. To skip secret detection for all commits in a push, add [skip secret detection]
to one of the commit messages. For example:
# These commits are in the same push. Both will not be scanned.
Add real secret by accident
Add placeholder token to test file [skip secret detection]
[skip secret detection]
in one of your commit messages.