Secrets Detection in Gitlab does not fail my job

Question

In gitlab, I'm trying to enable secret detection, I got it to detect vulnerabilities, but it does not fail the job.

this is my ".gitlab-ci.yml" file:

include:
  - template: Security/Secret-Detection.gitlab-ci.yml

stages: 
  - test

secret_detection:
  tags:
    - secret
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json
  variables:
    SECRET_DETECTION_HISTORIC_SCAN: "true"

a part of the log (gl-secret-detection-report.json):

      "category": "secret_detection",
      "name": "Stripe",
      "message": "Stripe detected; please remove and revoke it if this is a leak.",
      "severity": "Critical",
      "confidence": "Unknown",
      "raw_source_code_extract": "pk_test_TYooMQauvdEDq54NiTphI7jx",
      "scanner": {
        "id": "gitleaks",
        "name": "Gitleaks"

but:

running on GitLab Enterprise Edition 14.0.0-ee, Starter plan

how do I get this job to fail on merge requst if it finds something on scan?

Answer 1

I was searching for the answer to this as well and it is (insanely to me) apparently by design, at least on free/premium tiers. I did not understand why the job succeeded when it detected a secret.

Here are some workarounds:

Fail the pipeline if Secret Detection finds vulnerabilities

GitLab Secret Detection which fails when vulnerabilities were found