diff --git a/db/docs/ci_runner_namespaces.yml b/db/docs/ci_runner_namespaces.yml index e6d4693e58c..b8450c8e790 100644 --- a/db/docs/ci_runner_namespaces.yml +++ b/db/docs/ci_runner_namespaces.yml @@ -8,3 +8,5 @@ description: Relationships between runners and namespaces for group runners introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/1549239849adf31a078be7503ab2288795e337cf milestone: '10.8' gitlab_schema: gitlab_ci +sharding_key: + namespace_id: namespaces diff --git a/doc/administration/secure_files.md b/doc/administration/secure_files.md index f311f40d9df..b977fcf4bbb 100644 --- a/doc/administration/secure_files.md +++ b/doc/administration/secure_files.md @@ -10,7 +10,6 @@ DETAILS: **Tier:** Free, Premium, Ultimate **Offering:** Self-managed -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](feature_flags.md) named `ci_secure_files`. Disabled by default. > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed. You can securely store up to 100 files for use in CI/CD pipelines as secure files. diff --git a/doc/subscriptions/gitlab_com/index.md b/doc/subscriptions/gitlab_com/index.md index b50f920d891..21c53c52491 100644 --- a/doc/subscriptions/gitlab_com/index.md +++ b/doc/subscriptions/gitlab_com/index.md @@ -143,8 +143,6 @@ For example: ### Export seat usage -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/262877) in GitLab 14.2. - To export seat usage data as a CSV file: 1. On the left sidebar, select **Search or go to** and find your group. 
@@ -453,8 +451,6 @@ state for all projects is removed, and their excess usage is deducted from the a #### For your group namespace -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5789) in GitLab 14.6. - If you're using GitLab.com, you can purchase additional storage so your pipelines aren't blocked after you have used all your storage from your main quota. You can find pricing for additional storage on the diff --git a/doc/user/application_security/secret_detection/pipeline/index.md b/doc/user/application_security/secret_detection/pipeline/index.md index 42cc4b470f0..724243b1182 100644 --- a/doc/user/application_security/secret_detection/pipeline/index.md +++ b/doc/user/application_security/secret_detection/pipeline/index.md 
@@ -96,6 +96,26 @@ can take a long time, especially for larger repositories with lengthy Git histor completing an initial full history scan, use only standard Pipeline Secret Detection as part of your pipeline. +## Advanced vulnerability tracking + +DETAILS: +**Tier:** Ultimate +**Offering:** GitLab.com, Self-managed, GitLab Dedicated + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/434096) in GitLab 17.0. + +When developers make changes to a file with identified secrets, it's likely that the positions of these secrets will also change. The Secret Detection analyzer may have already flagged these secrets as vulnerabilities, tracked in the [Vulnerability Report](../../vulnerability_report/index.md). These vulnerabilities are associated with specific secrets for easy identification and action. However, if the detected secrets aren't accurately tracked as they shift, managing vulnerabilities becomes challenging, potentially resulting in duplicate vulnerability reports. + +GitLab Secret Detection uses an advanced vulnerability tracking algorithm to more accurately identify when the same secret has moved within a file due to refactoring or unrelated changes. + +For more information, see the confidential project `https://gitlab.com/gitlab-org/security-products/post-analyzers/tracking-calculator`. The content of this project is available only to GitLab team members. + +### Unsupported workflows + +- The algorithm does not support the workflow where the existing finding lacks a tracking signature and does not share the same location as the newly detected finding. +- For certain rule types like Cryptographic Keys, the Secret Detection identifies leaks by matching the prefix of the secret rather than the entire secret value. In this scenario, the algorithm consolidates different secrets of the same rule type in a file into a single finding, rather than treating each distinct secret as a separate finding. 
For example, the [SSH Private Key rule type](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/d2919f65f1d8001755015b5d790af620676b97ea/gitleaks.toml#L138) matches only the `-----BEGIN OPENSSH PRIVATE KEY-----` prefix of a value to confirm the presence of a SSH private key. If there are two distinct SSH Private Keys within the same file, the algorithm considers both values as identical and reports only one finding instead of two. +- The algorithm's scope is limited to a per-file basis, meaning that the same secret appearing in two different files is treated as two distinct findings. + ## Configuration ### Requirements diff --git a/spec/lib/gitlab/database/sharding_key_spec.rb b/spec/lib/gitlab/database/sharding_key_spec.rb index fd5f3db211c..303f6703f07 100644 --- a/spec/lib/gitlab/database/sharding_key_spec.rb +++ b/spec/lib/gitlab/database/sharding_key_spec.rb @@ -28,6 +28,7 @@ RSpec.describe 'new tables missing sharding_key', feature_category: :cell do *['boards.project_id', 'boards.group_id'], *['bulk_import_exports.project_id', 'bulk_import_exports.group_id'], 'ci_pipeline_schedules.project_id', + 'ci_runner_namespaces.namespace_id', 'ci_sources_pipelines.project_id', 'ci_triggers.project_id', 'gpg_signatures.project_id',
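Review bot: the new `sharding_key` entry in `db/docs/ci_runner_namespaces.yml` points `namespace_id` at `namespaces` while the table stays in `gitlab_schema: gitlab_ci`, so a database-level foreign key cannot back this key across the CI/main database split; please confirm in the MR that the column is NOT NULL and that a loose foreign key (or an equivalent cleanup path) exists for `ci_runner_namespaces.namespace_id -> namespaces`, otherwise a deleted namespace can leave orphaned runner-to-namespace rows behind.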
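Review bot: with the 14.8 introduction line removed at the top of the `doc/administration/secure_files.md` hunk, the surviving history note still ends with "Feature flag `ci_secure_files` removed" even though the page no longer says such a flag ever existed; either drop the flag clause, e.g. `> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7.`, or keep a short mention of the flag so the remaining sentence is self-explanatory.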
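Review bot: the second bullet under `### Unsupported workflows` in `doc/user/application_security/secret_detection/pipeline/index.md` has a remediation consequence the text should spell out: because two distinct SSH private keys in one file collapse into a single finding, resolving or dismissing that finding can leave the second key unrotated, so add a sentence telling users to review every matching secret in the file before closing the finding. Smaller points in the same hunk: "the presence of a SSH private key" should read "an SSH private key"; "the Secret Detection identifies leaks" reads better as "Secret Detection identifies leaks"; and the first bullet would be clearer if it said what the algorithm does in that workflow (for example, whether the new detection is reported as a separate finding) rather than only that the workflow is unsupported.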
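Review bot: the list receiving `'ci_runner_namespaces.namespace_id'` in `spec/lib/gitlab/database/sharding_key_spec.rb` is an allow-list whose name lies outside the hunk context, so the diff does not show which check this entry exempts or why the new sharding key needs the exemption; reference the tracking issue in the MR description or add a short comment next to the entry. The alphabetical placement between `'ci_pipeline_schedules.project_id'` and `'ci_sources_pipelines.project_id'` is correct.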