Merge branch 'secret-detection-audit-events' into 'master'

Add pre-receive secret detection audit events See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147855 Merged-by: Sashi Kumar Kumaresan <skumar@gitlab.com> Approved-by: Ian Anderson <ianderson@gitlab.com> Approved-by: Sashi Kumar Kumaresan <skumar@gitlab.com> Reviewed-by: Ian Anderson <ianderson@gitlab.com> Co-authored-by: Serena Fang <sfang@gitlab.com>

Merge branch 'secret-detection-audit-events' into 'master'
bf77de51 · Sashi Kumar Kumaresan · GitLab · 8edacf6e · e5b10f3c · bf77de51
--- a/doc/administration/audit_event_types.md
+++ b/doc/administration/audit_event_types.md
@@ -390,6 +390,12 @@ Audit event types belong to the following product categories.
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
 | [`set_runner_associated_projects`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97666) | Event triggered on successful assignment of associated projects to a CI runner| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.4](https://gitlab.com/gitlab-org/gitlab/-/issues/359958) | User |

+### Secret detection
+
+| Name | Description | Saved to database | Streamed | Introduced in | Scope |
+|:------------|:------------|:------------------|:---------|:--------------|:--------------|
+| [`skip_pre_receive_secret_detection`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147855) | Triggered when pre-receive secret detection is skipped by the user| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/441185) | Project |
+
 ### Security policy management

 | Name | Description | Saved to database | Streamed | Introduced in | Scope |

--- a/ee/app/models/ee/application_setting.rb
+++ b/ee/app/models/ee/application_setting.rb
@@ -186,7 +186,8 @@ module ApplicationSetting
        if: :email_confirmation_setting_soft?

      validates :pre_receive_secret_detection_enabled,
-        inclusion: { in: [true, false], message: N_('must be a boolean value') }
+        inclusion: { in: [true, false], message: N_('must be a boolean value') },
+        if: :gitlab_dedicated_instance

      validates :instance_level_ai_beta_features_enabled,
        allow_nil: false,

--- a/ee/config/audit_events/types/skip_pre_receive_secret_detection.yml
+++ b/ee/config/audit_events/types/skip_pre_receive_secret_detection.yml
+---
+name: skip_pre_receive_secret_detection
+description: Triggered when pre-receive secret detection is skipped by the user
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/441185
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147855
+feature_category: secret_detection
+milestone: '16.11'
+saved_to_database: true
+streamed: true
+scope: [Project]
--- a/ee/lib/gitlab/checks/secrets_check.rb
+++ b/ee/lib/gitlab/checks/secrets_check.rb
@@ -48,7 +48,10 @@ def validate!
        return unless project.licensed_feature_available?(:pre_receive_secret_detection)

        # Skip if any commit has the special bypass flag `[skip secret detection]`
-        return if skip_secret_detection?
+        if skip_secret_detection?
+          log_audit_event(_("commit message"))
+          return
+        end

        logger.log_timed(LOG_MESSAGES[:secrets_check]) do
          blobs = ::Gitlab::Checks::ChangedBlobs.new(
@@ -83,6 +86,20 @@ def secret_detection_logger
        @secret_detection_logger ||= ::Gitlab::SecretDetectionLogger.build
      end

+      def log_audit_event(skip_method)
+        message = "#{_('Pre-receive secret detection skipped via')} #{skip_method}"
+
+        audit_context = {
+          name: "skip_pre_receive_secret_detection",
+          author: changes_access.user_access.user,
+          target: project,
+          scope: project,
+          message: message
+        }
+
+        ::Gitlab::Audit::Auditor.audit(audit_context)
+      end
+
      def format_response(response)
        # Try to retrieve file path and commit sha for the blobs found.
        if [

--- a/ee/spec/support/shared_examples/lib/gitlab/secrets_check_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/secrets_check_shared_examples.rb
@@ -1009,4 +1009,9 @@
      expect { subject.validate! }.not_to raise_error
    end
  end
+
+  it 'creates an audit event' do
+    expect { subject.validate! }.to change { AuditEvent.count }.by(1)
+    expect(AuditEvent.last.details[:custom_message]).to eq("Pre-receive secret detection skipped via commit message")
+  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -38265,6 +38265,9 @@ msgstr ""
 msgid "Pre-defined push rules"
 msgstr ""
  
+msgid "Pre-receive secret detection skipped via"
+msgstr ""
+
 msgid "PreScanVerification|(optional)"
 msgstr ""
  
@@ -60391,6 +60394,9 @@ msgstr[1] ""
 msgid "commit %{commit_id}"
 msgstr ""
  
+msgid "commit message"
+msgstr ""
+
 msgid "committed"
 msgstr ""