Add secrets detection

.secretsignore

+# This file is for defining paths and secrets that will be ignored by ripsecret
+
+doc/*
+spec/*
+ee/spec/*
+qa/*
+*_spec.rb
+config/gitlab.yml.example
+workhorse/testdata/localhost.key
+db/fixtures/**/*.rb
+
+[secrets]
+AUTO_DEVOPS_DOMAIN
+BACKWARD_DIRECTION
+CI_BUILD_BEFORE_SHA
+CI_BUILD_REF_NAME
+CI_BUILD_REF_SLUG
+CI_COMMIT_BRANCH
+CI_COMMIT_REF_SLUG
+CI_DEFAULT_BRANCH
+CI_DEPLOY_FREEZE
+CI_DEPLOY_PASSWORD
+CI_ENVIRONMENT_SLUG
+CI_ENVIRONMENT_URL
+CI_GITLAB_FIPS_MODE
+CI_JOB_NAME_SLUG
+CI_JOB_STARTED_AT
+CI_PAGES_DOMAIN
+CI_PROJECT_NAME
+CI_PROJECT_PATH
+CI_PROJECT_PATH_SLUG
+CI_PROJECT_VISIBILITY
+CI_REGISTRY_IMAGE
+CI_REGISTRY_PASSWORD
+CI_REPOSITORY_URL
+CROWDIN_API_KEY
+DAST_API_PROFILE
+DAST_PASSWORD_BASE64
+DAST_SUBMIT_FIELD
+DAST_USERNAME_FIELD
+DORA_METRICS_KEYS
+ESCALATION_STATUS
+FIFTY_PACKAGE_FILES
+FORTY_PACKAGE_FILES
+FORWARD_DIRECTION
+GITLAB_FEATURES
+GITLAB_USER_EMAIL
+GITLAB_USER_LOGIN
+GITLAB_USER_NAME
+HARBOR_PASSWORD
+HARBOR_USERNAME
+KUBE_CA_PEM_FILE
+KUBE_SERVICE_ACCOUNT
+NAVSOURCE_VALUE
+ONE_HUNDRED_TAGS
+ONE_PACKAGE_FILE
+STAGING_ENABLED
+TEN_PACKAGE_FILES
+THIRTY_PACKAGE_FILES
+TRIGGER_PAYLOAD
+TWENTY_FIVE_TAGS
+TWENTY_PACKAGE_FILES
+YOUR-ACCESSKEYID
+YOUR-CLIENT-SECRET
+YOUR_AUTH0_CLIENT_SECRET
+sbdMsxcgW2Xs75Q2uHc9FhUCZSEV3fSg

lefthook.yml

@@ -79,3 +79,7 @@ pre-push:
       files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
       glob: 'data/removals/*.yml'
       run: echo "Changes to removals files detected. Checking removals..\n"; bundle exec rake gitlab:docs:check_removals
+    secrets-detection:
+      tags: secrets
+      files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
+      run: 'if command -v ripsecrets > /dev/null 2>&1; then ripsecrets --strict-ignore {files}; else echo "WARNING: ripsecrets is not installed. Please install it."; fi'