From e5b10f3c044a8992907f2dcc598123d798be9c7e Mon Sep 17 00:00:00 2001
From: Serena Fang <sfang@gitlab.com>
Date: Mon, 15 Apr 2024 11:01:51 +0000
Subject: [PATCH] Add skip secret detection audit event

WIP, need MR id

Changelog: added
EE: true
---
 doc/administration/audit_event_types.md       |  6 ++++++
 ee/app/models/ee/application_setting.rb       |  3 ++-
 .../skip_pre_receive_secret_detection.yml     | 10 ++++++++++
 ee/lib/gitlab/checks/secrets_check.rb         | 19 ++++++++++++++++++-
 .../gitlab/secrets_check_shared_examples.rb   |  5 +++++
 locale/gitlab.pot                             |  6 ++++++
 6 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 ee/config/audit_events/types/skip_pre_receive_secret_detection.yml

diff --git a/doc/administration/audit_event_types.md b/doc/administration/audit_event_types.md
index 063413407a113..e40fa7f619f82 100644
--- a/doc/administration/audit_event_types.md
+++ b/doc/administration/audit_event_types.md
@@ -390,6 +390,12 @@ Audit event types belong to the following product categories.
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
 | [`set_runner_associated_projects`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97666) | Event triggered on successful assignment of associated projects to a CI runner| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.4](https://gitlab.com/gitlab-org/gitlab/-/issues/359958) | User |
 
+### Secret detection
+
+| Name | Description | Saved to database | Streamed | Introduced in | Scope |
+|:------------|:------------|:------------------|:---------|:--------------|:--------------|
+| [`skip_pre_receive_secret_detection`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147855) | Triggered when pre-receive secret detection is skipped by the user| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/441185) | Project |
+
 ### Security policy management
 
 | Name | Description | Saved to database | Streamed | Introduced in | Scope |
diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb
index 7977f148868fe..0f56716e73930 100644
--- a/ee/app/models/ee/application_setting.rb
+++ b/ee/app/models/ee/application_setting.rb
@@ -186,7 +186,8 @@ module ApplicationSetting
         if: :email_confirmation_setting_soft?
 
       validates :pre_receive_secret_detection_enabled,
-        inclusion: { in: [true, false], message: N_('must be a boolean value') }
+        inclusion: { in: [true, false], message: N_('must be a boolean value') },
+        if: :gitlab_dedicated_instance
 
       validates :instance_level_ai_beta_features_enabled,
         allow_nil: false,
diff --git a/ee/config/audit_events/types/skip_pre_receive_secret_detection.yml b/ee/config/audit_events/types/skip_pre_receive_secret_detection.yml
new file mode 100644
index 0000000000000..832cf96a4a8cf
--- /dev/null
+++ b/ee/config/audit_events/types/skip_pre_receive_secret_detection.yml
@@ -0,0 +1,10 @@
+---
+name: skip_pre_receive_secret_detection
+description: Triggered when pre-receive secret detection is skipped by the user
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/441185
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147855
+feature_category: secret_detection
+milestone: '16.11'
+saved_to_database: true
+streamed: true
+scope: [Project]
diff --git a/ee/lib/gitlab/checks/secrets_check.rb b/ee/lib/gitlab/checks/secrets_check.rb
index aca17149d6164..d2eb292e6deb0 100644
--- a/ee/lib/gitlab/checks/secrets_check.rb
+++ b/ee/lib/gitlab/checks/secrets_check.rb
@@ -48,7 +48,10 @@ def validate!
         return unless project.licensed_feature_available?(:pre_receive_secret_detection)
 
         # Skip if any commit has the special bypass flag `[skip secret detection]`
-        return if skip_secret_detection?
+        if skip_secret_detection?
+          log_audit_event(_("commit message"))
+          return
+        end
 
         logger.log_timed(LOG_MESSAGES[:secrets_check]) do
           blobs = ::Gitlab::Checks::ChangedBlobs.new(
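Review bot: `log_audit_event(_("commit message"))` passes a translated string as the skip-method label, so the persisted audit message depends on whatever locale `_()` resolves against at push time (presumably the pushing user's), and the same event would appear under different texts to admins or a streaming consumer. `log_audit_event` in the next hunk wraps its prefix in `_()` as well, and the new example in `secrets_check_shared_examples.rb` pins the English text, which only holds for the default locale. Audit messages are records rather than UI, so both should be plain untranslated strings: `log_audit_event("commit message")` here and `message = "Pre-receive secret detection skipped via #{skip_method}"` in `log_audit_event`, which also removes the need for the two new `gitlab.pot` entries. `validate!` begins outside the hunk.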
@@ -83,6 +86,20 @@ def secret_detection_logger
         @secret_detection_logger ||= ::Gitlab::SecretDetectionLogger.build
       end
 
+      def log_audit_event(skip_method)
+        message = "#{_('Pre-receive secret detection skipped via')} #{skip_method}"
+
+        audit_context = {
+          name: "skip_pre_receive_secret_detection",
+          author: changes_access.user_access.user,
+          target: project,
+          scope: project,
+          message: message
+        }
+
+        ::Gitlab::Audit::Auditor.audit(audit_context)
+      end
+
       def format_response(response)
         # Try to retrieve file path and commit sha for the blobs found.
         if [
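Review bot: `log_audit_event` records that detection was bypassed but not which commit carried the `[skip secret detection]` flag, so the event cannot be tied back to the push contents when it is reviewed later. If the commit(s) matched by `skip_secret_detection?` (its implementation is outside the hunk) are reachable here, including their SHAs in the context under `additional_details:` would make the event attributable. `author:` is taken from `changes_access.user_access.user` and assumed non-nil; whether a push can reach this check without a user is not visible here, so worth confirming. The method also has no comment; a one-liner such as `# Emits a project-scoped audit event recording that pre-receive secret detection was bypassed; skip_method names the bypass mechanism used.` would help the next reader.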
diff --git a/ee/spec/support/shared_examples/lib/gitlab/secrets_check_shared_examples.rb b/ee/spec/support/shared_examples/lib/gitlab/secrets_check_shared_examples.rb
index 8ea908f3aa8e2..36dafb1c008fa 100644
--- a/ee/spec/support/shared_examples/lib/gitlab/secrets_check_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/secrets_check_shared_examples.rb
@@ -1009,4 +1009,9 @@
       expect { subject.validate! }.not_to raise_error
     end
   end
+
+  it 'creates an audit event' do
+    expect { subject.validate! }.to change { AuditEvent.count }.by(1)
+    expect(AuditEvent.last.details[:custom_message]).to eq("Pre-receive secret detection skipped via commit message")
+  end
 end
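Review bot: The new example asserts only `details[:custom_message]`, so an audit event with the right text but the wrong author or target would still pass; adding an expectation on `AuditEvent.last.author_id` against the pushing user (whatever the shared examples call it) would pin the attribution an audit trail exists for. The example is appended at the very end of the file, and whether the enclosing group sets up a commit carrying the bypass flag is outside the hunk, so confirm it sits inside the skip context rather than relying on the group's default setup. Asserting the exact English message also couples the spec to the default locale as long as the message is built with `_()`.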
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 14a53a192e3ca..cbe9612a67e37 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -38262,6 +38262,9 @@ msgstr ""
 msgid "Pre-defined push rules"
 msgstr ""
 
+msgid "Pre-receive secret detection skipped via"
+msgstr ""
+
 msgid "PreScanVerification|(optional)"
 msgstr ""
 
@@ -60388,6 +60391,9 @@ msgstr[1] ""
 msgid "commit %{commit_id}"
 msgstr ""
 
+msgid "commit message"
+msgstr ""
+
 msgid "committed"
 msgstr ""
 
-- 
GitLab