Diffstat (limited to 'doc/push_rules/push_rules.md')
-rw-r--r-- | doc/push_rules/push_rules.md | 148 |
1 files changed, 74 insertions, 74 deletions
diff --git a/doc/push_rules/push_rules.md b/doc/push_rules/push_rules.md index 425275a0370..c37853ffe81 100644 --- a/doc/push_rules/push_rules.md +++ b/doc/push_rules/push_rules.md @@ -14,10 +14,6 @@ GitLab already offers [protected branches](../user/project/protected_branches.md cases when you need some specific rules. Some common scenarios: preventing Git tag removal, or enforcing a special format for commit messages. -INFO: -Get access to push rules and more with a -[free 30-day trial of GitLab Ultimate](https://about.gitlab.com/free-trial/index.html?glm_source=docs.gitlab.com&glm_content=p-push-rules-docs). - Push rules are [pre-receive Git hooks](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) you can enable in a user-friendly interface. They are defined either: 
@@ -147,76 +143,80 @@ Feature.disable(:reject_unsigned_commits_by_gitlab) > Moved to GitLab Premium in 13.9. -Secrets such as credential files, SSH private keys, and other files containing secrets should never be committed to source control. -GitLab enables you to turn on a predefined denylist of files which can't be -pushed to a repository. The list stops those commits from reaching the remote repository. - -By selecting the checkbox *Prevent committing secrets to Git*, GitLab prevents -pushes to the repository when a file matches a regular expression as read from -[`files_denylist.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/checks/files_denylist.yml) (make sure you are at the right branch -as your GitLab version when viewing this file). - -NOTE: -Files already committed aren't restricted by this push rule. - -Below is an example list of what GitLab rejects with these regular expressions: - -```shell -##################### -# AWS CLI credential blobs -##################### -.aws/credentials -aws/credentials -homefolder/aws/credentials - -##################### -# Private RSA SSH keys -##################### -/ssh/id_rsa -/.ssh/personal_rsa -/config/server_rsa -id_rsa -.id_rsa - -##################### -# Private DSA SSH keys -##################### -/ssh/id_dsa -/.ssh/personal_dsa -/config/server_dsa -id_dsa -.id_dsa - -##################### -# Private ed25519 SSH keys -##################### -/ssh/id_ed25519 -/.ssh/personal_ed25519 -/config/server_ed25519 -id_ed25519 -.id_ed25519 - -##################### -# Private ECDSA SSH keys -##################### -/ssh/id_ecdsa -/.ssh/personal_ecdsa -/config/server_ecdsa -id_ecdsa -.id_ecdsa - -##################### -# Any file with .pem or .key extensions -##################### -*.pem -*.key - -##################### -# Any file ending with _history or .history extension -##################### -*.history -*_history -``` +Secrets, such as credential files and SSH private keys, should never be committed 
to a version control +system. In GitLab, you can use a predefined list of files to block those files from a +repository. Any merge request containing a file matching the list is blocked from being merged. +Files already committed to the repository are not restricted by this push rule. + +Files blocked by this rule are listed below. For a complete list of criteria, see +[`files_denylist.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/checks/files_denylist.yml). + +- AWS CLI credential blobs: + + - `.aws/credentials` + - `aws/credentials` + - `homefolder/aws/credentials` + +- Private RSA SSH keys: + + - `/ssh/id_rsa` + - `/.ssh/personal_rsa` + - `/config/server_rsa` + - `id_rsa` + - `.id_rsa` + +- Private DSA SSH keys: + + - `/ssh/id_dsa` + - `/.ssh/personal_dsa` + - `/config/server_dsa` + - `id_dsa` + - `.id_dsa` + +- Private ed25519 SSH keys: + + - `/ssh/id_ed25519` + - `/.ssh/personal_ed25519` + - `/config/server_ed25519` + - `id_ed25519` + - `.id_ed25519` + +- Private ECDSA SSH keys: + + - `/ssh/id_ecdsa` + - `/.ssh/personal_ecdsa` + - `/config/server_ecdsa` + - `id_ecdsa` + - `.id_ecdsa` + +- Any files ending with these suffixes: + + - `*.pem` + - `*.key` + - `*.history` + - `*_history` + +### Prevent pushing secrets to all projects + +To set a global push rule to prevent pushing secrets to all projects: + +1. On the top bar, select **Menu > Admin**. +1. On the left sidebar, select **Push Rules**. +1. Expand **Push rules**. +1. Select **Prevent pushing secret files**. +1. Select **Save push rules**. + +### Prevent pushing secrets to a project + +The push rule of a project overrides the global push rule. + +To prevent pushing secrets to a project: + +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Settings > Repository**. +1. Expand **Push rules**. +1. Select **Prevent pushing secret files**. +1. Select **Save push rules**. ## Prohibited file names |
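Review bot: the replacement paragraph in the second hunk states "Any merge request containing a file matching the list is blocked from being merged", which contradicts both the removed text ("GitLab prevents pushes to the repository when a file matches a regular expression") and the unchanged context earlier in the patch, which describes push rules as pre-receive Git hooks; the check rejects the push at receive time, and the new headings themselves say "Prevent pushing secrets". Suggest restoring the push-level wording, e.g. "GitLab rejects a push to the repository when a file matches a regular expression listed in `files_denylist.yml`", and keeping the dropped caveat about viewing that file on the branch that matches your GitLab version, since the denylist differs between releases. The sentence "Files blocked by this rule are listed below" also reads as if the list were complete while the next sentence points elsewhere for the complete criteria; "Examples of files blocked by this rule:" (matching the removed "Below is an example list") would avoid the contradiction, as would noting that the entries are patterns, not literal file names.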