fix: limit security reports access to developer role or higher (3d4335fd) · Commits · to be continuous... / Node.js

README.md

+3 −3

Original line number	Diff line number	Diff line
		@@ -343,7 +343,7 @@ It is bound to the `test` stage.
		\| `audit-disabled` / `NODE_AUDIT_DISABLED` \| Set to `true` to disable npm audit \| _none_ (enabled) \|
		\| `audit-args` / `NODE_AUDIT_ARGS` \| npm [audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) arguments <br/> yarn [audit](https://classic.yarnpkg.com/en/docs/cli/audit) arguments <br/> pnpm [audit](https://pnpm.io/cli/audit) arguments \| `--audit-level=low` \|

		In addition to a textual report in the console, this job produces the following report, kept for one day:
		In addition to a textual report in the console, this job produces the following report, kept for one day and only available for download by users with the Developer role or higher:

		\| Report \| Format \| Usage \|
		\| ------------------------------------------------- \| ------------------------------------------------------------- \| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
		@@ -360,7 +360,7 @@ It is bound to the `test` stage.
		\| `outdated-disabled` / `NODE_OUTDATED_DISABLED` \| Set to `true` to disable npm outdated \| _none_ (enabled) \|
		\| `outdated-args` / `NODE_OUTDATED_ARGS` \| npm [outdated](https://docs.npmjs.com/cli/v8/commands/npm-outdated) arguments <br/> yarn [outdated](https://classic.yarnpkg.com/lang/en/docs/cli/outdated/) arguments <br/> pnpm [outdated](https://pnpm.io/cli/outdated) arguments \| `--long` \|

		The job generates an outdated report that you will find here: `NODE_PROJECT_DIR/reports/npm-outdated-report.json`.
		The job generates an outdated report that you will find here: `NODE_PROJECT_DIR/reports/npm-outdated-report.json`. This report is only available for download by users with the Developer role or higher

		### `node-semgrep` job

		@@ -384,7 +384,7 @@ It is bound to the `test` stage, and uses the following variables:
		> - the `--metrics` option is set to `off`,
		> - the `--disable-version-check` option is set.

		In addition to a textual report in the console, this job produces the following reports, kept for one week:
		In addition to a textual report in the console, this job produces the following reports, kept for one week and only available for download by users with the Developer role or higher:

		\| Report \| Format \| Usage \|
		\| ---------------------------------------------------- \| -------------------------------------------------------------------------------------------- \| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|

templates/gitlab-ci-node.yml

+3 −0

Original line number	Diff line number	Diff line
		@@ -731,6 +731,7 @@ node-audit:
		paths:
		- $NODE_PROJECT_DIR/reports/npm-audit.*
		expire_in: 1 day
		access: developer
		rules:
		# exclude if $NODE_AUDIT_DISABLED set
		- if: '$NODE_AUDIT_DISABLED == "true"'
		@@ -755,6 +756,7 @@ node-outdated:
		paths:
		- $NODE_PROJECT_DIR/reports/npm-outdated.*
		expire_in: 1 day
		access: developer
		rules:
		# exclude if $NODE_OUTDATED_DISABLED set
		- if: $NODE_OUTDATED_DISABLED == "true"
		@@ -788,6 +790,7 @@ node-semgrep:
		name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
		when: always
		expire_in: 1 week
		access: developer
		reports:
		sast: $NODE_PROJECT_DIR/reports/node-semgrep.gitlab.json
		paths: