Commit 40c85eff authored by Bertrand Goareguer's avatar Bertrand Goareguer

fix: limit security reports access to developer role or higher

parent 078f9541
+2 −2
@@ -228,7 +228,7 @@ It is bound to the `test` stage, and uses the following variables:
| `bandit-enabled` / `BANDIT_ENABLED` | Set to `true` to enable Bandit analysis                                | _none_ (disabled) |
| `bandit-args` / `BANDIT_ARGS`    | Additional [Bandit CLI options](https://github.com/PyCQA/bandit#usage) | `--recursive .`   |

In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
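Review bot: the new sentence documents the access restriction but not the retention/visibility trade-off it introduces: the same findings are still printed as "a textual report in the console", so users who can read the job log but lack the Developer role continue to see them. Either state that explicitly here, or consider reducing what the console report exposes, so the documented restriction matches what users actually experience.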
@@ -249,7 +249,7 @@ It is bound to the `test` stage, and uses the following variables:
| `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive`   |

In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
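Review bot: this sentence is now a verbatim copy of the one added in the Bandit section above; two identical long sentences are easy to let drift apart on the next change to one of them. Consider stating the "Developer role or higher" rule once in a shared paragraph about report artifacts and referring to it from both job sections, or at minimum keep the two in sync deliberately.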
+2 −0
@@ -1234,6 +1234,7 @@ py-bandit:
    when: always
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    access: developer
    paths:
      - "$PYTHON_PROJECT_DIR/reports/py-bandit.*"
  rules:
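Review bot: `access: developer` is inserted between `expire_in` and `paths` here, whereas the `py-trivy` hunk below inserts it between `expire_in` and `when`; the two `artifacts:` blocks otherwise list the same keys, so use one key order in both to make the template easier to diff and review. Also, since `artifacts:access` is a comparatively new keyword, the documentation changes in this commit should mention the minimum GitLab version the template now requires, otherwise older instances will reject the pipeline configuration with no hint in the docs.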
@@ -1310,6 +1311,7 @@ py-trivy:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    access: developer
    when: always
    paths:
      - "$PYTHON_PROJECT_DIR/reports/py-trivy.*"
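Review bot: the only functional change in both job hunks is the one `access: developer` line, while the `py-bandit` hunk places it before `paths` and this one before `when`; pick a single position for the key. Beyond style, the commit message says "limit security reports access", but `when: always` still uploads the reports for failed jobs as well, which is the intended behaviour for a scanner; it is worth a one-line comment in the template, or a note in the docs above, that the role restriction applies to those failure-case artifacts too.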