Commit 45f4ee63 authored by Bertrand Goareguer

fix: limit security reports access to developer role or higher

parent 0f04542c
+3 −3
@@ -501,7 +501,7 @@ In addition to a textual report in the console, this job produces the following
| `tfsec-enabled` / `TF_TFSEC_ENABLED` | Set to `true` to enable tfsec            | _none_ (disabled) |
| `tfsec-args` / `TF_TFSEC_ARGS` | tfsec [options and args](https://aquasecurity.github.io/tfsec/latest/guides/usage/) | `.` |

In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
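Review bot: the new sentence restricts "download" of the reports, but the preceding clause still promises a textual report in the console, which `artifacts:access` does not cover; state explicitly that the job log remains visible to anyone who can view the job and that only the downloadable artifacts are limited to the Developer role or higher, so readers do not assume findings are hidden from lower roles.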
@@ -518,7 +518,7 @@ In addition to a textual report in the console, this job produces the following
| `trivy-disabled` / `TF_TRIVY_DISABLED` | Set to `true` to disable trivy            | _none_ (enabled) |
| `trivy-args` / `TF_TRIVY_ARGS` | trivy config [options and args](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_config/) | `.` |

In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
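Review bot: because trivy is enabled by default (`trivy-disabled` defaults to `_none_ (enabled)`), this access restriction takes effect for every project using the template, so users with the Reporter or Guest role who could previously download these reports lose that ability on upgrade; add a changelog or migration note next to this paragraph rather than only the inline sentence.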
@@ -540,7 +540,7 @@ In addition to a textual report in the console, this job produces the following
Command line arguments for `checkov` are the result of the concatenation of `--directory .` and  `$TF_CHECKOV_ARGS`.
As a consequence additional `--directory` or `--file` arguments will be ignored.

In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
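Review bot: the same sentence ("kept for one day and only available for download by users with the Developer role or higher") is now duplicated verbatim in the tfsec, trivy and checkov sections; consider moving the retention and access rule into one shared paragraph (or a link anchor) so a future change to the role or retention period does not have to be applied three times and drift between sections.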
+4 −0
@@ -1055,6 +1055,7 @@ stages:
  artifacts:
    name: "Terraform plan for $ENV_TYPE from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    access: developer
    paths:
      - $TF_PROJECT_DIR/${ENV_TYPE}.tfplan
    reports:
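Review bot: this hunk adds `access: developer` to the Terraform plan artifact (`$TF_PROJECT_DIR/${ENV_TYPE}.tfplan`), which is not a security report, yet the commit message only mentions "security reports"; either mention the plan artifact in the commit message or split it into its own change, and note in the template docs which minimum GitLab version supports the `artifacts:access` keyword so users on older instances know why the pipeline definition is rejected.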
@@ -1091,6 +1092,7 @@ tf-tfsec:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    access: developer
    reports:
      junit: $TF_PROJECT_DIR/reports/tfsec.xunit.xml
    paths:
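Review bot: `access: developer` is applied to an `artifacts` block that also declares `reports: junit:`; clarify (here or in the docs hunk) whether the restriction only affects raw artifact download or also hides the JUnit results rendered in the merge request test summary, since the docs sentence promises the reports are "only available for download by users with the Developer role or higher" and reviewers will want to know whether lower roles still see the parsed results.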
@@ -1121,6 +1123,7 @@ tf-trivy:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    access: developer
    when: always
    reports:
      codequality: $TF_PROJECT_DIR/reports/tf-trivy.codeclimate.json
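Review bot: this job uploads artifacts with `when: always`, so the `access: developer` restriction must also hold for failed runs where the code-quality report may list the findings that caused the failure; that is the right behaviour, but it is worth a comment on the `access` line (and a test in the template test pipeline, if one exists) to make sure a future edit does not reorder or drop the key only for the failure path.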
@@ -1177,6 +1180,7 @@ tf-checkov:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    access: developer
    reports:
      junit: $TF_PROJECT_DIR/reports/checkov.xunit.xml
    paths:
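Review bot: the four `artifacts` blocks now repeat the identical `expire_in: 1 day` and `access: developer` pair; consider factoring the shared keys into a common hidden job (for example via `extends` or a YAML anchor already used elsewhere in the template) so the access policy is defined once and a job added later cannot silently omit it.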