fix: limit security reports access to developer role or higher

29a3173e · Bertrand Goareguer · 0773bdd9 · 29a3173e · 29a3173e
Commit 29a3173e authored 9 months ago by Bertrand Goareguer
--- a/README.md
+++ b/README.md
@@ -284,7 +284,7 @@ FROM ubuntu
 RUN cd /tmp && echo "hello!"
 ```

-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

 | Report                                       | Format                               | Usage                                                                                                                                                                          |
 | -------------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
@@ -420,7 +420,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY`                       | OCI repository to retrieve Trivy Database from                                                                         | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`)          |
 | `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY`             | OCI repository to retrieve Trivy Java Database from                                                                    | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)\_ |

-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

 | Report                               | Format                                                                                                             | Usage                                                                                                                                                                       |
 | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -775,6 +775,7 @@ docker-hadolint:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
+    access: developer
    when: always
    reports:
      codequality:
@@ -1007,6 +1008,7 @@ docker-trivy:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
+    access: developer
    when: always
    paths:
    - "reports/docker-trivy-*"