From 3d4335fd9d46070720de57cda656c2570dd9efa2 Mon Sep 17 00:00:00 2001
From: Bertrand Goareguer <bertrand.goareguer@gmail.com>
Date: Thu, 24 Oct 2024 14:29:35 +0000
Subject: [PATCH] fix: limit security reports access to developer role or
 higher

---
 README.md                    | 6 +++---
 templates/gitlab-ci-node.yml | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 5fa19f5..bac6d01 100644
--- a/README.md
+++ b/README.md
@@ -343,7 +343,7 @@ It is bound to the `test` stage.
 | `audit-disabled` / `NODE_AUDIT_DISABLED` | Set to `true` to disable npm audit                                                                                                                                                                          | _none_ (enabled)    |
 | `audit-args` / `NODE_AUDIT_ARGS`         | npm [audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) arguments <br/> yarn [audit](https://classic.yarnpkg.com/en/docs/cli/audit) arguments <br/> pnpm [audit](https://pnpm.io/cli/audit) arguments | `--audit-level=low` |
 
-In addition to a textual report in the console, this job produces the following report, kept for one day:
+In addition to a textual report in the console, this job produces the following report, kept for one day and only available for download by users with the Developer role or higher:
 
 | Report                                            | Format                                                        | Usage                                                                                                                                                                                                                                  |
 | ------------------------------------------------- | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -360,7 +360,7 @@ It is bound to the `test` stage.
 | `outdated-disabled` / `NODE_OUTDATED_DISABLED` | Set to `true` to disable npm outdated                                                                                                                                                                                               | _none_ (enabled) |
 | `outdated-args` / `NODE_OUTDATED_ARGS`         | npm [outdated](https://docs.npmjs.com/cli/v8/commands/npm-outdated) arguments <br/> yarn [outdated](https://classic.yarnpkg.com/lang/en/docs/cli/outdated/) arguments <br/> pnpm [outdated](https://pnpm.io/cli/outdated) arguments | `--long`         |
 
-The job generates an outdated report that you will find here: `NODE_PROJECT_DIR/reports/npm-outdated-report.json`.
+The job generates an outdated report that you will find here: `NODE_PROJECT_DIR/reports/npm-outdated-report.json`. This report is only available for download by users with the Developer role or higher
 
 ### `node-semgrep` job
 
@@ -384,7 +384,7 @@ It is bound to the `test` stage, and uses the following variables:
 > - the `--metrics` option is set to `off`,
 > - the `--disable-version-check` option is set.
 
-In addition to a textual report in the console, this job produces the following reports, kept for one week:
+In addition to a textual report in the console, this job produces the following reports, kept for one week and only available for download by users with the Developer role or higher:
 
 | Report                                               | Format                                                                                       | Usage                                                                                                                                                                   |
 | ---------------------------------------------------- | -------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
diff --git a/templates/gitlab-ci-node.yml b/templates/gitlab-ci-node.yml
index 41eeade..1d2cbb6 100644
--- a/templates/gitlab-ci-node.yml
+++ b/templates/gitlab-ci-node.yml
@@ -731,6 +731,7 @@ node-audit:
     paths:
       - $NODE_PROJECT_DIR/reports/npm-audit.*
     expire_in: 1 day
+    access: developer
   rules:
     # exclude if $NODE_AUDIT_DISABLED set
     - if: '$NODE_AUDIT_DISABLED == "true"'
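Review bot: The added `access: developer` under `artifacts:` relies on the `artifacts:access` keyword, which, as far as I know, only exists on GitLab 16.11 and later; on older instances the job definition fails CI validation with an unknown-keyword error rather than silently ignoring the key, so the template should state the minimum GitLab version it now requires, e.g. `# artifacts:access requires GitLab 16.11 or later` above the line (the same applies to the two other hunks for node-outdated and node-semgrep). The restriction only covers artifact download; the textual audit output that the job prints to the console (as the README describes) stays in the job log and remains visible to anyone who can read job logs, so it is worth documenting that the Developer-role limit does not extend to the log. The node-audit job definition starts outside this hunk.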
@@ -755,6 +756,7 @@ node-outdated:
     paths:
       - $NODE_PROJECT_DIR/reports/npm-outdated.*
     expire_in: 1 day
+    access: developer
   rules:
     # exclude if $NODE_OUTDATED_DISABLED set
     - if: $NODE_OUTDATED_DISABLED == "true"
@@ -788,6 +790,7 @@ node-semgrep:
     name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
     when: always
     expire_in: 1 week
+    access: developer
     reports:
       sast: $NODE_PROJECT_DIR/reports/node-semgrep.gitlab.json
     paths:
-- 
GitLab