Merge remote-tracking branch 'upstream/master'

# Conflicts: # CHANGELOG.md # README.md

Merge remote-tracking branch 'upstream/master'
fab1adca · Benguria Elguezabal, Gorka · 1fa08bef · 2fdfb7ee · fab1adca · fab1adca
Commit fab1adca authored 4 months ago by Benguria Elguezabal, Gorka
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-## [4.0.1](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/node/compare/4.0.0...4.0.1) (2024-09-18)
+## [4.1.1](https://gitlab.com/to-be-continuous/node/compare/4.1.0...4.1.1) (2024-12-05)


 ### Bug Fixes

-* set node-publish default registry ([fd0f04d](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/node/commit/fd0f04d730e7b844dd6f57a77b21d913b16dd1c9))
+* semgrep subdir ([8ac460c](https://gitlab.com/to-be-continuous/node/commit/8ac460c05668590b7713f05fc571fc7b3fe2f4b4))
+
+# [4.1.0](https://gitlab.com/to-be-continuous/node/compare/4.0.3...4.1.0) (2024-11-23)
+
+
+### Features
+
+* **lint:** enforce GitLab integration ([44cc3c3](https://gitlab.com/to-be-continuous/node/commit/44cc3c30b1211f35c428edfc5e4165aaae086fbc))
+
+## [4.0.3](https://gitlab.com/to-be-continuous/node/compare/4.0.2...4.0.3) (2024-11-02)
+
+
+### Bug Fixes
+
+* limit security reports access to developer role or higher ([3d4335f](https://gitlab.com/to-be-continuous/node/commit/3d4335fd9d46070720de57cda656c2570dd9efa2))
+
+## [4.0.2](https://gitlab.com/to-be-continuous/node/compare/4.0.1...4.0.2) (2024-10-04)
+
+
+### Bug Fixes
+
+* **release:** support full semantic-versioning specifcation (with prerelease and build metadata) ([b031dae](https://gitlab.com/to-be-continuous/node/commit/b031dae19ccf2cd4f31066ff052efd2d8b1c7aef))

 ## [4.0.1](https://gitlab.com/to-be-continuous/node/compare/4.0.0...4.0.1) (2024-09-08)


--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/node/gitlab-ci-node@4.0.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/node/gitlab-ci-node@4.1.1
    # 2: set/override component inputs
    inputs:
      image: "registry.hub.docker.com/library/node:20" # ⚠ this is only an example
@@ -31,7 +31,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: "to-be-continuous/node"
-    ref: "4.0.0"
+    ref: "4.1.1"
    file: "/templates/gitlab-ci-node.yml"

 variables:
@@ -90,7 +90,8 @@ variables:

 ### `node-lint` job

-The Node template features a job `node-lint` that performs Node.js source code **lint**. This job is **disabled by default**. It can be activated by setting `NODE_LINT_ENABLED`
+The Node template features a `node-lint` job that performs a code analysis with [ESLint](https://eslint.org/).
+This job is **disabled by default**. It can be activated by setting `NODE_LINT_ENABLED`.

 It is bound to the `build` stage, and uses the following variable:

@@ -100,7 +101,18 @@ It is bound to the `build` stage, and uses the following variable:
 | `lint-args` / `NODE_LINT_ARGS`       | npm [run script](https://docs.npmjs.com/cli/v8/commands/npm-run-script) arguments to execute the lint analysis <br/> yarn [run script](https://classic.yarnpkg.com/en/docs/cli/run) arguments to execute the lint analysis <br/> pnpm [run script](https://pnpm.io/cli/run) arguments to execute the lint analysis | `run lint`        |
 | `node-lint-job-tags` / `NODE_LINT_JOB_TAGS` | Tags to be used for selecting runners for the job | [] |

-The job generates a lint report that you will find here: `NODE_PROJECT_DIR/reports/node-lint.xslint.json`.
+In addition to a textual report in the console, this job produces the following reports, kept for one day:
+
+| Report                                                | Format                                                   | Usage                                                                                                       |
+|-------------------------------------------------------|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| `$NODE_PROJECT_DIR/reports/node-lint.gitlab.json` | [GitLab](https://docs.gitlab.com/ee/ci/testing/code_quality.html#eslint) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
+| `$NODE_PROJECT_DIR/reports/node-lint.xslint.json` | JSON ESLint                                               | [SonarQube integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/)                        |
+
+
+
+| Report                                            | Format                                                        | Usage                                                                                                                                                                                                                                  |
+| ------------------------------------------------- | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `$NODE_PROJECT_DIR/reports/npm-audit.native.json` | [JSON](https://docs.npmjs.com/cli/v9/commands/npm-audit#json) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/npm_audit_7_plus/)<br/>_This report is generated only if DefectDojo template is detected, if needed, you can force it with `$DEFECTDOJO_NPMAUDIT_REPORTS`_ |

 ### `node-build` job

@@ -135,8 +147,8 @@ Here is the required configuration if you're using [Jest](https://jestjs.io/) as
 | [jest-junit](https://github.com/jest-community/jest-junit)                                   | Yes                 | `reports/node-test.xunit.xml`    | [GitLab unit tests integration](https://docs.gitlab.com/ee/ci/testing/unit_test_reports.html) _(JUnit format)_                                                     |
 | istanbul [text](https://istanbul.js.org/docs/advanced/alternative-reporters/#text)           | No                  | N/A _(stdout)_                   | [GitLab MR test coverage results](https://docs.gitlab.com/ee/ci/pipelines/settings.html#merge-request-test-coverage-results) _(GitLab grabs coverage from stdout)_ |
 | istanbul [cobertura](https://istanbul.js.org/docs/advanced/alternative-reporters/#cobertura) | No                  | `reports/cobertura-coverage.xml` | [GitLab code coverage integration](https://docs.gitlab.com/ee/ci/testing/test_coverage_visualization.html) _(Cobertura format)_                                    |
-| [jest-sonar](https://github.com/sh33dafi/jest-sonar)                                         | Yes                 | `reports/node-test.sonar.xml`    | [SonarQube unit tests integration](https://docs.sonarqube.org/latest/analysis/generic-test/) _(generic SonarQube format)_                                          |
-| istanbul [lcovonly](https://istanbul.js.org/docs/advanced/alternative-reporters/#lcovonly)   | No                  | `reports/lcov.info`              | [SonarQube code coverage integration](https://docs.sonarqube.org/latest/analysis/test-coverage/javascript-typescript-test-coverage/) _(JS/TS LCOV format)_         |
+| [jest-sonar](https://github.com/sh33dafi/jest-sonar)                                         | Yes                 | `reports/node-test.sonar.xml`    | [SonarQube unit tests integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/generic-test-data/#generic-test-coverage) _(generic SonarQube format)_                                          |
+| istanbul [lcovonly](https://istanbul.js.org/docs/advanced/alternative-reporters/#lcovonly)   | No                  | `reports/lcov.info`              | [SonarQube code coverage integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/) _(JS/TS LCOV format)_         |

 Here is an example of a `jest.config.js` configuration file with all the above reporters configured as expected:

@@ -182,8 +194,8 @@ Here is the required configuration if you're using [Mocha](https://mochajs.org/)
 | [mocha-junit-reporter](https://github.com/michaelleeallen/mocha-junit-reporter)              | Yes                    | `reports/node-test.xunit.xml`    | [GitLab unit tests integration](https://docs.gitlab.com/ee/ci/testing/unit_test_reports.html) _(JUnit format)_                                                     |
 | istanbul [text](https://istanbul.js.org/docs/advanced/alternative-reporters/#text)           | Yes (in `nyc` package) | N/A _(stdout)_                   | [GitLab MR test coverage results](https://docs.gitlab.com/ee/ci/pipelines/settings.html#merge-request-test-coverage-results) _(GitLab grabs coverage from stdout)_ |
 | istanbul [cobertura](https://istanbul.js.org/docs/advanced/alternative-reporters/#cobertura) | Yes (in `nyc` package) | `reports/cobertura-coverage.xml` | [GitLab code coverage integration](https://docs.gitlab.com/ee/ci/testing/test_coverage_visualization.html) _(Cobertura format)_                                    |
-| [mocha-sonarqube-reporter](https://github.com/mmouterde/mocha-sonarqube-reporter)            | Yes                    | `reports/node-test.sonar.xml`    | [SonarQube unit tests integration](https://docs.sonarqube.org/latest/analysis/generic-test/) _(generic SonarQube format)_                                          |
-| istanbul [lcovonly](https://istanbul.js.org/docs/advanced/alternative-reporters/#lcovonly)   | Yes (in `nyc` package) | `reports/lcov.info`              | [SonarQube code coverage integration](https://docs.sonarqube.org/latest/analysis/test-coverage/javascript-typescript-test-coverage/) _(JS/TS LCOV format)_         |
+| [mocha-sonarqube-reporter](https://github.com/mmouterde/mocha-sonarqube-reporter)            | Yes                    | `reports/node-test.sonar.xml`    | [SonarQube unit tests integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/generic-test-data/#generic-test-coverage) _(generic SonarQube format)_                                          |
+| istanbul [lcovonly](https://istanbul.js.org/docs/advanced/alternative-reporters/#lcovonly)   | Yes (in `nyc` package) | `reports/lcov.info`              | [SonarQube code coverage integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/) _(JS/TS LCOV format)_         |

 :warning: Remarks:

@@ -288,7 +300,7 @@ If you're using the SonarQube template to analyse your Node code, here are 2 sam
 If using JavaScript language:

 ```properties
-# see: https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/
+# see: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/
 # set your source directory(ies) here (relative to the sonar-project.properties file)
 sonar.sources=.
 # exclude unwanted directories and files from being analysed
@@ -309,7 +321,7 @@ sonar.javascript.lcov.reportPaths=reports/lcov.info
 If using TypeScript language:

 ```properties
-# see: https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/
+# see: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/
 # set your source directory(ies) here (relative to the sonar-project.properties file)
 sonar.sources=src
 # exclude unwanted directories and files from being analysed
@@ -329,10 +341,10 @@ sonar.typescript.lcov.reportPaths=reports/lcov.info

 More info:

- [JavaScript language support](https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/)
- [TypeScript language support](https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/)
- [test coverage & execution parameters](https://docs.sonarqube.org/latest/analysis/coverage/)
- [third-party issues](https://docs.sonarqube.org/latest/analysis/external-issues/)
+- [JavaScript language support](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/)
+- [TypeScript language support](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/javascript-typescript-test-coverage/)
+- [test coverage](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-coverage-parameters/) & [test execution](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-execution-parameters/) parameters
+- [external analyzer reports](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/)

 ### `node-audit` job

@@ -345,7 +357,7 @@ It is bound to the `test` stage.
 | `audit-disabled` / `NODE_AUDIT_DISABLED` | Set to `true` to disable npm audit                                                                                                                                                                          | _none_ (enabled)    |
 | `audit-args` / `NODE_AUDIT_ARGS`         | npm [audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) arguments <br/> yarn [audit](https://classic.yarnpkg.com/en/docs/cli/audit) arguments <br/> pnpm [audit](https://pnpm.io/cli/audit) arguments | `--audit-level=low` |

-In addition to a textual report in the console, this job produces the following report, kept for one day:
+In addition to a textual report in the console, this job produces the following report, kept for one day and only available for download by users with the Developer role or higher:

 | Report                                            | Format                                                        | Usage                                                                                                                                                                                                                                  |
 | ------------------------------------------------- | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -364,7 +376,7 @@ It is bound to the `test` stage.
 | `outdated-args` / `NODE_OUTDATED_ARGS`         | npm [outdated](https://docs.npmjs.com/cli/v8/commands/npm-outdated) arguments <br/> yarn [outdated](https://classic.yarnpkg.com/lang/en/docs/cli/outdated/) arguments <br/> pnpm [outdated](https://pnpm.io/cli/outdated) arguments | `--long`         |
 | `node-outdated-job-tags` / `NODE_OUTDATED_JOB_TAGS` | Tags to be used for selecting runners for the job | [] |

-The job generates an outdated report that you will find here: `NODE_PROJECT_DIR/reports/npm-outdated-report.json`.
+The job generates an outdated report that you will find here: `NODE_PROJECT_DIR/reports/npm-outdated-report.json`. This report is only available for download by users with the Developer role or higher

 ### `node-semgrep` job

@@ -389,12 +401,12 @@ It is bound to the `test` stage, and uses the following variables:
 > - the `--metrics` option is set to `off`,
 > - the `--disable-version-check` option is set.

-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+In addition to a textual report in the console, this job produces the following reports, kept for one week and only available for download by users with the Developer role or higher:

 | Report                                               | Format                                                                                       | Usage                                                                                                                                                                   |
 | ---------------------------------------------------- | -------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `$NODE_PROJECT_DIR/reports/node-semgrep.gitlab.json` | [GitLab's SAST format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options)  | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast)                                                                    |
-| `$NODE_PROJECT_DIR/reports/node-semgrep.native.json` | [Semgrep's JSON format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | [DefectDojo integration](https://documentation.defectdojo.com/integrations/parsers/file/semgrep)<br/>_This report is generated only if DefectDojo template is detected_ |
+| `$NODE_PROJECT_DIR/reports/node-semgrep.native.json` | [Semgrep's JSON format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/semgrep/)<br/>_This report is generated only if DefectDojo template is detected_ |

 ### `node-sbom` job

@@ -488,10 +500,12 @@ In order to be able to communicate with the Vault server, the variant requires t
 | Input / Variable                    | Description                                                                                                                     | Default value                                                              |
 | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
 | `TBC_VAULT_IMAGE`                   | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
-| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url                                                                                                   | _none_                                                                     |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url                                                                                                   | **must be defined**                                                        |
 | `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT                                                                                                     | `$CI_SERVER_URL`                                                           |
-| :lock: `VAULT_ROLE_ID`              | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID                                                             | **must be defined**                                                        |
-| :lock: `VAULT_SECRET_ID`            | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID                                                           | **must be defined**                                                        |
+| :lock: `VAULT_ROLE_ID`              | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID                                                             | _none_                                                                     |
+| :lock: `VAULT_SECRET_ID`            | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID                                                           | _none_                                                                     |
+
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.

 #### Usage

@@ -513,14 +527,13 @@ With:
 ```yaml
 include:
  # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/node/gitlab-ci-node@4.0.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/node/gitlab-ci-node@4.1.1
  # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/node/gitlab-ci-node-vault@4.0.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/node/gitlab-ci-node-vault@4.1.1
    inputs:
      # audience claim for JWT
      vault-oidc-aud: "https://vault.acme.host"
      vault-base-url: "https://vault.acme.host/v1"
-      # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable

 variables:
  NODE_CONFIG_SCOPED_REGISTRIES: "@public-repo:https://public.npm.registry/some/repo @my-priv-repo:https://private.npm.registry/another/repo"

--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

  # replace in README
-  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md

  # replace in template and variants

--- a/kicker.json
+++ b/kicker.json
@@ -84,7 +84,7 @@
    {
      "id": "node-lint",
      "name": "node lint",
-      "description": "node lint analysis",
+      "description": "code analysis with [ESLint](https://eslint.org/)",
      "enable_with": "NODE_LINT_ENABLED",
      "variables": [
        {

--- a/templates/gitlab-ci-node-vault.yml
+++ b/templates/gitlab-ci-node-vault.yml
@@ -22,7 +22,7 @@ variables:
 .node-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "node", "4.0.1"]
+      command: ["--service", "node", "4.1.1"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-node.yml
+++ b/templates/gitlab-ci-node.yml
@@ -242,7 +242,7 @@ variables:
  # default integration ref name (pattern)
  INTEG_REF: /^develop$/
  # default release tag name (pattern)
-  RELEASE_REF: /^v?[0-9]+\.[0-9]+\.[0-9]+$/
+  RELEASE_REF: /^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/

 # ==================================================
 # Stages definition
@@ -568,16 +568,6 @@ stages:
    fi
  }

-  function sonar_lint_report() {
-    if [[ "$SONAR_HOST_URL" ]] || [[ "$SONAR_URL" ]]
-    then
-      mkdir -p -m 777 reports
-      # generate eslint report in json for SonarQube
-      # shellcheck disable=SC2086
-      $NODE_MANAGER $NODE_LINT_ARGS -- --format=json --output-file=reports/node-lint.xslint.json
-    fi
-  }
-
  function configure_publish() {
    # get package scope+name, and target registry url
    pkg_fullname=$(node -pe "require('./package.json').name")
@@ -645,7 +635,7 @@ stages:
  image: $NODE_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "node", "4.0.1"]
+      command: ["--service", "node", "4.1.1"]
  variables:
    # Yarn cache (better than --cache-folder option, deprecated)
    YARN_CACHE_FOLDER: "$CI_PROJECT_DIR/$NODE_PROJECT_DIR/.yarn"
@@ -719,16 +709,35 @@ node-lint:
  extends: .node-base
  stage: build
  script:
-    # generate lint report for sonar
-    - sonar_lint_report || true
-    # display lint result for console
-    - $NODE_MANAGER $NODE_LINT_ARGS
+    - mkdir -p -m 777 reports
+    # maybe generate ESLint report for SonarQube
+    - |
+      if [[ "$SONAR_HOST_URL" ]] || [[ "$SONAR_URL" ]]
+      then
+        # generate eslint report for SonarQube
+        # shellcheck disable=SC2086
+        log_info "SonarQube detected: producing ESLint JSON report..."
+        $NODE_MANAGER $NODE_LINT_ARGS -- --format=json --output-file=reports/node-lint.xslint.json || true
+      fi
+    # maybe add eslint-formatter-gitlab
+    - |
+      if ! $NODE_MANAGER list | grep eslint-formatter-gitlab > /dev/null
+      then
+        log_info "Adding eslint-formatter-gitlab to produce ESLint GitLab report..."
+        $NODE_MANAGER add eslint-formatter-gitlab
+      fi
+    # run ESLint with console output and GitLab report
+    # shellcheck disable=SC2086
+    - ESLINT_CODE_QUALITY_REPORT=reports/node-lint.gitlab.json $NODE_MANAGER $NODE_LINT_ARGS -- --format=gitlab
  artifacts:
    when: always # store artifact even if test Failed
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
-    paths:
-      - $NODE_PROJECT_DIR/reports/node-lint.xslint.json
    expire_in: 1 day
+    paths:
+      - $NODE_PROJECT_DIR/reports/node-lint.*
+    reports:
+      codequality:
+        - $NODE_PROJECT_DIR/reports/node-lint.gitlab.json
  rules:
    # exclude if $NODE_LINT_ENABLED unset
    - if: '$NODE_LINT_ENABLED != "true"'
@@ -762,6 +771,7 @@ node-audit:
    paths:
      - $NODE_PROJECT_DIR/reports/npm-audit.*
    expire_in: 1 day
+    access: developer
  rules:
    # exclude if $NODE_AUDIT_DISABLED set
    - if: '$NODE_AUDIT_DISABLED == "true"'
@@ -787,6 +797,7 @@ node-outdated:
    paths:
      - $NODE_PROJECT_DIR/reports/npm-outdated.*
    expire_in: 1 day
+    access: developer
  rules:
    # exclude if $NODE_OUTDATED_DISABLED set
    - if: $NODE_OUTDATED_DISABLED == "true"
@@ -808,19 +819,19 @@ node-semgrep:
  dependencies: []
  stage: test
  before_script:
-    - *node-scripts
-    - cd $NODE_PROJECT_DIR
-    - mkdir -p -m 777 reports
+    - !reference [.node-scripts]
+    - mkdir -p -m 777 ${NODE_PROJECT_DIR}/reports
    - setup_semgrep_rules
  script:
    - >- 
-      semgrep ci ${TRACE+--verbose} ${NODE_SEMGREP_ARGS}
-      --gitlab-sast-output=reports/node-semgrep.gitlab.json
-      ${DEFECTDOJO_SEMGREP_REPORTS:+--json-output=reports/node-semgrep.native.json}
+      semgrep ci ${TRACE+--verbose} ${NODE_SEMGREP_ARGS} --subdir ${NODE_PROJECT_DIR}
+      --gitlab-sast-output=${NODE_PROJECT_DIR}/reports/node-semgrep.gitlab.json
+      ${DEFECTDOJO_SEMGREP_REPORTS:+--json-output=${NODE_PROJECT_DIR}/reports/node-semgrep.native.json}
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    when: always
    expire_in: 1 week
+    access: developer
    reports:
      sast: $NODE_PROJECT_DIR/reports/node-semgrep.gitlab.json
    paths: