Commit 40c85eff authored by Bertrand Goareguer

fix: limit security reports access to developer role or higher

parent 078f9541
......@@ -228,7 +228,7 @@ It is bound to the `test` stage, and uses the following variables:
| `bandit-enabled` / `BANDIT_ENABLED` | Set to `true` to enable Bandit analysis | _none_ (disabled) |
| `bandit-args` / `BANDIT_ARGS` | Additional [Bandit CLI options](https://github.com/PyCQA/bandit#usage) | `--recursive .` |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
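Review bot: The reworded sentence still opens with "a textual report in the console", and that console output is not covered by the new restriction. `artifacts:access` only limits who can download the report files; the findings printed in the job log stay visible to anyone who can read job logs for the project. Suggest saying explicitly that the restriction applies to the downloadable reports only, so readers do not assume the Bandit findings are hidden from lower roles.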
......@@ -249,7 +249,7 @@ It is bound to the `test` stage, and uses the following variables:
| `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive` |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
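Review bot: Missing documentation in the Trivy paragraph (and the identical Bandit one): the sentence states the Developer-role restriction but does not name the mechanism behind it. Suggest mentioning that it relies on the `artifacts:access` keyword, so users on a GitLab instance that does not support that keyword know why the template fails to validate, and so they know which keyword to override if they need a different access level.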
......
......@@ -1234,6 +1234,7 @@ py-bandit:
when: always
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
access: developer
paths:
- "$PYTHON_PROJECT_DIR/reports/py-bandit.*"
rules:
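Review bot: The added `access: developer` line in `py-bandit` can break projects that already override this job with `artifacts:public`, because GitLab does not allow `artifacts:public` and `artifacts:access` in the same job. Suggest calling this out in the changelog or README as a behaviour change, and telling such projects to drop their `public` override or replace it with an `access` value.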
......@@ -1310,6 +1311,7 @@ py-trivy:
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
access: developer
when: always
paths:
- "$PYTHON_PROJECT_DIR/reports/py-trivy.*"
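Review bot: Style point on the `py-trivy` artifacts block: the new `access: developer` line lands between `expire_in` and `when: always`, whereas in `py-bandit` `when: always` comes first and `access` directly precedes `paths`. Suggest using the same key order in both jobs (for example `when`, `name`, `expire_in`, `access`, `paths`) so the access setting is easy to spot and compare when auditing the template.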
......