fix: limit security reports access to developer role or higher

40c85eff · Bertrand Goareguer · 078f9541 · 40c85eff · 40c85eff
Commit 40c85eff authored 6 months ago by Bertrand Goareguer
--- a/README.md
+++ b/README.md
@@ -228,7 +228,7 @@ It is bound to the `test` stage, and uses the following variables:
 | `bandit-enabled` / `BANDIT_ENABLED` | Set to `true` to enable Bandit analysis                                | _none_ (disabled) |
 | `bandit-args` / `BANDIT_ARGS`    | Additional [Bandit CLI options](https://github.com/PyCQA/bandit#usage) | `--recursive .`   |

-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

 | Report         | Format                                                                       | Usage             |
 | -------------- | ---------------------------------------------------------------------------- | ----------------- |
@@ -249,7 +249,7 @@ It is bound to the `test` stage, and uses the following variables:
 | `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
 | `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive`   |

-In addition to a textual report in the console, this job produces the following reports, kept for one day:
+In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:

 | Report         | Format                                                                       | Usage             |
 | -------------- | ---------------------------------------------------------------------------- | ----------------- |

--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -1234,6 +1234,7 @@ py-bandit:
    when: always
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
+    access: developer
    paths:
      - "$PYTHON_PROJECT_DIR/reports/py-bandit.*"
  rules:
@@ -1310,6 +1311,7 @@ py-trivy:
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
+    access: developer
    when: always
    paths:
      - "$PYTHON_PROJECT_DIR/reports/py-trivy.*"