Commit f037bd1c authored by Pierre Smeyers

Merge branch '91-limit-security-reports-access-to-developer-role-and-above' into 'master'

Resolve "Limit security reports access to developer role and above"

Closes #91

See merge request to-be-continuous/python!123
parents ff5baf9c 40c85eff
...@@ -228,7 +228,7 @@ It is bound to the `test` stage, and uses the following variables: ...@@ -228,7 +228,7 @@ It is bound to the `test` stage, and uses the following variables:
| `bandit-enabled` / `BANDIT_ENABLED` | Set to `true` to enable Bandit analysis | _none_ (disabled) | | `bandit-enabled` / `BANDIT_ENABLED` | Set to `true` to enable Bandit analysis | _none_ (disabled) |
| `bandit-args` / `BANDIT_ARGS` | Additional [Bandit CLI options](https://github.com/PyCQA/bandit#usage) | `--recursive .` | | `bandit-args` / `BANDIT_ARGS` | Additional [Bandit CLI options](https://github.com/PyCQA/bandit#usage) | `--recursive .` |
In addition to a textual report in the console, this job produces the following reports, kept for one day: In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage | | Report | Format | Usage |
| -------------- | ---------------------------------------------------------------------------- | ----------------- | | -------------- | ---------------------------------------------------------------------------- | ----------------- |
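Review bot: The reworded sentence for the Bandit job still opens with "a textual report in the console", and that console output is the job log, which `access: developer` on the artifacts does not restrict. As written, a reader can take the Developer-role limit to cover all of the job's findings. Suggest scoping the claim to the downloadable report files and adding that the job log stays visible to anyone allowed to view pipeline logs on the project.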
...@@ -249,7 +249,7 @@ It is bound to the `test` stage, and uses the following variables: ...@@ -249,7 +249,7 @@ It is bound to the `test` stage, and uses the following variables:
| `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ | | `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
| `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive` | | `trivy-args` / `PYTHON_TRIVY_ARGS` | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/) | `--ignore-unfixed --pkg-types library --detection-priority comprehensive` |
In addition to a textual report in the console, this job produces the following reports, kept for one day: In addition to a textual report in the console, this job produces the following reports, kept for one day and only available for download by users with the Developer role or higher:
| Report | Format | Usage | | Report | Format | Usage |
| -------------- | ---------------------------------------------------------------------------- | ----------------- | | -------------- | ---------------------------------------------------------------------------- | ----------------- |
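Review bot: The Trivy sentence states the Developer-role restriction without naming the mechanism behind it, the `artifacts:access` keyword. Users on a self-managed GitLab instance need to know which GitLab version the template now requires for this keyword. Suggest naming the keyword here (or once in a shared note referenced by both the Bandit and Trivy sections) together with the minimum supported GitLab version.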
......
...@@ -1234,6 +1234,7 @@ py-bandit: ...@@ -1234,6 +1234,7 @@ py-bandit:
when: always when: always
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day expire_in: 1 day
access: developer
paths: paths:
- "$PYTHON_PROJECT_DIR/reports/py-bandit.*" - "$PYTHON_PROJECT_DIR/reports/py-bandit.*"
rules: rules:
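Review bot: `access: developer` in the `py-bandit` artifacts block is hard-coded, and the README hunks in this commit do not say how a project that needs a different setting can change it. Suggest documenting that the value can only be changed by overriding the job's `artifacts` section, or explaining why it is intentionally not configurable.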
...@@ -1310,6 +1311,7 @@ py-trivy: ...@@ -1310,6 +1311,7 @@ py-trivy:
artifacts: artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day expire_in: 1 day
access: developer
when: always when: always
paths: paths:
- "$PYTHON_PROJECT_DIR/reports/py-trivy.*" - "$PYTHON_PROJECT_DIR/reports/py-trivy.*"
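Review bot: Only `py-bandit` and `py-trivy` receive `access: developer` in this commit, while the issue title speaks of "security reports" in general. Please confirm that no other job in the template publishes vulnerability or dependency findings under its `artifacts:paths`, and add the same line there if one does, so the restriction is applied consistently.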
......