Add Access Token auth to Gemnasium API

Problem to solve

Currently, the only way to authenticate against the Gemnasium API is with a JSON Web Token.

This approach does not suit the automated workflow we are trying to achieve.

Intended users

~Secure team members.

Further details

As we want to automate the publishing process of advisories to the Gemnasium DB, we need a way to set up a long-lived auth mechanism that could be used by a bot to submit a request to the Gemnasium API from pipeline jobs.

Proposal

Consider adding something similar to GitLab's Personal access tokens.

Permissions and Security

We should be careful about the rights granted to this kind of access and consider the potential risks.
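One sketch of what the proposal and the permissions concern above imply, added here as an illustration and not Gemnasium's or GitLab's code: a bearer token that is stored only as a hash, carries an explicit scope set, expires, and can be revoked, with the server checking all of that before a request is accepted. The `gem_` prefix, the `write:advisories` scope and the `TokenStore` API are assumed names for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

TOKEN_PREFIX = "gem_"  # assumed prefix so a leaked token is recognisable in scans


@dataclass
class TokenRecord:
    digest: str               # SHA-256 of the token; the plaintext is never stored
    scopes: frozenset         # least privilege: only what the bot job needs
    expires_at: datetime
    revoked: bool = False


@dataclass
class TokenStore:
    records: dict = field(default_factory=dict)

    def issue(self, scopes, ttl, now):
        """Mint a token, keep only its hash, and hand back the plaintext once."""
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.records[digest] = TokenRecord(digest, frozenset(scopes), now + ttl)
        return token

    def revoke(self, token):
        rec = self.records.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is not None:
            rec.revoked = True

    def authenticate(self, authorization, required_scope, now):
        """Validate an Authorization header for one scope; returns (ok, reason)."""
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or not token.startswith(TOKEN_PREFIX):
            return False, "malformed"
        rec = self.records.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return False, "unknown token"   # hash lookup: no plaintext compare needed
        if rec.revoked:
            return False, "revoked"
        if now >= rec.expires_at:
            return False, "expired"
        if required_scope not in rec.scopes:
            return False, f"missing scope {required_scope}"
        return True, "ok"


def run_demo():
    """Issue a write-only advisory token and exercise the checks; returns outcomes."""
    store, now = TokenStore(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = store.issue({"write:advisories"}, timedelta(days=30), now)
    out = {
        "ok": store.authenticate(f"Bearer {tok}", "write:advisories", now),
        "wrong_scope": store.authenticate(f"Bearer {tok}", "admin", now),
        "expired": store.authenticate(f"Bearer {tok}", "write:advisories", now + timedelta(days=31)),
        "tampered": store.authenticate(f"Bearer {tok}x", "write:advisories", now),
        "plaintext_stored": tok in repr(store.records),
    }
    store.revoke(tok)
    out["revoked"] = store.authenticate(f"Bearer {tok}", "write:advisories", now)
    return out
```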

Documentation

TODO: check whether we have proper documentation for the Gemnasium API, and document this new auth mechanism there.

What does success look like, and how can we measure that?

A job from the gemnasium-db repository can submit authenticated requests to the Gemnasium API.

Links / references