Development container registries must be private
Why are we doing this work
In GitLab 15.0, we moved the production registry for Secure analyzers from registry.gitlab.com/gitlab-org/security-products/analyzers to registry.gitlab.com/security-products.
To eliminate the risk of users accessing analyzer images that are not production-ready, the development container registries under registry.gitlab.com/gitlab-org/security-products/analyzers will be made private.
As a result, unauthorized clients will be denied access to pull images from development registries.
This is being treated as a breaking change so that any users still relying on registry.gitlab.com/gitlab-org/security-products/analyzers have a chance to see the deprecation note for %18.0 and update their settings.
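Because the breaking change only bites users whose CI configuration still pulls from the development registry, the useful check on the consumer side is a scan of `.gitlab-ci.yml` for the deprecated prefix. The script below is an added example, not GitLab's own tooling: it reports every non-comment line that references `registry.gitlab.com/gitlab-org/security-products/analyzers` (hard-coded `image:` values as well as overrides of the `SECURE_ANALYZERS_PREFIX` variable used by GitLab's Secure CI templates) and shows the production equivalent. It assumes the image path below the two prefixes is unchanged by the move (the analyzer name and tag stay the same); the sample configuration is constructed.

```python
"""Report and rewrite CI references to the deprecated Secure analyzer dev registry.

Added example, not part of the GitLab issue or GitLab's own code. Assumption:
the path below the prefix is identical in both registries, so
".../analyzers/semgrep:4" becomes ".../security-products/semgrep:4".
"""
import re

OLD_PREFIX = "registry.gitlab.com/gitlab-org/security-products/analyzers"
NEW_PREFIX = "registry.gitlab.com/security-products"

# The deprecated prefix, optionally followed by "/<image-path>", ending at
# whitespace, a quote, a YAML comment marker, or end of line. The lookahead
# stops e.g. ".../analyzers-other" from being treated as a match.
_OLD_REF = re.compile(
    re.escape(OLD_PREFIX) + r"(?P<rest>(?:/[^\s\"'#]*)?)(?=[\s\"'#]|$)"
)

# Constructed sample .gitlab-ci.yml: one variable override, one hard-coded
# image, one commented-out image, and one job already on the new registry.
SAMPLE_CI = """\
variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

semgrep-sast:
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:4
  # image: registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:3
  script: ["/analyzer run"]

gemnasium-dependency_scanning:
  image:
    name: "registry.gitlab.com/security-products/gemnasium:4"
"""


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith("#")


def find_deprecated_refs(ci_yaml: str):
    """Return (line_no, deprecated_ref, production_ref) for each live reference."""
    findings = []
    for line_no, line in enumerate(ci_yaml.splitlines(), start=1):
        if _is_comment(line):
            continue  # commented-out lines are not pulled by the runner
        for m in _OLD_REF.finditer(line):
            findings.append((line_no, m.group(0), NEW_PREFIX + m.group("rest")))
    return findings


def rewrite_refs(ci_yaml: str) -> str:
    """Return the configuration with every live deprecated reference replaced."""
    out = []
    for line in ci_yaml.splitlines(keepends=True):
        if not _is_comment(line):
            line = _OLD_REF.sub(lambda m: NEW_PREFIX + m.group("rest"), line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for line_no, old, new in find_deprecated_refs(SAMPLE_CI):
        print(f"line {line_no}: {old} -> {new}")
```

Run against a real pipeline configuration, the report is the list of pulls that will start failing once the development registries are private; `rewrite_refs` produces the corrected file for review before committing it.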
Relevant links
- Design: Lock down write access to Secure's cont... (#297525 - closed)
- https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=15.0#secure-and-protect-analyzer-images-published-in-new-location
List of affected registries:
- group::composition analysis
  - Registries:
  - Removal issue: Make CA container registries private (#478454 - closed) • Unassigned • 18.0
- group::dynamic analysis
  - Registries:
    - DAST
    - DAST API
    - Fuzz API
  - Registries:
- group::secret detection
  - Registries:
  - Removal issue: Make Secret Detection registry private (#486678 - closed) • Amar Patel • 18.0
- group::static analysis:
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: Failing security report parsing: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/pipelines/1326569776/security
Implementation plan
For each analyzer project, go to the project settings (Visibility, project features, permissions) and switch Container registry to Only Project Members.
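The same setting is exposed by the GitLab Projects API as the `container_registry_access_level` attribute (values `disabled`, `private`, `enabled`), where "Only Project Members" corresponds to `private`. The script below is an added example, not the project's own tooling: it audits a list of project records as returned by the Projects API and flags those whose registry still follows project visibility (`enabled`, which is public for a public project), then builds the `PUT /projects/:id` request that would lock each one down. The project records and token are constructed; the request is built but only sent if you call `send` yourself.

```python
"""Audit and lock down container registry visibility via the GitLab Projects API.

Added example, not GitLab's own code. Assumes the documented Projects API
attribute container_registry_access_level with values disabled/private/enabled.
The sample records, project IDs and token below are constructed.
"""
import urllib.parse
import urllib.request

SAMPLE_PROJECTS = [
    {"id": 101, "path_with_namespace": "gitlab-org/security-products/analyzers/example-a",
     "container_registry_access_level": "enabled"},   # follows project visibility
    {"id": 102, "path_with_namespace": "gitlab-org/security-products/analyzers/example-b",
     "container_registry_access_level": "private"},   # already locked down
    {"id": 103, "path_with_namespace": "gitlab-org/security-products/analyzers/example-c",
     "container_registry_access_level": "disabled"},  # no registry at all
]


def still_exposed(projects):
    """Return the paths of projects whose registry is not restricted to members.

    'disabled' registries hold no images, so only 'enabled' counts as exposed.
    """
    return [
        p["path_with_namespace"]
        for p in projects
        if p.get("container_registry_access_level") == "enabled"
    ]


def lockdown_request(base_url: str, project_id: int, token: str) -> urllib.request.Request:
    """Build (without sending) the PUT that sets the registry to members only."""
    body = urllib.parse.urlencode({"container_registry_access_level": "private"}).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/projects/{project_id}",
        data=body,
        method="PUT",
    )
    req.add_header("PRIVATE-TOKEN", token)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def send(req: urllib.request.Request) -> int:
    """Send a prepared request and return the HTTP status (network access needed)."""
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    exposed_ids = [p["id"] for p in SAMPLE_PROJECTS
                   if p["path_with_namespace"] in still_exposed(SAMPLE_PROJECTS)]
    for pid in exposed_ids:
        req = lockdown_request("https://gitlab.com", pid, "<placeholder-token>")
        print(f"would {req.get_method()} {req.full_url} with {req.data!r}")
```

Running `still_exposed` after the change is the verification step: the expected result for every analyzer project listed in this issue is an empty list.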