Development container registries must be private

Why are we doing this work

In GitLab 15.0, we moved the production registry for Secure analyzers from registry.gitlab.com/gitlab-org/security-products/analyzers to registry.gitlab.com/security-products.

To eliminate the risk of users accessing analyzer images that are not production-ready, the development container registries under registry.gitlab.com/gitlab-org/security-products/analyzers will be made private.

As a result, unauthorized clients will be denied access to pull images from development registries.

This is being treated as a breaking change so that any users still relying on registry.gitlab.com/gitlab-org/security-products/analyzers have a chance to see the deprecation note for %18.0 and update their settings.

Relevant links

List of affected registries:

groupcomposition analysis
- Registries:
- Removal issue: Make CA container registries private (#478454 - closed) • Unassigned • 18.0
groupdynamic analysis
- Registries:
  - DAST
  - DAST API
  - Fuzz API
groupsecret detection
- Registries:
  - secrets
- Removal issue: Make Secret Detection registry private (#486678 - closed) • Amar Patel • 18.0
groupstatic analysis:
- Registries:
  - semgrep
  - sobelow
  - spotbugs
  - bandit
  - brakeman'
  - eslint
  - flawfinder
  - gosec
  - mobsf
  - nodejs-scan
  - phpcs-security-audit
  - security-code-scan
- Removal issue: Make SAST registries private (#478741 - closed) • Unassigned • Backlog

Non-functional requirements

Documentation:
Feature flag:
Performance:
Testing:
- Failing security report parsing: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/pipelines/1326569776/security

Implementation plan

For each analyzer project, go to the project settings, Visibility, project features, permissions, and switch Container registry to Only Project Members.

Verification steps

Edited Sep 10, 2024 by Amar Patel