Development container registries must be private
Why are we doing this work
In GitLab 15.0, we moved the production registry for Secure analyzers from registry.gitlab.com/gitlab-org/security-products/analyzers to registry.gitlab.com/security-products.
To eliminate the risk of users accessing analyzer images that are not production-ready, the development container registries under registry.gitlab.com/gitlab-org/security-products/analyzers will be made private.
As a result, unauthorized clients will be denied access to pull images from development registries.
This is being treated as a breaking change so that any users still relying on registry.gitlab.com/gitlab-org/security-products/analyzers have a chance to see the deprecation note for %18.0 and update their settings.
Relevant links
- https://gitlab.com/gitlab-org/gitlab/-/issues/297525+
- https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=15.0#secure-and-protect-analyzer-images-published-in-new-location
List of affected registries:
- group::composition analysis
- group::dynamic analysis
  - DAST
  - DAST API
  - Fuzz API
- group::secret detection
  - ?
- group::static analysis: all official analyzers, including end-of-life ones.
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: Failing security report parsing: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/pipelines/1326569776/security
Implementation plan
For each analyzer project, go to the project settings (Visibility, project features, permissions) and switch Container registry to Only Project Members.
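As an added example (not part of this issue), the following script checks the outcome of the plan above across the affected projects through the Projects API instead of by revisiting each project's settings page. It assumes the `container_registry_access_level` field of the GitLab Projects API, and the sample responses it runs over are constructed.

```python
# Added example, not code from the GitLab issue. Assumes the GitLab Projects API
# field `container_registry_access_level` ("enabled" / "private" / "disabled"),
# where "private" matches the UI choice "Only Project Members".
from __future__ import annotations

import json
from urllib.parse import quote
from urllib.request import Request, urlopen

GITLAB_API = "https://gitlab.com/api/v4"


def project_api_url(path_with_namespace: str) -> str:
    """Projects API URL; the namespaced path is URL-encoded as a single segment."""
    return f"{GITLAB_API}/projects/{quote(path_with_namespace, safe='')}"


def registry_is_private(project: dict) -> bool:
    """True when anonymous clients cannot pull from the project's registry.

    "private" limits pulls to members; "disabled" removes the registry.
    A missing field counts as unverified so the project still appears in the audit.
    """
    return project.get("container_registry_access_level") in {"private", "disabled"}


def audit(projects: list[dict]) -> list[str]:
    """Paths of projects whose registry is still anonymously reachable or unverified."""
    return [p["path_with_namespace"] for p in projects if not registry_is_private(p)]


def fetch_project(path_with_namespace: str, token: str) -> dict:
    """Fetch one project record with a personal access token (live network call)."""
    req = Request(project_api_url(path_with_namespace), headers={"PRIVATE-TOKEN": token})
    with urlopen(req) as resp:
        return json.load(resp)


# Constructed sample API responses (not real data) so the audit runs offline.
SAMPLE_PROJECTS = [
    {"path_with_namespace": "gitlab-org/security-products/analyzers/example-a",
     "container_registry_access_level": "enabled"},  # still pullable by anyone
    {"path_with_namespace": "gitlab-org/security-products/analyzers/example-b",
     "container_registry_access_level": "private"},  # switched as planned
    {"path_with_namespace": "gitlab-org/security-products/analyzers/example-c"},  # field absent
]

if __name__ == "__main__":
    for path in audit(SAMPLE_PROJECTS):
        print(f"still exposed or unverified: {path}")
```

Against the live API, replace `SAMPLE_PROJECTS` with `fetch_project(path, token)` results for each project path in the list of affected registries.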