
api-importer write-only role for uploads

Open Gby56 opened this issue 2 years ago • 1 comments

Is your feature request related to a problem? Please describe
Currently, the api-importer role is too permissive really, as it allows reading sensitive information, even though it could be leaked in a CI/CD pipeline environment.

Describe the solution you'd like
We're lacking a permission for uploading scan reports or creating findings. It should be used in a new write-only api-importer role, so that the token cannot ever be used to leak information, but only add to the DefectDojo findings.

Describe alternatives you've considered
No other way of doing that; tried creating a user without any role, but the "Configuration Permissions" table with checkboxes doesn't have an option for "Add" findings or engagement, etc.

Gby56 avatar Jan 10 '23 17:01 Gby56
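Until such a write-only role exists, the practical defence is to verify what a pipeline token can actually read before trusting it in CI. The script below is an added example, not DefectDojo project code; it assumes DefectDojo's REST API v2 paths (/api/v2/findings/ and friends) and its "Authorization: Token <key>" header, and the probe is injectable so the check itself runs offline against constructed status codes.

```python
"""Audit a DefectDojo API token for read access an upload-only token should not have.

Added example, not part of DefectDojo. Assumes the v2 REST API paths below and
Token header authentication; both are assumptions, check them against your instance.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Read endpoints a CI/CD upload token has no business reaching (assumed v2 paths).
READ_ENDPOINTS: List[str] = [
    "/api/v2/findings/",
    "/api/v2/engagements/",
    "/api/v2/products/",
    "/api/v2/users/",
]

# Status codes that mean the server refused the read.
DENIED = {401, 403}


def http_probe(base_url: str, token: str) -> Callable[[str], int]:
    """Build a probe that GETs base_url + path with the token and returns the HTTP status."""
    def probe(path: str) -> int:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Authorization": f"Token {token}"},  # assumed DefectDojo auth scheme
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return probe


def audit_read_access(probe: Callable[[str], int],
                      endpoints: List[str] = READ_ENDPOINTS) -> Dict[str, int]:
    """Return {path: status} for each endpoint where the token was NOT denied.

    An empty result means the token behaves as write-only for these reads, which is
    what a pipeline token should look like. A 200 on /api/v2/findings/ means a leaked
    token exposes every finding the role can see. Import permission is not probed,
    because a real POST to /api/v2/import-scan/ would create data.
    """
    return {path: status for path in endpoints
            if (status := probe(path)) not in DENIED}


if __name__ == "__main__":
    import os, sys
    readable = audit_read_access(http_probe(os.environ["DD_URL"], os.environ["DD_TOKEN"]))
    for path, status in readable.items():
        print(f"READABLE {status} {path}")
    sys.exit(1 if readable else 0)
```

Run it with DD_URL and DD_TOKEN set to the pipeline token; a non-zero exit means that token can read data and should not be distributed to CI.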

@mtesauro maybe consider-for-3.0 ?

manuel-sommer avatar Jan 30 '24 02:01 manuel-sommer