
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/ci/secure_files/index.md')
-rw-r--r-- doc/ci/secure_files/index.md | 26
1 files changed, 24 insertions, 2 deletions
diff --git a/doc/ci/secure_files/index.md b/doc/ci/secure_files/index.md
index d2ce98ad048..ee074c2a99c 100644
--- a/doc/ci/secure_files/index.md
+++ b/doc/ci/secure_files/index.md
@@ -1,8 +1,7 @@
---
stage: Verify
group: Pipeline Security
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
-type: reference
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# Project-level Secure Files **(FREE ALL)**
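Review bot: dropping `type: reference` from the front matter is a second, unrelated change bundled into a hunk whose visible purpose is the handbook URL update; either confirm that the key is no longer consumed by the docs tooling or call the removal out on its own so it is not read as an accidental deletion. The URL change itself (`about.gitlab.com/handbook/...` to `handbook.gitlab.com/handbook/...`) keeps the same `#assignments` anchor and looks fine.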
@@ -61,3 +60,26 @@ WARNING:
The content of files loaded with the `download-secure-files` tool are not [masked](../variables/index.md#mask-a-cicd-variable)
in the job log output. Make sure to avoid outputting secure file contents in the job log,
especially when logging output that could contain sensitive information.
+
+## Security details
+
+Project-level Secure Files are encrypted on upload using the [Lockbox](https://github.com/ankane/lockbox)
+Ruby gem by using the [`Ci::SecureFileUploader`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/uploaders/ci/secure_file_uploader.rb)
+interface. This interface generates a SHA256 checksum of the source file during upload
+that is persisted with the record in the database so it can be used to verify the contents
+of the file when downloaded.
+
+A [unique encryption key](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/ci/secure_file.rb#L27)
+is generated for each file when it is created and persisted in the database. The encrypted uploaded files
+are stored in either local storage or object storage depending on the [GitLab instance configuration](../../administration/secure_files.md).
+
+Individual files can be retrieved with the [secure files download API](../../api/secure_files.md#download-secure-file).
+Metadata can be retrieved with the [list](../../api/secure_files.md#list-project-secure-files)
+or [show](../../api/secure_files.md#show-secure-file-details) API endpoints. Files can also be retrieved
+with the [`download-secure-files`](https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files)
+tool. This tool automatically verifies the checksum of each file as it is downloaded.
+
+Any project member with at least the Developer role can access Project-level secure files.
+Interactions with Project-level secure files are not included in Audit Events, but
+[issue 117](https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/readme/-/issues/117).
+proposes adding this functionality.
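Review bot: the closing sentence of the new section is split by a stray period after the issue link (`...issues/117).` followed by `proposes adding this functionality.`); move the period after `functionality` so it reads as one sentence. Two gaps are worth closing in the same paragraph set: the text says a unique encryption key per file is "persisted in the database" but not how that key is itself protected, which is the first question a reader assessing a database-compromise scenario will ask; and it says `download-secure-files` verifies the SHA256 checksum on download but not whether the download API endpoint does the same or leaves verification to the caller. The statement that secure-file interactions are not included in Audit Events belongs right next to the Developer-role access statement, as it is now, since together they describe the current detection gap.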