Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-gitlabcis for
openSUSE:Factory checked in at 2025-12-17 18:39:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-gitlabcis (Old)
and /work/SRC/openSUSE:Factory/.python-gitlabcis.new.1939 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-gitlabcis"
Wed Dec 17 18:39:10 2025 rev:5 rq:1323263 version:1.15.16
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-gitlabcis/python-gitlabcis.changes
2025-12-16 16:00:09.568708842 +0100
+++
/work/SRC/openSUSE:Factory/.python-gitlabcis.new.1939/python-gitlabcis.changes
2025-12-17 18:39:12.057659648 +0100
@@ -1,0 +2,7 @@
+Wed Dec 17 07:02:25 UTC 2025 - Johannes Kastl
<[email protected]>
+
+- update to 1.15.16:
+ * Fix
+ - fix(deps): update dependency bandit to v1.9.2 (9075bc1)
+
+-------------------------------------------------------------------
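Review bot: the .changes entry covers only the 1.15.16 bandit bump, but this request moves the package from 1.15.13 to 1.15.16, and the upstream CHANGELOG.md hunk further down also records 1.15.15 ("fix: Remove support for python3.9", which raises Requires-Python to >=3.10) and 1.15.14 (PyYAML 6.0.3, pytest 8.4.2). The dropped Python 3.9 support is the user-visible change here and should be listed in the entry, e.g. "- update to 1.15.16 (includes 1.15.14 and 1.15.15): ... * Remove support for python3.9".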
Old:
----
gitlabcis-1.15.13.tar.gz
New:
----
gitlabcis-1.15.16.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-gitlabcis.spec ++++++
--- /var/tmp/diff_new_pack.yTTgQO/_old 2025-12-17 18:39:14.057743740 +0100
+++ /var/tmp/diff_new_pack.yTTgQO/_new 2025-12-17 18:39:14.077744580 +0100
@@ -17,7 +17,7 @@
Name: python-gitlabcis
-Version: 1.15.13
+Version: 1.15.16
Release: 0
Summary: An automated tool that assesses the GitLab CIS benchmarks
against a project
License: MIT
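Review bot: with upstream now declaring `Requires-Python: >=3.10` (see the PKG-INFO and pyproject.toml hunks below), this spec hunk only bumps `Version:`; check that the spec also stops building a Python 3.9 flavour where one is still enabled (the openSUSE convention is `%define skip_python39 1`), otherwise the 3.9 build will install a package whose metadata declares it unsupported.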
@@ -37,7 +37,7 @@
# /SECTION
# SECTION runtime requirements
#
https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/pyproject.toml?ref_type=heads#L61
-BuildRequires: %{python_module PyYAML >= 6.0.2}
+BuildRequires: %{python_module PyYAML >= 6.0.3}
BuildRequires: %{python_module defusedxml >= 0.7.1}
BuildRequires: %{python_module gql >= 3.5.3}
BuildRequires: %{python_module python-dateutil >= 2.9.0.post0}
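Review bot: the comment above this block links to `pyproject.toml?ref_type=heads#L61` on `main`, but this release deletes two classifier lines from pyproject.toml (the `@@ -59,7 +57,7 @@` hunk below shows the dependencies block shifting up by two lines), so the `#L61` anchor no longer points at the `dependencies = [` line. Use a commit-pinned permalink (the upstream commit SHAs appear in the CHANGELOG.md hunk) rather than a branch-relative line anchor, so the reference stays meaningful across bumps.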
@@ -46,9 +46,9 @@
BuildRequires: %{python_module tqdm >= 4.67.1}
# /SECTION
# SECTION test requirements
-# BuildRequires: python_module pytest >= 8.3.4}
-# BuildRequires: python_module yamllint >= 1.35.1}
-# BuildRequires: python_module bandit >= 1.8.3}
+# BuildRequires: python_module pytest >= 8.4.2}
+# BuildRequires: python_module yamllint >= 1.37.1}
+# BuildRequires: python_module bandit >= 1.9.2}
# /SECTION
BuildRequires: fdupes
#
https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/pyproject.toml?ref_type=heads#L61
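Review bot: the three commented-out test requirements, e.g. `# BuildRequires: python_module pytest >= 8.4.2}`, are missing the opening `%{` of the `%{python_module ...}` macro, so they will not expand if they are ever uncommented; write them as `# BuildRequires: %{python_module pytest >= 8.4.2}`. Since they stay commented out, these version numbers are informational only and no test tooling is pulled into the build.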
++++++ gitlabcis-1.15.13.tar.gz -> gitlabcis-1.15.16.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/.gitlab/.gitlab-ci.yml
new/gitlabcis-1.15.16/.gitlab/.gitlab-ci.yml
--- old/gitlabcis-1.15.13/.gitlab/.gitlab-ci.yml 2025-09-04
06:55:01.000000000 +0200
+++ new/gitlabcis-1.15.16/.gitlab/.gitlab-ci.yml 2025-12-17
02:43:56.000000000 +0100
@@ -187,6 +187,15 @@
# Compatibility tests:
# -----------------------------------------------------------------------------
+python:3.14:
+ stage: compatibility
+ image: python:3.14
+ script:
+ - make install
+ - venv/bin/tox -e py314
+ rules:
+ - when: always
+
python:3.13:
stage: compatibility
image: python:3.13
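Review bot: the new `python:3.14` job uses a mutable image tag (`image: python:3.14`) with `when: always`, like the existing jobs it mirrors; for a security tool's CI, pin the image to a digest (`python:3.14@sha256:...`) or at least a full patch tag so that runs are reproducible and an upstream image change cannot silently alter what the compatibility job executes.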
@@ -223,15 +232,6 @@
rules:
- when: always
-python:3.9:
- stage: compatibility
- image: python:3.9
- script:
- - make install
- - venv/bin/tox -e py39
- rules:
- - when: always
-
# -----------------------------------------------------------------------------
# GitLab & Pypi release using python-semantic-release
# -----------------------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/CHANGELOG.md
new/gitlabcis-1.15.16/CHANGELOG.md
--- old/gitlabcis-1.15.13/CHANGELOG.md 2025-09-04 06:55:18.000000000 +0200
+++ new/gitlabcis-1.15.16/CHANGELOG.md 2025-12-17 02:44:15.000000000 +0100
@@ -1,5 +1,25 @@
# CHANGELOG
+## v1.15.16 (2025-12-17)
+
+### Fix
+
+* fix(deps): update dependency bandit to v1.9.2
([`9075bc1`](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/commit/9075bc19368ea0a7d89c0760917a91bbdcb3f3c7))
+
+## v1.15.15 (2025-12-14)
+
+### Fix
+
+* fix: Remove support for python3.9
([`2f51051`](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/commit/2f51051513502fab20def93833acab6d99fabe55))
+
+## v1.15.14 (2025-12-13)
+
+### Fix
+
+* fix(deps): update dependency pyyaml to v6.0.3
([`0ad6701`](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/commit/0ad67017fef8325b3c436d7a6f4b3fe20a3f3f48))
+
+* fix(deps): update dependency pytest to v8.4.2
([`eed2b1a`](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/commit/eed2b1a1f40b4c47be068cd6a28f460cc5c50340))
+
## v1.15.13 (2025-09-04)
### Fix
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/PKG-INFO
new/gitlabcis-1.15.16/PKG-INFO
--- old/gitlabcis-1.15.13/PKG-INFO 2025-09-04 06:55:27.642334700 +0200
+++ new/gitlabcis-1.15.16/PKG-INFO 2025-12-17 02:44:24.677272300 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: gitlabcis
-Version: 1.15.13
+Version: 1.15.16
Summary: An automated tool that assesses the GitLab CIS benchmarks against a
project.
Author-email: Nate Rosandich <[email protected]>, Neil McDonald
<[email protected]>, Mitra JozeNazemian
<[email protected]>
License: MIT License
@@ -41,8 +41,6 @@
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
@@ -51,10 +49,10 @@
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Benchmark
Classifier: Topic :: Security
-Requires-Python: >=3.9
+Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
-Requires-Dist: PyYAML==6.0.2
+Requires-Dist: PyYAML==6.0.3
Requires-Dist: python-gitlab==6.3.0
Requires-Dist: tabulate==0.9.0
Requires-Dist: tqdm==4.67.1
@@ -70,12 +68,12 @@
Provides-Extra: test
Requires-Dist: pipdeptree==2.28.0; extra == "test"
Requires-Dist: pre-commit~=4.3.0; extra == "test"
-Requires-Dist: pytest==8.4.1; extra == "test"
+Requires-Dist: pytest==8.4.2; extra == "test"
Requires-Dist: flake8~=7.3.0; extra == "test"
-Requires-Dist: bandit==1.8.6; extra == "test"
+Requires-Dist: bandit==1.9.2; extra == "test"
Requires-Dist: yamllint==1.37.1; extra == "test"
Requires-Dist: pytest-cov==6.2.1; extra == "test"
-Requires-Dist: coverage==7.10.6; extra == "test"
+Requires-Dist: coverage==7.13.0; extra == "test"
Requires-Dist: tox~=4.30.1; extra == "test"
Dynamic: license-file
@@ -115,7 +113,7 @@
### Disclaimers
| Disclaimer | Comment |
-| -----------| ------- |
+| ----------- | ------- |
| This tool assumes that one is using GitLab for
[everything](https://about.gitlab.com/blog/2016/03/08/gitlab-tutorial-its-all-connected/)
| <ul><li>For example, the first recommendation ([1.1.1 -
version_control](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/gitlabcis/recommendations/source_code_1/code_changes_1_1/version_control.yml#L4)):</li><ul><li>_"Ensure
any changes to code are tracked in a version control platform."_</ul><li>Using
GitLab automatically passes this control.</li></ul> |
| This tool cannot audit every recommendation | <ul><li>We have kept a record
of every recommendation that we cannot automate. Review our limitations doc
([docs/limitations.md](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/docs/limitations.md?ref_type=heads)),
which highlights automation gaps in which a condition cannot confidently be
automated.</li></ul> |
| This tool **does not execute any write operations** on your GitLab instance,
group or project. No write actions are performed. | <ul><li>This tool is
expressly designed to refrain from performing any write operations that
may:</li><ul><li>modify, alter, change, or otherwise impact the configuration,
data, or integrity of your GitLab project</li></ul> <li>ensuring that no
alterations or unauthorized adjustments are made to its state or
contents.</li></ul> |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/README.md
new/gitlabcis-1.15.16/README.md
--- old/gitlabcis-1.15.13/README.md 2025-09-04 06:55:01.000000000 +0200
+++ new/gitlabcis-1.15.16/README.md 2025-12-17 02:43:56.000000000 +0100
@@ -34,7 +34,7 @@
### Disclaimers
| Disclaimer | Comment |
-| -----------| ------- |
+| ----------- | ------- |
| This tool assumes that one is using GitLab for
[everything](https://about.gitlab.com/blog/2016/03/08/gitlab-tutorial-its-all-connected/)
| <ul><li>For example, the first recommendation ([1.1.1 -
version_control](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/gitlabcis/recommendations/source_code_1/code_changes_1_1/version_control.yml#L4)):</li><ul><li>_"Ensure
any changes to code are tracked in a version control platform."_</ul><li>Using
GitLab automatically passes this control.</li></ul> |
| This tool cannot audit every recommendation | <ul><li>We have kept a record
of every recommendation that we cannot automate. Review our limitations doc
([docs/limitations.md](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/docs/limitations.md?ref_type=heads)),
which highlights automation gaps in which a condition cannot confidently be
automated.</li></ul> |
| This tool **does not execute any write operations** on your GitLab instance,
group or project. No write actions are performed. | <ul><li>This tool is
expressly designed to refrain from performing any write operations that
may:</li><ul><li>modify, alter, change, or otherwise impact the configuration,
data, or integrity of your GitLab project</li></ul> <li>ensuring that no
alterations or unauthorized adjustments are made to its state or
contents.</li></ul> |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/docs/limitations.md
new/gitlabcis-1.15.16/docs/limitations.md
--- old/gitlabcis-1.15.13/docs/limitations.md 2025-09-04 06:55:01.000000000
+0200
+++ new/gitlabcis-1.15.16/docs/limitations.md 2025-12-17 02:43:56.000000000
+0100
@@ -14,21 +14,21 @@
## Benchmark Controls
-| id | name | Limitation |
-|--------|------|------------|
+| id | name | Limitation |
+| ---- | ------ | ------------ |
| 1.1.4 | code_approval_dismissals | For `Group` input types, we require a
change upstream on the `python-gitlab` dependency (ref: [MR approval settings
Group Level
#3165](https://github.com/python-gitlab/python-gitlab/issues/3165)). |
-| 1.1.5 | code_dismissal_restrictions | Trusted users cannot be automatically
checked. The control will `PASS` for projects that have protected branches, and
`FAIL` if none are set. For `Group` input types, we require a change upstream
on the `python-gitlab` dependency (ref: [Protected Branches Group Level
#3164](https://github.com/python-gitlab/python-gitlab/issues/3164)).|
-| 1.1.7 | code_changes_require_code_owners | The recommendation is only set
for the `default` branch. This function does not iterate over all protected
branches. Additionally, if a user removes the protected status of their default
branch, then creates a new protected branch. Only the protected branch is
checked, skipping the default. For `Group` input types, we require a change
upstream on the `python-gitlab` dependency (ref: [Protected Branches Group
Level #3164](https://github.com/python-gitlab/python-gitlab/issues/3164)). |
-| 1.1.11 | comments_resolved_before_merging | For `Group` input types, the
following [feature
request](https://gitlab.com/gitlab-org/gitlab/-/issues/534608) needs to be
created, then an upstream change created in `python-gitlab` in order for us to
assess this.|
+| 1.1.5 | code_dismissal_restrictions | Trusted users cannot be automatically
checked. The control will `PASS` for projects that have protected branches, and
`FAIL` if none are set. For `Group` input types, we require a change upstream
on the `python-gitlab` dependency (ref: [Protected Branches Group Level
#3164](https://github.com/python-gitlab/python-gitlab/issues/3164)). |
+| 1.1.7 | code_changes_require_code_owners | The recommendation is only set
for the `default` branch. This function does not iterate over all protected
branches. Additionally, if a user removes the protected status of their default
branch, then creates a new protected branch. Only the protected branch is
checked, skipping the default. For `Group` input types, we require a change
upstream on the `python-gitlab` dependency (ref: [Protected Branches Group
Level #3164](https://github.com/python-gitlab/python-gitlab/issues/3164)). |
+| 1.1.11 | comments_resolved_before_merging | For `Group` input types, the
following [feature
request](https://gitlab.com/gitlab-org/gitlab/-/issues/534608) needs to be
created, then an upstream change created in `python-gitlab` in order for us to
assess this. |
| 1.1.12 | commits_must_be_signed_before_merging | This control will return a
`SKIP` if the [push rules](https://docs.gitlab.com/api/group_push_rules/)
feature is not enabled. |
-| 1.1.14 | branch_protections_for_admins | Requires admin permissions to get
a `PASS`/`FAIL` - additionally, gitlab.com `FAIL`'s this, because we allow
group owners to manage default branch protections (by design). |
-| 1.1.15 | merging_restrictions | This requires to iterate over every
protected branch, which for large projects takes quite some time. We cannot
distinguish between trusted & untrusted users, as the recommendation states
these must be trusted users, this function does not `FAIL` based on this. For
`Group` input types, we require a change upstream on the `python-gitlab`
dependency (ref: [Protected Branches Group Level
#3164](https://github.com/python-gitlab/python-gitlab/issues/3164)). |
+| 1.1.14 | branch_protections_for_admins | Requires admin permissions to get a
`PASS`/`FAIL` - additionally, gitlab.com `FAIL`'s this, because we allow group
owners to manage default branch protections (by design). |
+| 1.1.15 | merging_restrictions | This requires to iterate over every
protected branch, which for large projects takes quite some time. We cannot
distinguish between trusted & untrusted users, as the recommendation states
these must be trusted users, this function does not `FAIL` based on this. For
`Group` input types, we require a change upstream on the `python-gitlab`
dependency (ref: [Protected Branches Group Level
#3164](https://github.com/python-gitlab/python-gitlab/issues/3164)). |
| 1.1.16 | ensure_force_push_is_denied | For `Group` input types, we require a
change upstream on the `python-gitlab` dependency (ref: [Protected Branches
Group Level
#3164](https://github.com/python-gitlab/python-gitlab/issues/3164)). |
| 1.1.17 | deny_branch_deletions | For `Group` input types, we require a
change upstream on the `python-gitlab` dependency (ref: [Protected Branches
Group Level
#3164](https://github.com/python-gitlab/python-gitlab/issues/3164)). |
| 1.1.19 | audit_branch_protections | Ensuring that any changes to branch
protections are audited requires reviewing logs generated on the instance.
Enabling/disabling audit_events isn't toggle-able and if the automation could
query the `protected_branch_updated` events, it still would not concretely
answer if the events were audited. |
| 1.2.1 | public_repos_have_security_file | The control will `SKIP` if the
repository is not public. If the `SECURITY.md` file does not exist in the root
directory of the default branch in the repository, it will `FAIL`. |
| 1.2.3 | limit_repo_deletions | If a project that contains 1,000+ members as
a result of nested-group permissions, this control will take a long time to
finish. As such, it will return `SKIP` until a solution is found. |
-| 1.2.4 | limit_issue_deletions | If a project that contains 1,000+ members as
a result of nested-group permissions, this control will take a long time to
finish. As such, it will return `SKIP` until a solution is found.|
+| 1.2.4 | limit_issue_deletions | If a project that contains 1,000+ members as
a result of nested-group permissions, this control will take a long time to
finish. As such, it will return `SKIP` until a solution is found. |
| 1.2.5 | trace_forks | We can't account and trace forks programatically. This
control will `SKIP` if forks are found, otherwise `PASS`. |
| 1.2.6 | track_project_visibility_status | `SKIP` by default as we cannot
ascertain the relevant information programatically. |
| 1.3.1 | review_and_remove_inactive_users | Running this benchmark as a
gitlab.com admin will take a considerable amount of time. |
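Review bot: this hunk re-flows rows for table whitespace only, which leaves wording errors in the same rows untouched: "programatically" in 1.2.5 and 1.2.6 (the same typo is corrected to "programmatically" in 3.2.4 later in this file), "This requires to iterate over" in 1.1.15 (should be "This requires iterating over"), "gitlab.com `FAIL`'s this" in 1.1.14, and the broken sentence in 1.1.7 ("...then creates a new protected branch. Only the protected branch is checked" reads as one sentence split in two). Worth fixing while the rows are being rewritten anyway.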
@@ -41,22 +41,22 @@
| 1.3.13 | track_code_anomalies | `SKIP` by default as it's not feasible to
ascertain |
| 1.4.1 | admin_approval_for_app_installs | This control will _not_ review
scopes on authorized applications, as this requires manual verification |
| 1.4.2 | stale_app_reviews | This control will look at the previous `20`
pipeline jobs, and check for `dependency_scanning` in the name. This occurs
when Dependency Scanning is enabled for a project, if found it will `PASS` else
returns a `FAIL` |
-| 1.4.3 | least_privilege_app_permissions | <ul><li>For `Instance` types, a
`SKIP` will be presented.</li><li>For `Project` types, If a project has
`integrations` then this check will `SKIP` to require manual verification,
otherwise if none were found return a `PASS`</li></ul>|
+| 1.4.3 | least_privilege_app_permissions | <ul><li>For `Instance` types, a
`SKIP` will be presented.</li><li>For `Project` types, If a project has
`integrations` then this check will `SKIP` to require manual verification,
otherwise if none were found return a `PASS`</li></ul> |
| 1.5.1 | enable_secret_detection | `SKIP` by default for `Instance` types. |
| 1.5.2 | secure_pipeline_instructions | `SKIP` by default as we cannot
automate this |
| 1.5.3 | secure_iac_instructions | `PASS` if SAST is enabled but does not
specifically look for IaC SAST. |
| 1.5.7 | dast_web_scanning | `PASS` if DAST is enabled, but we cannot
differentiate between API & WEB scanning. |
| 1.5.8 | dast_api_scanning | `PASS` if DAST is enabled, but we cannot
differentiate between API & WEB scanning. |
-| 2.1.1 | single_responsibility_pipeline | `FAIL` if there are multiple jobs
under the "build" stages, also assumes that the build "phase" is under a stage
with "build" in its name.|
+| 2.1.1 | single_responsibility_pipeline | `FAIL` if there are multiple jobs
under the "build" stages, also assumes that the build "phase" is under a stage
with "build" in its name. |
| 2.1.2 | immutable_pipeline_infrastructure | `SKIP` by default as we cannot
automate this |
| 2.1.3 | build_logging | `SKIP` by default as we cannot automate this |
-| 2.1.4 | build_automation | `PASS` only if CI config file be available |
+| 2.1.4 | build_automation | `PASS` only if CI config file be available |
| 2.1.5 | limit_build_access | `PASS` if the number of members with reporter
role or higher is below 40% or fewer than three. |
-| 2.1.6 | authenticate_build_access | `PASS` if the number of members with
reporter role or higher is below 40% or fewer than three.|
+| 2.1.6 | authenticate_build_access | `PASS` if the number of members with
reporter role or higher is below 40% or fewer than three. |
| 2.1.7 | limit_build_secrets_scope | `SKIP` by default as we cannot automate
this |
| 2.1.8 | vuln_scanning | `SKIP` by default as we cannot automate this |
| 2.1.9 | disable_build_tools_default_passwords | `SKIP` by default as we
cannot automate this |
-| 2.1.11| build_env_admins | `PASS` if the number of members with maintainer
role or higher is below 20% or fewer than three. |
+| 2.1.11 | build_env_admins | `PASS` if the number of members with maintainer
role or higher is below 20% or fewer than three. |
| 2.2.1 | single_use_workers | `SKIP` by default as we cannot automate this |
| 2.2.2 | pass_worker_envs_and_commands | `SKIP` by default as we cannot
automate this |
| 2.2.4 | restrict_worker_connectivity | `SKIP` by default as we cannot
automate this |
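Review bot: the 2.1.4 row is re-spaced but keeps "`PASS` only if CI config file be available" (should read "only if a CI config file is available"). Separately, the 1.4.2 `stale_app_reviews` row describes a check for `dependency_scanning` in the last 20 pipeline jobs, which does not match the control's name; the maintainers should confirm that the description was not copied from another control.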
@@ -65,11 +65,11 @@
| 2.2.8 | monitor_worker_resource_consumption | `SKIP` by default as we cannot
automate this |
| 2.3.3 | secure_pipeline_output | `SKIP` by default as we cannot automate
this |
| 2.3.5 | limit_pipeline_triggers | `FAIL` if there is no protected branch
otherwise `SKIP` as we cannot automate this. For `Group` input types, we
require a change upstream on the `python-gitlab` dependency (ref: [Protected
Environments Group Level
#3168](https://github.com/python-gitlab/python-gitlab/issues/3168)). |
-| 2.3.6 | pipeline_misconfiguration_scanning | `PASS` if SAST and DAST both
are enabled|
-| 2.3.7 | pipeline_vuln_scanning | `PASS` if SAST and DAST both are enabled|
+| 2.3.6 | pipeline_misconfiguration_scanning | `PASS` if SAST and DAST both
are enabled |
+| 2.3.7 | pipeline_vuln_scanning | `PASS` if SAST and DAST both are enabled |
| 2.4.1 | sign_artifacts | `SKIP` by default as we cannot automate this |
| 2.4.2 | lock_dependencies | `SKIP` by default as we cannot automate this |
-| 2.4.5 | pipeline_produces_sbom | `PASS` if dependency-scanning is enabled
however file name needs to be reviewed manually|
+| 2.4.5 | pipeline_produces_sbom | `PASS` if dependency-scanning is enabled
however file name needs to be reviewed manually |
| 2.4.6 | pipeline_sign_sbom | `SKIP` by default as we cannot automate this |
| 3.1.1 | verify_artifacts | `SKIP` by default as we cannot automate this |
| 3.1.2 | third_party_sbom_required | `SKIP` by default as we cannot automate
this |
@@ -78,21 +78,21 @@
| 3.1.6 | dependency_sbom | `SKIP` by default as we cannot automate this |
| 3.1.7 | pin_dependency_version | `SKIP` by default as we cannot automate
this |
| 3.1.8 | packages_over_60_days_old | `SKIP` by default as we cannot automate
this |
-| 3.2.4 | package_ownership_change | `SKIP` by default as we cannot ascertain
the relevant information programatically. |
+| 3.2.4 | package_ownership_change | `SKIP` by default as we cannot ascertain
the relevant information programmatically. |
| 4.1.1 | sign_artifacts_in_build_pipeline | `PASS` if every file in
artifacts.zip has a corresponding .sig file, indicating that the artifacts are
signed |
| 4.1.2 | encrypt_artifacts_before_distribution | `SKIP` by default as we
cannot automate this |
| 4.1.3 | only_authorized_platforms_can_decrypt_artifacts | `SKIP` by default
as we cannot automate this |
| 4.2.1 | limit_certifying_artifacts | `SKIP` by default as we cannot automate
this |
-| 4.2.2 | limit_artifact_uploaders | `PASS` if the number of members with
maintainer role or higher is below 20% or fewer than three.|
+| 4.2.2 | limit_artifact_uploaders | `PASS` if the number of members with
maintainer role or higher is below 20% or fewer than three. |
| 4.2.4 | external_auth_server | `SKIP` by default as we cannot automate this |
| 4.2.6 | minimum_package_registry_admins | `PASS` if the number of members
with reporter role or higher is below 40% or fewer than three. |
| 4.3.3 | audit_package_registry_config | `SKIP` by default as we cannot
automate this |
| 4.4.1 | artifact_origin_info | `SKIP` by default as we cannot automate this |
| 5.1.1 | separate_deployment_config | `PASS` if ci config yml file is
available and not in the root directory of this project |
-| 5.1.2 | audit_deployment_config | `PASS` if ci config yml file is available
and changes need at least one approval and licence allow audit |
-| 5.1.3 | secret_scan_deployment_config | `PASS` if secret_detection is
enabled|
+| 5.1.2 | audit_deployment_config | `PASS` if ci config yml file is available
and changes need at least one approval and license allow audit |
+| 5.1.3 | secret_scan_deployment_config | `PASS` if secret_detection is
enabled |
| 5.1.4 | limit_deployment_config_access | `SKIP` by default as we cannot
automate this |
-| 5.1.5 | scan_iac| `PASS` if SAST_IAC is enabled|
+| 5.1.5 | scan_iac | `PASS` if SAST_IAC is enabled |
| 5.1.6 | verify_deployment_config | `SKIP` by default as we cannot automate
this |
| 5.1.7 | pin_deployment_config_manifests | `SKIP` by default as we cannot
automate this |
| 5.2.1 | automate_deployment | `FAIL` if ci config file is not available
otherwise `SKIP` for manual review |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/docs/readme.md
new/gitlabcis-1.15.16/docs/readme.md
--- old/gitlabcis-1.15.13/docs/readme.md 2025-09-04 06:55:01.000000000
+0200
+++ new/gitlabcis-1.15.16/docs/readme.md 2025-12-17 02:43:56.000000000
+0100
@@ -492,8 +492,8 @@
## gitlabcis Authors
-| Author | Affiliation |
-| ------------- | -------------- |
+| Author | Affiliation |
+| ------ | ----------- |
| Nate Rosandich | GitLab |
| Neil McDonald | GitLab |
| Mitra JozeNazemian | GitLab |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/gitlabcis/__init__.py
new/gitlabcis-1.15.16/gitlabcis/__init__.py
--- old/gitlabcis-1.15.13/gitlabcis/__init__.py 2025-09-04 06:55:18.000000000
+0200
+++ new/gitlabcis-1.15.16/gitlabcis/__init__.py 2025-12-17 02:44:15.000000000
+0100
@@ -9,4 +9,4 @@
# -------------------------------------------------------------------------
__author__ = '[email protected]'
-__version__ = '1.15.13' # noqa: E999
+__version__ = '1.15.16' # noqa: E999
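Review bot: `# noqa: E999` on the `__version__` assignment suppresses the flake8 syntax-error code, which cannot be raised for a valid string assignment, so the directive is dead; drop it, or if a linter actually complains about this line, suppress the specific code it reports.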
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/gitlabcis.egg-info/PKG-INFO
new/gitlabcis-1.15.16/gitlabcis.egg-info/PKG-INFO
--- old/gitlabcis-1.15.13/gitlabcis.egg-info/PKG-INFO 2025-09-04
06:55:27.000000000 +0200
+++ new/gitlabcis-1.15.16/gitlabcis.egg-info/PKG-INFO 2025-12-17
02:44:24.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: gitlabcis
-Version: 1.15.13
+Version: 1.15.16
Summary: An automated tool that assesses the GitLab CIS benchmarks against a
project.
Author-email: Nate Rosandich <[email protected]>, Neil McDonald
<[email protected]>, Mitra JozeNazemian
<[email protected]>
License: MIT License
@@ -41,8 +41,6 @@
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
@@ -51,10 +49,10 @@
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Benchmark
Classifier: Topic :: Security
-Requires-Python: >=3.9
+Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
-Requires-Dist: PyYAML==6.0.2
+Requires-Dist: PyYAML==6.0.3
Requires-Dist: python-gitlab==6.3.0
Requires-Dist: tabulate==0.9.0
Requires-Dist: tqdm==4.67.1
@@ -70,12 +68,12 @@
Provides-Extra: test
Requires-Dist: pipdeptree==2.28.0; extra == "test"
Requires-Dist: pre-commit~=4.3.0; extra == "test"
-Requires-Dist: pytest==8.4.1; extra == "test"
+Requires-Dist: pytest==8.4.2; extra == "test"
Requires-Dist: flake8~=7.3.0; extra == "test"
-Requires-Dist: bandit==1.8.6; extra == "test"
+Requires-Dist: bandit==1.9.2; extra == "test"
Requires-Dist: yamllint==1.37.1; extra == "test"
Requires-Dist: pytest-cov==6.2.1; extra == "test"
-Requires-Dist: coverage==7.10.6; extra == "test"
+Requires-Dist: coverage==7.13.0; extra == "test"
Requires-Dist: tox~=4.30.1; extra == "test"
Dynamic: license-file
@@ -115,7 +113,7 @@
### Disclaimers
| Disclaimer | Comment |
-| -----------| ------- |
+| ----------- | ------- |
| This tool assumes that one is using GitLab for
[everything](https://about.gitlab.com/blog/2016/03/08/gitlab-tutorial-its-all-connected/)
| <ul><li>For example, the first recommendation ([1.1.1 -
version_control](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/gitlabcis/recommendations/source_code_1/code_changes_1_1/version_control.yml#L4)):</li><ul><li>_"Ensure
any changes to code are tracked in a version control platform."_</ul><li>Using
GitLab automatically passes this control.</li></ul> |
| This tool cannot audit every recommendation | <ul><li>We have kept a record
of every recommendation that we cannot automate. Review our limitations doc
([docs/limitations.md](https://gitlab.com/gitlab-security-oss/cis/gitlabcis/-/blob/main/docs/limitations.md?ref_type=heads)),
which highlights automation gaps in which a condition cannot confidently be
automated.</li></ul> |
| This tool **does not execute any write operations** on your GitLab instance,
group or project. No write actions are performed. | <ul><li>This tool is
expressly designed to refrain from performing any write operations that
may:</li><ul><li>modify, alter, change, or otherwise impact the configuration,
data, or integrity of your GitLab project</li></ul> <li>ensuring that no
alterations or unauthorized adjustments are made to its state or
contents.</li></ul> |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/gitlabcis.egg-info/requires.txt
new/gitlabcis-1.15.16/gitlabcis.egg-info/requires.txt
--- old/gitlabcis-1.15.13/gitlabcis.egg-info/requires.txt 2025-09-04
06:55:27.000000000 +0200
+++ new/gitlabcis-1.15.16/gitlabcis.egg-info/requires.txt 2025-12-17
02:44:24.000000000 +0100
@@ -1,4 +1,4 @@
-PyYAML==6.0.2
+PyYAML==6.0.3
python-gitlab==6.3.0
tabulate==0.9.0
tqdm==4.67.1
@@ -16,10 +16,10 @@
[test]
pipdeptree==2.28.0
pre-commit~=4.3.0
-pytest==8.4.1
+pytest==8.4.2
flake8~=7.3.0
-bandit==1.8.6
+bandit==1.9.2
yamllint==1.37.1
pytest-cov==6.2.1
-coverage==7.10.6
+coverage==7.13.0
tox~=4.30.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gitlabcis-1.15.13/pyproject.toml
new/gitlabcis-1.15.16/pyproject.toml
--- old/gitlabcis-1.15.13/pyproject.toml 2025-09-04 06:55:18.000000000
+0200
+++ new/gitlabcis-1.15.16/pyproject.toml 2025-12-17 02:44:15.000000000
+0100
@@ -12,8 +12,8 @@
[project]
name = "gitlabcis"
-version = "1.15.13"
-requires-python = ">=3.9"
+version = "1.15.16"
+requires-python = ">=3.10"
description = "An automated tool that assesses the GitLab CIS benchmarks
against a project."
authors = [
{name = "Nate Rosandich", email = "[email protected]"},
@@ -47,8 +47,6 @@
"Operating System :: OS Independent",
"Programming Language :: Python",
"Programming Language :: Python :: 3",
- "Programming Language :: Python :: 3.8",
- "Programming Language :: Python :: 3.9",
"Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: 3.12",
@@ -59,7 +57,7 @@
"Topic :: Security"
]
dependencies = [
- "PyYAML == 6.0.2",
+ "PyYAML ==6.0.3",
"python-gitlab ==6.3.0",
"tabulate == 0.9.0",
"tqdm == 4.67.1",
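Review bot: the bumped entry is written `"PyYAML ==6.0.3"` while its neighbours keep the `"tabulate == 0.9.0"` spacing (the same drift appears in the test extras hunk below with `"pytest ==8.4.2"` and `"bandit ==1.9.2"`); PEP 508 parsers accept both, but the inconsistency suggests the automated dependency bumps (the `fix(deps)` commits in CHANGELOG.md) use a different template than the hand-written lines. Settle on one style so future diffs show only the version change.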
@@ -79,12 +77,12 @@
test = [
"pipdeptree ==2.28.0",
"pre-commit ~=4.3.0",
- "pytest == 8.4.1",
+ "pytest ==8.4.2",
"flake8 ~=7.3.0",
- "bandit ==1.8.6",
+ "bandit ==1.9.2",
"yamllint == 1.37.1",
"pytest-cov == 6.2.1",
- "coverage ==7.10.6",
+ "coverage ==7.13.0",
"tox ~=4.30.1"
]
@@ -177,7 +175,7 @@
[tool.tox]
legacy_tox_ini = """
[tox]
- env_list =
py{39,310,311,312,313},flake8,cover,bandit,baseline,yamllint,benchmarks
+ env_list =
py{310,311,312,313,314},flake8,cover,bandit,baseline,yamllint,benchmarks
skip_missing_interpreters = true
[testenv]
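Review bot: `env_list` gains `py314` while `skip_missing_interpreters = true` stays in place, so a local `tox` run on a machine without Python 3.14 reports success without exercising that environment; the new `python:3.14` CI job in `.gitlab-ci.yml` is what actually provides that coverage. Also check that the classifier list receives a `Programming Language :: Python :: 3.14` entry to match; the classifier hunk's context ends at 3.12, so this is not visible in the diff.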