Gitlab API (get source code by API -> block it)

I need to retrieve a repository's commits via the GitLab API. It's read-only.
For the moment, the read_api scope is enough.

Is it possible to get the source code of the repository via the GitLab API? If yes, is there a means to block it?

You can access different source code revisions by fetching the Git commit history already. I’m not sure I understand the question on how to block access, can you elaborate in more detail on your use case, please?

1 Like

I develop a tool which uses the commit tree to calculate some metrics. For that, I use the GitLab API to retrieve the commits.

But sometimes the security department of a company can say: "It's not possible to use this tool because it can copy the source code of the project."

In this case, I think there are 2 possibilities:

  • The company self-hosts the tool. That way third parties cannot copy anything.
  • Find a means of not having the rights to access the source code (that's my question).

Using the commit tree is like working "raw" on the Git repository, its history, and its content. In this case, I don't think that there is a way to apply different permissions to disallow source code access.

A possible abstraction layer would be adding the metrics natively to GitLab itself and limiting the API endpoint access (but I'm not sure; I recommend opening an issue with a proposal to discuss with the engineers).

The preference of security and compliance teams can also be running the tool in-house and verifying that it does not send data out of their network. This is similar to the requirement to run a self-managed GitLab instance, isolated in a local DMZ, with no internet access (or with a proxy and firewall).

2 Likes
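As an added example that is not part of the thread: a minimal version of the metrics tool described above, which requests only commit metadata from the GitLab commits endpoint with a read_api token. The instance URL, project id and token are placeholders, and the offline transport serves constructed sample pages so the metrics can be checked without a live instance.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

API = "https://gitlab.example.com/api/v4"  # assumed instance URL; adjust to yours


def fetch_page(url, token):
    """Default transport: GET one page; returns (decoded JSON, next page number or '')."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("X-Next-Page", "")


def iter_commits(project_id, token, fetch=fetch_page, per_page=100):
    """Walk GET /projects/:id/repository/commits, following X-Next-Page until empty.
    Only commit metadata is requested here, but the same read_api token could also
    read file contents, which is exactly the access the security teams object to."""
    pid = urllib.parse.quote(str(project_id), safe="")
    page = "1"
    while page:
        query = urllib.parse.urlencode({"per_page": per_page, "page": page})
        commits, page = fetch(f"{API}/projects/{pid}/repository/commits?{query}", token)
        yield from commits


def commit_metrics(commits):
    """Metrics computable from the commit tree alone (no source code needed)."""
    commits = list(commits)
    by_author = Counter(c["author_email"] for c in commits)
    merges = sum(1 for c in commits if len(c.get("parent_ids", [])) > 1)
    return {"commits": len(commits), "merge_commits": merges, "by_author": dict(by_author)}


# Constructed sample: two API pages in the shape the commits endpoint returns.
SAMPLE_PAGES = {
    "1": [{"id": "a1", "author_email": "ann@example.com", "parent_ids": []},
          {"id": "b2", "author_email": "bob@example.com", "parent_ids": ["a1"]}],
    "2": [{"id": "c3", "author_email": "ann@example.com", "parent_ids": ["a1", "b2"]}],
}


def fake_fetch(url, token):
    """Offline transport serving SAMPLE_PAGES and emulating the X-Next-Page header."""
    page = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["page"][0]
    next_page = str(int(page) + 1)
    return SAMPLE_PAGES[page], next_page if next_page in SAMPLE_PAGES else ""


def demo():
    """Run the metrics over the constructed pages with a placeholder token."""
    return commit_metrics(iter_commits(42, "glpat-PLACEHOLDER", fetch=fake_fetch))


if __name__ == "__main__":
    print(demo())
```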