Allow for disabling server TLS certificate verification when making API calls #312
Labels
enhancement
New feature or request
medium priority
This should be addressed soon
needs triage
Used to indicate that an issue hasn't been reviewed
Overview
Is your feature request related to a problem? Please describe.
This feature request came out of the Phylum Discord. The suggestion was due to a self-hosted GitLab instance that was refusing internal API requests from the runners where the phylum-ci GitLab CI integration was running:
The assumption is that the self-hosted GitLab instance is using self-signed certificates and the runner where the phylum-ci image is executed is not able to verify those certificates. Bypassing the verification in this situation would allow for notes to continue to be read and written to the merge request.
Describe the solution you'd like
Provide an ability to bypass server TLS certificate verification in the CI integrations. This should be specifically for connections to internal, self-hosted CI instances (e.g., GitLab EE) and not for all connections (e.g., to Phylum).
Describe alternatives you've considered
None at this time.
Additional context
This may be better implemented with a custom environment variable and not with a new CLI flag. That way, it won't show up in the help output and its use will have to be more intentional since bypassing security checks is not something to be done without understanding the consequences. If so, advertise the existence of this feature in documentation.
Acceptance criteria
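One way to scope the bypass requested in this issue, shown as an added example and not phylum-ci's own code: verification is turned off only when an explicit opt-in variable is set and the request targets the CI server host, while every other destination keeps full verification. The variable name `EXAMPLE_CI_SKIP_TLS_VERIFY`, the function names and the sample URLs are assumptions made for this sketch; `CI_SERVER_HOST` is GitLab's predefined CI variable.

```python
import ssl
from urllib.parse import urlsplit

# Hypothetical variable name, chosen for this example only.
BYPASS_VAR = "EXAMPLE_CI_SKIP_TLS_VERIFY"
# Only an explicit opt-in value enables the bypass; anything else keeps verification on.
OPT_IN_VALUES = {"1", "true", "yes"}


def bypass_requested(env):
    """Return True only when the operator explicitly opted in."""
    return env.get(BYPASS_VAR, "").strip().lower() in OPT_IN_VALUES


def is_ci_server(url, env):
    """True when `url` is an HTTPS URL whose host is exactly the CI server host."""
    ci_host = env.get("CI_SERVER_HOST", "").strip().lower()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact match only: suffix or substring matches would widen the bypass.
    return bool(ci_host) and parts.scheme == "https" and host == ci_host


def ssl_context_for(url, env):
    """Build the TLS context for one outgoing request.

    Verification is disabled only when the opt-in variable is set AND the
    request goes to the CI server itself. Every other destination gets the
    default, fully verifying context.
    """
    ctx = ssl.create_default_context()
    if bypass_requested(env) and is_ci_server(url, env):
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    import os

    # Constructed sample URLs; neither is a real endpoint.
    for target in ("https://gitlab.internal.example/api/v4/projects/1",
                   "https://api.other.example/v0/health"):
        ctx = ssl_context_for(target, os.environ)
        state = "verified" if ctx.verify_mode == ssl.CERT_REQUIRED else "NOT verified"
        print(f"{target}: {state}")
```

Deciding per request rather than flipping a process-wide switch is what keeps the bypass limited to the self-hosted instance.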