Updated on 2025-07-30 GMT+08:00

Configuring CodeArts Security

CodeArts offers various security features, including operational, code, and continuous delivery security. You can configure them as needed while using CodeArts.

Operational Security

CodeArts provides refined permission control, audit, and tracing to help you keep your data assets secure.

Table 1 Operational security

| Security Configuration | Description | Suggestion | Reference |
|---|---|---|---|
| Refined permission control | CodeArts has a three-layer permission model for managing tenant-, project-, and instance-level permissions. | Assign permissions to members by adhering to the principle of least privilege. | CodeArts Authentication |
| Audit logs | CodeArts services connect to Cloud Trace Service (CTS) to collect, store, and query operation records. | Enable CTS for security analysis, compliance audit, resource tracing, and troubleshooting. | - |
| IP address whitelist | CodeArts Repo and CodeArts Artifact allow only whitelisted IP addresses to access data assets such as code and artifacts. | Whitelist trusted IP addresses to prevent unauthorized users and attackers from accessing the system, reducing brute force cracking and DDoS attacks. | - |
| Watermark | CodeArts Repo allows you to add a visitor watermark to the source code page, enhancing code security and source tracing. | Enable watermarking to protect the intellectual property rights of your code repos. | Adding Watermarks to a Repository |

Code Security

CodeArts Repo provides access tokens, deploy keys, and protected branches to safeguard your code assets.

Table 2 Code security

| Security Configuration | Description | Suggestion | Reference |
|---|---|---|---|
| Access tokens | CodeArts Repo allows each user to generate access tokens. Tokens are displayed only when generated. You can set the validity period (max. 1 year) of a token. By default, a token is valid for 1 month. | When granting repo access to a third party, create an access token with a specific validity period. Access tokens prevent account and password disclosure. | Configuring an Access Token |
| Deploy keys | CodeArts Repo allows you to add deploy keys for each code repo. Users only have read permissions when accessing a repo using a deploy key. | In code repo reading scenarios, such as builds, use a deploy key to clone a repo to improve code repo security. | Configuring a Deploy Key for a Repository |
| Protected branches | You can set branch protection rules in a code repo to prevent branches from being modified or accidentally deleted. | Set a protection rule for the master branch so that code can only be merged into it via merge requests. Only authorized roles can push code to protected branches. | Configuring Protected Branch Rules |
| Visibility | CodeArts Repo allows you to set the following visibility options for code repos: Private (a repo can only be read, written, and accessed by its members); Public (read-only for project members; read-only for tenant members; read-only for all visitors). | Set the visibility when creating a repo or adjust the visibility for an existing repo to scale to your needs. The administrator can determine whether to allow members to create "Public" code repos. | - |
| Commit rules | CodeArts Repo controls code commits using specific rules. You can use the preconfigured commit rules or create new ones. | Set commit rules for each repo to prevent your code from being modified without permission. | Configuring Commit Rules |

Continuous Delivery Security

You can keep continuous delivery secure by setting private parameters and configuring host security groups.

Table 3 Continuous delivery security

| Security Configuration | Description | Suggestion | Reference |
|---|---|---|---|
| Private parameters | CodeArts Build, CodeArts Deploy, CodeArts Pipeline, and CodeArts TestPlan provide private parameter settings. Private parameters are encrypted before storage. They are decrypted before use and are invisible in run logs. | Set parameters that contain sensitive information to private parameters to prevent information leakage. | - |
| Host security groups | When deploying an application with the official agent pool, you can use a specified IP address to connect CodeArts Deploy to your hosts to run deployment scripts. | To connect CodeArts Deploy to your hosts, configure a security group. Configure a security group that allows target and proxy hosts to communicate with CodeArts Deploy's official agent pool only through its public IP address. | Configuring a Security Group |
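
The host security group suggestion in Table 3 can be verified against an exported rule set. The following Python code is an added example, not CodeArts code: it flags inbound rules on the deployment port whose source is wider than the agent pool's public IP, and reports whether the agent pool is admitted at all. The rule format, the agent IP (a documentation-range placeholder), and port 22 are assumptions.

```python
import ipaddress

# Constructed sample values (not from the page): the agent pool's public IP
# is a documentation-range placeholder; port 22 (SSH) is an assumption.
AGENT_POOL_IP = ipaddress.ip_network("203.0.113.10/32")
DEPLOY_PORT = 22

# Constructed inbound rules in a hypothetical, provider-neutral shape.
SAMPLE_RULES = [
    {"id": "sg-rule-1", "protocol": "tcp", "ports": (22, 22), "source": "203.0.113.10/32"},
    {"id": "sg-rule-2", "protocol": "tcp", "ports": (22, 22), "source": "0.0.0.0/0"},
    {"id": "sg-rule-3", "protocol": "tcp", "ports": (1, 65535), "source": "203.0.113.0/24"},
    {"id": "sg-rule-4", "protocol": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
    {"id": "sg-rule-5", "protocol": "udp", "ports": (22, 22), "source": "0.0.0.0/0"},
]


def covers_deploy_port(rule, port=DEPLOY_PORT):
    """True if the rule admits TCP traffic to the deployment port."""
    low, high = rule["ports"]
    return rule["protocol"] in ("tcp", "all") and low <= port <= high


def audit_ingress(rules, agent=AGENT_POOL_IP, port=DEPLOY_PORT):
    """Return (agent_allowed, too_broad_rule_ids) for the deployment port."""
    agent_allowed = False
    too_broad = []
    for rule in rules:
        if not covers_deploy_port(rule, port):
            continue  # Rule does not expose the deployment port.
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.version != agent.version:
            too_broad.append(rule["id"])  # e.g. an IPv6 source beside an IPv4 agent
            continue
        if agent.subnet_of(source):
            agent_allowed = True
        if source != agent:
            # Any source other than the exact agent address widens exposure.
            too_broad.append(rule["id"])
    return agent_allowed, too_broad


if __name__ == "__main__":
    allowed, findings = audit_ingress(SAMPLE_RULES)
    print("agent pool can reach hosts:", allowed)
    print("rules wider than the agent pool IP:", findings)
```

A result of `(False, [])` means the deployment port is closed to the agent pool and deployments will fail; a non-empty second element lists the rules to narrow to the agent pool's address.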