Is your feature request related to a problem? Please describe.
We are keeping some of our suppression files in our company internal on-premise version control system, and so far have been using simple URLs for referencing and downloading them during the analysis. This is possible as long as the repository allows public access.
For security reasons we would like to disable all public access even to our internal repositories, though. At the moment it is possible to achieve a retrieval of a suppression file even in that case using username and password, but managing a complete user with credentials is cumbersome just for retrieval of a suppression file.
Our version control system offers the creation of access tokens for repositories, which can then be used in an authorization header to access repository content. This allows creating individual tokens per integration, which is also the recommended way.
Describe the solution you'd like
It would be nice if the utils for downloading suppression files (and the configuration they use) could support either an 'Authorization: Bearer' header or completely freely configurable extra-headers.
I may be able to implement this and create a pull-request if we can align on the functional solution.
Describe alternatives you've considered
- using basic auth with username and password: possible already, but cumbersome in our case
- encoding credentials into the URL somehow: unexpected and somewhat "hacky"
Additional context
(none)
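The requested behaviour, sketched as an added example (not code from the project or from the issue author): a suppression-file download that authenticates with an `Authorization: Bearer` header, rejects credentials embedded in the URL, and does not forward the token when a redirect leaves the original host. The function and class names and the host names used in testing are assumptions made for illustration.

```python
import urllib.request
from urllib.parse import urlsplit


def build_request(url, bearer_token=None, extra_headers=None):
    """Build a GET request for a suppression file; credentials go in headers only."""
    parts = urlsplit(url)
    if parts.username or parts.password:
        # The "credentials in the URL" alternative: URLs end up in logs and reports.
        raise ValueError("credentials must not be embedded in the URL")
    headers = dict(extra_headers or {})  # freely configurable extra headers
    if bearer_token:
        if parts.scheme != "https":
            raise ValueError("refusing to send a token over " + parts.scheme)
        if "\r" in bearer_token or "\n" in bearer_token:
            raise ValueError("token contains line breaks")
        headers["Authorization"] = "Bearer " + bearer_token
    return urllib.request.Request(url, headers=headers, method="GET")


class SameOriginAuthRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies request headers onto redirects; drop the token if the
    redirect changes scheme or host (for example to a CDN or a mirror)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new is not None and urlsplit(newurl)[:2] != urlsplit(req.full_url)[:2]:
            new.headers.pop("Authorization", None)
        return new


def fetch_suppression_file(url, bearer_token, timeout=30):
    """Download the file; the token would come from a secret store or env var."""
    opener = urllib.request.build_opener(SameOriginAuthRedirect)
    with opener.open(build_request(url, bearer_token), timeout=timeout) as resp:
        return resp.read()
```

A per-integration token used this way can be revoked on its own without touching a user account, which is the advantage over basic auth described in the request.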