
Air-gapped vulnerability analysis and license management for on-prem instances

[Moved to &1359 (closed)]

Description

GitLab integrates a lot of security scans that aim to find vulnerabilities in your software. These scans are performed during the CI/CD pipeline, and they require the runner to be able to reach the internet for a few reasons:

  1. access to external Docker images, available on Docker Hub
  2. access to external Docker images, available on GitLab.com Container Registry
  3. access to Gemnasium services, hosted by GitLab
  4. keep vulnerability databases up to date

This works very well on GitLab.com, but not on on-prem installations that don't have access to the internet, or where the access is really limited to a specific set of hosts. In this case the security checks cannot be done.

This also applies to the GitLab license management feature.

See also https://gitlab.com/gitlab-org/gitlab-ee/issues/6603.

Proposal

Allow mirroring or downloading of all the needed information for offline use. Data will be replicated and kept in sync on a separate server, internal to the same network where the runners are, and will provide all the information needed.

Edited by Philippe Lafoucrière