Document steps to run offline SAST for self-hosted instances
Problem to solve
Our ~"sast" tools currently require internet connectivity to run with the standard configuration. We should provide clear documentation on how to configure the scanners for offline runs.
We will verify that, with the documented workarounds, no SAST scan fails to run offline.
This is currently possible and supported with our ~sast tools but requires custom configuration. We should improve the documentation around this setup to make it easier for our customers to set this up themselves.
Permissions and Security
- how to create a CI config based on the SAST vendored template and specify a `sast` image from a local Docker registry in the
- how to leverage `SAST_ANALYZER_IMAGE_PREFIX` to fetch the analyzers' images from a local registry
- How many separate analyzer images are required for full functionality offline?
- Is there a list of all the required analyzer images (full list and per language)?
- How can a customer pull or build all required images and push them to the registry of an air-gapped machine? (A script, possibly in Ruby, could make this a one-off action.) !27535 (merged)
Verify, using the documented workaround, that all SAST scanners work. If any do not, open a specific issue for each problem.
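An added example of the Ruby script suggested above (not part of this issue and not GitLab's own tooling): it mirrors an illustrative subset of analyzer images into a local registry and prints the `.gitlab-ci.yml` fragment that points the vendored SAST template at that registry through `SAST_ANALYZER_IMAGE_PREFIX`. The mirror address, the analyzer subset and the default tag are assumptions; pushes are dry-run unless `--push` is given.

```ruby
# Hypothetical helper (not GitLab's own code): mirror SAST analyzer images into a
# local registry and emit the CI variables an air-gapped pipeline needs.
require 'open3'
require 'shellwords'
UPSTREAM_PREFIX = 'registry.gitlab.com/gitlab-org/security-products/analyzers'.freeze
# Illustrative subset (assumption); take the full list from the SAST template of your GitLab version.
DEFAULT_ANALYZERS = %w[bandit brakeman eslint gosec secrets].freeze
NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/
# The three docker commands that copy one analyzer image to the local registry.
def mirror_commands(analyzer, tag, local_prefix)
  raise ArgumentError, "bad analyzer name: #{analyzer.inspect}" unless analyzer.match?(NAME_RE)
  raise ArgumentError, "bad tag: #{tag.inspect}" unless tag.match?(NAME_RE)
  src = "#{UPSTREAM_PREFIX}/#{analyzer}:#{tag}"
  dst = "#{local_prefix.chomp('/')}/#{analyzer}:#{tag}"
  [%W[docker pull #{src}], %W[docker tag #{src} #{dst}], %W[docker push #{dst}]]
end

# Run one command as an argv array (no shell, so CLI-supplied names cannot inject);
# dry-run only prints the command and is the default, so nothing is pushed by accident.
def run_command(argv, dry_run:)
  return (puts(Shellwords.join(argv)) || true) if dry_run
  output, status = Open3.capture2e(*argv)
  warn output unless status.success?
  status.success?
rescue Errno::ENOENT => e
  warn "#{argv.first}: #{e.message}"
  false
end
# Mirror every analyzer; returns { analyzer => success? }.
def mirror_all(local_prefix, tag, analyzers: DEFAULT_ANALYZERS, dry_run: true)
  analyzers.to_h do |name|
    [name, mirror_commands(name, tag, local_prefix).all? { |c| run_command(c, dry_run: dry_run) }]
  end
end

# .gitlab-ci.yml fragment pointing the vendored SAST template at the mirror.
def ci_snippet(local_prefix)
  <<~YAML
    include:
      - template: Security/SAST.gitlab-ci.yml
    variables:
      SAST_ANALYZER_IMAGE_PREFIX: "#{local_prefix.chomp('/')}"
  YAML
end

if $PROGRAM_NAME == __FILE__
  push = !ARGV.delete('--push').nil?                                  # opt in to real pushes
  prefix = ARGV.fetch(0, 'registry.internal.example:5000/analyzers')  # placeholder mirror
  tag = ARGV.fetch(1, '2')   # assumption: the tag your template's analyzer jobs expect
  puts ci_snippet(prefix) if mirror_all(prefix, tag, dry_run: !push).values.all?
end
```

Run it once on a connected host with `--push` to populate the mirror, then paste the printed fragment into the project's `.gitlab-ci.yml`.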
What does success look like, and how can we measure that?
All SAST scans can be run offline after following the documentation.
What is the type of buyer?
Links / references
Problem to solve
For our security-scanning templated jobs such as SAST we use an image from the GitLab.com registry inside the `script` section, which forces the user to download images from the internet; in certain environments this is not allowed.
- Sasha (Software Developer), who works on a GitLab instance in a closed network without access to the internet.
Allow the user to specify which image to use.