Status: Closed. Opened May 07, 2019 by Kevin Chasse (@kevinchasse, Developer). 5 of 7 tasks completed.

Document steps to run offline SAST for self-hosted instances

Problem to solve

Our ~"sast" tools currently require internet connectivity to run using standard configurations. We should aim to provide clear documentation on how to configure scanners for offline runs.

Intended users

  • Persona: Software developer
  • Persona: Development Team Lead

Further details

We will verify that testing does not turn up any SAST scans that do not work offline with the documented workarounds.

Proposal

This is currently possible and supported with our ~sast tools but requires custom configuration. We should improve the documentation around this setup to make it easier for our customers to set this up themselves.

Permissions and Security

no changes

Documentation

To document:

  • how to create a CI config based on SAST vendored template and specify a sast image from local Docker registry in the script section
  • how to leverage SAST_ANALYZER_IMAGE_PREFIX to fetch the analyzers' images from a local registry
  • How many separate analyzer images are required for full functionality offline?
  • Is there a list of all the required analyzer images (full list and per language)?
  • How can a customer pull or build all required images and push them to the registry of an air-gapped machine? (Maybe a script (in Ruby) can be handy for making this a one-off action.) !27535 (merged)

Testing

Verify that, with the documented workaround, all SAST scanners work. If any do not work, open specific issues to work that problem.

What does success look like, and how can we measure that?

All SAST scans can be run offline after following the documentation.

What is the type of buyer?

GitLab Ultimate

Links / references


Original Description.

Problem to solve

For our security scanning templated jobs such as Sast we use an image from GitLab.com registry inside of the script which forces the user to download images from the internet, which in certain environments is not allowed.

Examples:

https://gitlab.com/gitlab-org/gitlab-ce/blob/c342c07899ef6637eef7c1df2534f0c5ea67d7bd/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L46

Intended users

  • Sasha (Software Developer), who works on a GitLab instance in a closed network that does not have access to the internet.

Further details

https://gitlab.com/gitlab-org/gitlab-ee/issues/11520#note_167683976

Proposal

Allow user to specify which image to use.

Documentation

Update https://gitlab.com/gitlab-org/security-products/sast#settings

Product

  • release post
  • user documentation
Edited Mar 23, 2020 by Lucas Charles
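The steps listed under Documentation (a CI config based on the vendored SAST template, SAST_ANALYZER_IMAGE_PREFIX pointing at a local registry, and mirroring the analyzer images into the air-gapped registry), together with the original proposal to let the user choose the image, as one added worked example. This is not GitLab's script and is not code from the issue: the upstream registry path under registry.gitlab.com/gitlab-org/security-products/analyzers, the local registry name registry.example.internal, the analyzer subset, the tag 2 and the SAST_ANALYZER_IMAGE_TAG variable are assumptions made for illustration and should be replaced with the list and tag your instance actually needs.

```shell
#!/bin/sh
# Added example (not GitLab's own script): mirror SAST analyzer images into a
# local registry for an air-gapped runner and emit the .gitlab-ci.yml override
# that points the vendored SAST template at that registry.
#
# Assumptions, not taken from the issue:
#   - upstream analyzers are published as
#     registry.gitlab.com/gitlab-org/security-products/analyzers/<name>:<tag>
#   - the local registry prefix is registry.example.internal/analyzers
#   - the analyzer set below is an illustrative subset; use the list your
#     projects need, not this one
#   - SAST_ANALYZER_IMAGE_TAG is honoured by the template alongside
#     SAST_ANALYZER_IMAGE_PREFIX
set -u

UPSTREAM_PREFIX="registry.gitlab.com/gitlab-org/security-products/analyzers"
LOCAL_PREFIX="${LOCAL_PREFIX:-registry.example.internal/analyzers}"
ANALYZER_TAG="${ANALYZER_TAG:-2}"
ANALYZERS="bandit brakeman eslint gosec secrets spotbugs"

# Compute the image reference for one analyzer under a given registry prefix.
mirror_ref() {
  # $1 = registry prefix, $2 = analyzer name, $3 = tag
  printf '%s/%s:%s\n' "$1" "$2" "$3"
}

# Print (or, with DRY_RUN=0, execute) the pull/tag/push sequence for every
# analyzer. The pull runs on a connected host; the push targets the registry
# that the air-gapped runners can reach.
mirror_images() {
  for name in $ANALYZERS; do
    src="$(mirror_ref "$UPSTREAM_PREFIX" "$name" "$ANALYZER_TAG")"
    dst="$(mirror_ref "$LOCAL_PREFIX" "$name" "$ANALYZER_TAG")"
    for cmd in "docker pull $src" "docker tag $src $dst" "docker push $dst"; do
      if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
      else
        $cmd || return 1
      fi
    done
  done
}

# Emit a .gitlab-ci.yml that includes the vendored SAST template and overrides
# the image prefix so every analyzer job pulls from the local registry instead
# of registry.gitlab.com.
ci_override() {
  # $1 = registry prefix, $2 = tag
  cat <<EOF
include:
  - template: SAST.gitlab-ci.yml

variables:
  SAST_ANALYZER_IMAGE_PREFIX: "$1"
  SAST_ANALYZER_IMAGE_TAG: "$2"
EOF
}

# Number of distinct analyzer images the air-gapped registry must hold.
image_count() {
  set -- $ANALYZERS
  echo "$#"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_MIRROR:-0}" = 1 ]; then
  mirror_images && ci_override "$LOCAL_PREFIX" "$ANALYZER_TAG" > .gitlab-ci.yml
fi
```

Run it once with the default DRY_RUN=1 to review the exact pull/tag/push commands, then with `DRY_RUN=0 RUN_MIRROR=1` on a host that can reach both registry.gitlab.com and the internal registry. If no single host sees both networks, replace the push step with `docker save` on the connected side and `docker load` plus `docker push` on the isolated side; the image references produced by `mirror_ref` stay the same, which is what makes the generated `.gitlab-ci.yml` override valid on the runners.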
Milestone: 12.9

Reference: gitlab-org/gitlab#11520