Clair binary downloaded for every job

Summary

The clair binary is downloaded from GitHub on every container scanning job. The binary should be baked into an image and re-used, not downloaded from a public site on every job.

References:

  • https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L41

Steps to reproduce

Run GitLab self-managed in a closed network that does not have internet access. Try to set up Ultimate to do a security scan in such an environment.

Example Project

Cannot since it is on a closed network

What is the current bug behavior?

The Clair binary is downloaded on every job.

What is the expected correct behavior?

The Clair binary should be checksummed and only downloaded when the checksum differs.
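As an added illustration of the expected behaviour (not code from this issue or from the GitLab Container-Scanning template), the following POSIX shell helper keeps a cached copy of the binary, compares its SHA-256 against a value pinned by the job author, and only fetches when the digest does not match; a downloaded file whose digest still does not match is discarded rather than executed. The variable CLAIR_FETCH, the destination path and the pinned digest are assumptions introduced for the example.

```shell
#!/bin/sh
# Added example, not part of the GitLab template: reuse a cached clair binary and
# only re-download when its SHA-256 differs from the pinned value.
# Assumes sha256sum (coreutils) and curl are present on the runner image.
set -eu

# Print the SHA-256 hex digest of a file, or an empty string if it does not exist.
file_sha256() {
    [ -f "$1" ] || { echo ""; return 0; }
    sha256sum "$1" | awk '{print $1}'
}

# The fetch command is a variable so an internal mirror (or a test) can replace
# curl; it is invoked as: $CLAIR_FETCH <destination> <url>
CLAIR_FETCH=${CLAIR_FETCH:-"curl -fsSL -o"}

# ensure_clair <dest> <expected_sha256> <url>
# Prints "cached" when the existing binary already matches the pinned digest,
# "fetched" after a verified download, and returns non-zero (leaving no binary
# behind) when the downloaded file does not match the pinned digest.
ensure_clair() {
    dest=$1; want=$2; url=$3
    if [ "$(file_sha256 "$dest")" = "$want" ]; then
        echo cached
        return 0
    fi
    tmp="$dest.tmp"
    $CLAIR_FETCH "$tmp" "$url"
    got=$(file_sha256 "$tmp")
    if [ "$got" != "$want" ]; then
        rm -f "$tmp"
        echo "digest mismatch: got $got want $want" >&2
        return 1
    fi
    chmod 0755 "$tmp"
    mv "$tmp" "$dest"
    echo fetched
}
```

In a job, call it from before_script with the binary path, the pinned digest and the download URL (or an internal mirror) so repeated jobs on the same runner reuse the cached copy.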

Relevant logs and/or screenshots

Logs cannot be copied off closed network

Output of checks

Logs cannot be copied off closed network

Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:env:info)

Latest Omnibus was used, output cannot be shared due to being on a closed network.

Results of GitLab application Check

(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:check SANITIZE=true)

Latest Omnibus was used, output cannot be shared due to being on a closed network.

(we will only investigate if the tests are passing)

Possible fixes

  • https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L41