Document air-gapped (offline) Dependency Scanning for on-prem instances
Problem to solve
Add a new "Running Dependency Scanning in an offline air-gapped installation" section to the Dependency Scanning documentation, similar to the one in the Container Scanning documentation.
Further details
The following two issues add support for air-gapped usage for Dependency Scanning analyzers:
- Support air-gapped (offline) Dependency Scanning for JavaScript (npm, yarn) through retire.js analyzer
- Air-gapped (offline) support for gemnasium analyzer (Dependency Scanning)
Each of the above issues includes the following documentation change requirement:
Make it explicit in the dependency scanning documentation https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html about air-gapped support and how to set it up.
However, it's not currently possible to document how to set up air-gapped (offline) usage for an individual scanner: the process needs to work for all scanners, so it only makes sense to document air-gapped usage once both of the above issues have been completed. That is the purpose of this issue.
Proposal
Once the following issues have been completed:
- Support air-gapped (offline) Dependency Scanning for JavaScript (npm, yarn) through retire.js analyzer
- Update Dependency Scanning template to allow air-gapped (offline) usage for on-prem instances
- Air-gapped (offline) support for gemnasium analyzer (Dependency Scanning)
We'll need to implement the following changes:
- Update the Configuring Dependency Scanning section of the Dependency Scanning docs to include information about the new SECURITY_SCANNER_IMAGE_PREFIX environment variable added by !26145 (merged). (Update: this is no longer necessary now that SECURE_ANALYZERS_PREFIX has been introduced.)
- Add a new "Running Dependency Scanning in an offline air-gapped installation" section to the Dependency Scanning documentation containing something similar to the following:

  Dependency Scanning can be executed on an offline air-gapped GitLab Ultimate installation using the following process:
  - Host the following Docker images on a local Docker container registry:
    - GitLab Dependency Scanning analyzer:
      registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-7-stable
    - GitLab retire.js analyzer:
      registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
    - GitLab bundler-audit analyzer:
      registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
    - GitLab gemnasium analyzer:
      registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium
  - Host the following Retire.js vulnerability data files on an accessible URL such as http://your.server.address:port/<filename>.json:
  - Host the GitLab gemnasium-db security advisories repository https://gitlab.com/gitlab-org/security-products/gemnasium-db.git on an accessible URL such as https://local.git.server.address/gemnasium-db.git
  - Override the following variable, which is necessary for gemnasium:
      GIT_SSL_NO_VERIFY: "true"
  - Host your own private yarn registry
  - Override the Dependency Scanning template in your .gitlab-ci.yml file to refer to the locally hosted Docker containers and files:

      include:
        - template: Dependency-Scanning.gitlab-ci.yml

      dependency_scanning:
        variables:
          SECURITY_SCANNER_IMAGE_PREFIX: "$CI_REGISTRY/namespace"
          DS_ANALYZER_IMAGE_PREFIX: "$SECURITY_SCANNER_IMAGE_PREFIX/analyzers"
          RETIREJS_JS_ADVISORY_DB: http://your.server.address/jsrepository.json
          RETIREJS_NODE_ADVISORY_DB: http://your.server.address/npmrepository.json
          GEMNASIUM_DB_REMOTE_URL: "https://your.git.server.address/gemnasium-db.git"

- Reference this new section from Offline environment deployments, Specific scanner instructions
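As an added example, not part of this issue and not GitLab's own tooling, the following POSIX shell script mirrors the analyzer images and the gemnasium-db advisory repository listed above into local infrastructure, deriving the local image names so that they line up with the SECURITY_SCANNER_IMAGE_PREFIX / DS_ANALYZER_IMAGE_PREFIX override in the template. The registry name registry.example.internal/namespace, the GEMNASIUM_DB_LOCAL variable, the DRY_RUN switch and the function names are placeholders and assumptions of this example; the image references and the upstream repository URL are the ones from the issue.

```shell
#!/bin/sh
# Added example, not from the issue or from GitLab's own tooling: mirror the
# analyzer images and the gemnasium-db advisory repository listed above into
# local infrastructure, naming the images so that they match the
# SECURITY_SCANNER_IMAGE_PREFIX / DS_ANALYZER_IMAGE_PREFIX override.
# Assumptions (placeholders): LOCAL_PREFIX stands in for "$CI_REGISTRY/namespace",
# GEMNASIUM_DB_LOCAL is the internal git server, and DRY_RUN=1 only prints commands.

UPSTREAM_PREFIX="registry.gitlab.com/gitlab-org/security-products"
LOCAL_PREFIX="${LOCAL_PREFIX:-registry.example.internal/namespace}"
GEMNASIUM_DB_UPSTREAM="https://gitlab.com/gitlab-org/security-products/gemnasium-db.git"
GEMNASIUM_DB_LOCAL="${GEMNASIUM_DB_LOCAL:-https://local.git.server.address/gemnasium-db.git}"

# Image references from the issue, relative to UPSTREAM_PREFIX. Keeping the
# analyzers/ sub-path is what lets DS_ANALYZER_IMAGE_PREFIX resolve locally.
IMAGES="dependency-scanning:12-7-stable
analyzers/retire.js:2
analyzers/bundler-audit:2
analyzers/gemnasium"

# run: execute a command, or just echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# mirror_target: map an upstream image reference to its local name.
# Refuses anything outside UPSTREAM_PREFIX so a typo cannot publish a
# foreign image under the prefix the CI template trusts.
mirror_target() {
    src="$1"
    case "$src" in
        "$UPSTREAM_PREFIX"/*)
            printf '%s/%s\n' "$LOCAL_PREFIX" "${src#"$UPSTREAM_PREFIX"/}"
            ;;
        *)
            echo "refusing to mirror image outside $UPSTREAM_PREFIX: $src" >&2
            return 1
            ;;
    esac
}

# mirror_images: pull each analyzer image, retag it under LOCAL_PREFIX, push it.
mirror_images() {
    echo "$IMAGES" | while IFS= read -r rel; do
        [ -z "$rel" ] && continue
        src="$UPSTREAM_PREFIX/$rel"
        dst="$(mirror_target "$src")" || exit 1
        run docker pull "$src"
        run docker tag "$src" "$dst"
        run docker push "$dst"
    done
}

# mirror_gemnasium_db: take a bare mirror of the advisory repository and push
# it to the internal git server that GEMNASIUM_DB_REMOTE_URL will point at.
mirror_gemnasium_db() {
    run git clone --mirror "$GEMNASIUM_DB_UPSTREAM" gemnasium-db.git
    run git --git-dir=gemnasium-db.git push --mirror "$GEMNASIUM_DB_LOCAL"
}

# Only perform the mirroring when invoked as: sh mirror.sh mirror
if [ "${1:-}" = "mirror" ]; then
    mirror_images
    mirror_gemnasium_db
fi
```

Run it once with DRY_RUN=1 to review the docker and git commands before anything is pushed. The local tag must be identical to the upstream tag (for example retire.js:2), because the template composes the image reference from the prefix variables and the tag it expects; an analyzer image that is missing from the local registry fails the job at pull time, which is the first thing to check when an offline Dependency Scanning job errors.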
Who can address the issue
Other links/references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.