Document steps to run offline SAST for self-hosted instances
Problem to solve
Our ~"sast" tools currently require internet connectivity when run with their standard configuration. We should provide clear documentation on how to configure the scanners for offline runs.
Intended users
- Persona: Software developer
- Persona: Development Team Lead
Further details
We will verify through testing that every SAST scan works offline when the documented workarounds are applied.
Proposal
This is currently possible and supported with our ~sast tools, but it requires custom configuration. We should improve the documentation around this setup so that customers can set it up themselves.
Permissions and Security
no changes
Documentation
To document:
- how to create a CI config based on the vendored SAST template and specify a SAST image from a local Docker registry in the script section
- how to leverage SAST_ANALYZER_IMAGE_PREFIX to fetch the analyzers' images from a local registry
- How many separate analyzer images are required for full functionality offline?
- Is there a list of all the required analyzer images (full list and per language)?
- How can a customer pull or build all required images and push them to the registry of an air-gapped machine? (Maybe a script (in Ruby) can be handy for making this a one-off action.) !27535 (merged)
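As an added worked example for the documentation items above (this is not part of the issue and not GitLab's own tooling), the following Ruby script plans the docker pull/tag/push commands needed to mirror a set of analyzer images into a local registry and renders the `.gitlab-ci.yml` override that points SAST_ANALYZER_IMAGE_PREFIX at that registry. The analyzer names, the image tag `2`, the local registry host and the upstream prefix are illustrative assumptions; the authoritative list of analyzer images is exactly the open question above and must be taken from the SAST template version in use.

```ruby
#!/usr/bin/env ruby
# Added example, not GitLab's own tooling: plan (and optionally run) the docker
# commands that mirror SAST analyzer images into a local registry, and render the
# .gitlab-ci.yml override that makes the SAST template pull from that registry.
require 'shellwords'

# Assumed upstream location of the analyzer images.
UPSTREAM_PREFIX = 'registry.gitlab.com/gitlab-org/security-products/analyzers'.freeze

# Illustrative subset only; the authoritative list comes from the SAST template
# version in use (the open question in the issue above).
EXAMPLE_ANALYZERS = %w[bandit brakeman eslint gosec secrets].freeze

NAME_RE   = /\A[a-z0-9][a-z0-9._-]*\z/
TAG_RE    = /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\z/
PREFIX_RE = %r{\A[A-Za-z0-9][A-Za-z0-9._:-]*(/[A-Za-z0-9._-]+)*\z}

# Returns the pull/tag/push argv triple for one analyzer image. Commands are
# argv arrays (no shell), so an odd registry value can never inject into a shell.
def mirror_commands(name, tag, local_prefix, upstream_prefix = UPSTREAM_PREFIX)
  raise ArgumentError, "bad analyzer name: #{name.inspect}" unless NAME_RE.match?(name)
  raise ArgumentError, "bad image tag: #{tag.inspect}" unless TAG_RE.match?(tag)
  [local_prefix, upstream_prefix].each do |p|
    raise ArgumentError, "bad registry prefix: #{p.inspect}" unless PREFIX_RE.match?(p)
  end
  src = "#{upstream_prefix}/#{name}:#{tag}"
  dst = "#{local_prefix}/#{name}:#{tag}"
  [%w[docker pull] + [src], %w[docker tag] + [src, dst], %w[docker push] + [dst]]
end

# Full plan for a list of analyzers that share one image tag.
def mirror_plan(analyzers, tag, local_prefix, upstream_prefix = UPSTREAM_PREFIX)
  analyzers.flat_map { |name| mirror_commands(name, tag, local_prefix, upstream_prefix) }
end

# .gitlab-ci.yml that includes the SAST template and redirects analyzer pulls.
def offline_ci_config(local_prefix)
  raise ArgumentError, "bad registry prefix: #{local_prefix.inspect}" unless PREFIX_RE.match?(local_prefix)
  <<~YAML
    include:
      - template: SAST.gitlab-ci.yml

    variables:
      SAST_ANALYZER_IMAGE_PREFIX: "#{local_prefix}"
  YAML
end

if $PROGRAM_NAME == __FILE__
  local_prefix = ARGV.fetch(0) { 'registry.example.internal:5000/analyzers' } # assumed host
  tag          = ARGV.fetch(1) { '2' }                                         # assumed tag
  plan = mirror_plan(EXAMPLE_ANALYZERS, tag, local_prefix)
  plan.each do |argv|
    puts argv.shelljoin
    next unless ENV['EXECUTE'] == '1' # dry run by default; EXECUTE=1 actually runs docker
    system(*argv) || abort("failed: #{argv.shelljoin}")
  end
  puts "\n# .gitlab-ci.yml for the air-gapped project:"
  puts offline_ci_config(local_prefix)
end
```

Run it on an internet-connected host as `ruby mirror_sast.rb registry.example.internal:5000/analyzers 2` to print the plan, and with `EXECUTE=1` to execute it. If the local registry is not reachable from the connected host, the same plan still tells you which images to `docker save`, carry across, and `docker load` before pushing. The image references are validated and passed to `system` as argv arrays rather than a shell string, so the registry prefix a customer supplies cannot become a shell injection.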
Testing
Verify that all SAST scanners work offline with the documented workarounds. If any do not, open a specific issue for each one.
What does success look like, and how can we measure that?
All SAST scans can be run offline after following the documentation.
What is the type of buyer?
Links / references
Original Description.
Problem to solve
For our templated security scanning jobs such as SAST, we use an image from the GitLab.com registry inside the script section, which forces the user to download images from the internet; in certain environments this is not allowed.
Examples:
Intended users
- Sasha (Software Developer), who works on a GitLab instance in a closed network without access to the internet.
Further details
https://gitlab.com/gitlab-org/gitlab-ee/issues/11520#note_167683976
Proposal
Allow the user to specify which image to use.
Documentation
Update https://gitlab.com/gitlab-org/security-products/sast#settings
Product
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.