Update Dependency Scanning template to allow air-gapped (offline) usage for on-prem instances
Problem to solve
The Dependency-Scanning.gitlab-ci.yml template file currently hardcodes the dependency scanning Docker image to the GitLab container registry:
docker run \
...
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /code
This means that it's not possible to use Dependency Scanning in an air-gapped (offline) on-prem instance, because the template will always attempt to fetch the Docker image from the remote GitLab container registry at registry.gitlab.com.
In order to support air-gapped (offline) usage, we need to update the Dependency-Scanning.gitlab-ci.yml template file so that the location of this Docker image can be overridden by a variable.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
This change is necessary to allow Dependency Scanning to operate in an air-gapped (offline) installation.
Proposal
Add a new variable SECURITY_SCANNER_IMAGE_PREFIX to the Dependency-Scanning.gitlab-ci.yml template file to allow overriding the location of the Dependency Scanning Docker container:
variables:
SECURITY_SCANNER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products"
DS_ANALYZER_IMAGE_PREFIX: "$SECURITY_SCANNER_IMAGE_PREFIX/analyzers"
docker run \
$(propagate_env_vars \
DS_ANALYZER_IMAGES \
...
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
) \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"$SECURITY_SCANNER_IMAGE_PREFIX/dependency-scanning:$DS_VERSION" /code
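As an added illustration (not code from the GitLab template or this issue), the script below shows how the proposed prefix override resolves the image reference, and adds a pre-flight check an air-gapped job can run to confirm the image will be pulled from the internal registry rather than registry.gitlab.com. The hostname registry.internal.example:5000 and the version value 11-2-stable are constructed; only SECURITY_SCANNER_IMAGE_PREFIX, DS_ANALYZER_IMAGE_PREFIX and DS_VERSION are names from the proposal.

```shell
#!/bin/sh
# Added example: resolve the Dependency Scanning image from the proposed
# SECURITY_SCANNER_IMAGE_PREFIX variable and verify the registry it points at.

# Default prefix exactly as the proposal defines it.
DEFAULT_PREFIX="registry.gitlab.com/gitlab-org/security-products"

# resolve_ds_image PREFIX VERSION -> image reference passed to `docker run`.
# An empty PREFIX falls back to the template default, mirroring the
# "$SECURITY_SCANNER_IMAGE_PREFIX/dependency-scanning:$DS_VERSION" line.
resolve_ds_image() {
  prefix="${1:-$DEFAULT_PREFIX}"
  version="${2:-latest}"
  printf '%s/dependency-scanning:%s\n' "$prefix" "$version"
}

# resolve_analyzer_prefix PREFIX -> DS_ANALYZER_IMAGE_PREFIX derived the same way.
resolve_analyzer_prefix() {
  prefix="${1:-$DEFAULT_PREFIX}"
  printf '%s/analyzers\n' "$prefix"
}

# image_registry IMAGE -> registry host (port included) of a fully qualified
# image reference, i.e. its first path component.
image_registry() {
  printf '%s\n' "$1" | cut -d/ -f1
}

# check_offline_registry IMAGE ALLOWED_HOST -> 0 if the image is served by the
# allowed internal registry, 1 otherwise. Running this before `docker run`
# catches a pipeline where the override was forgotten and the job would try
# (and fail) to reach the public registry.
check_offline_registry() {
  [ "$(image_registry "$1")" = "$2" ]
}

main() {
  # Current behaviour: the default prefix is used.
  resolve_ds_image "" "11-2-stable"
  # Air-gapped override, as it would be set in the project's CI variables
  # (constructed internal registry hostname).
  SECURITY_SCANNER_IMAGE_PREFIX="registry.internal.example:5000/security-products"
  DS_ANALYZER_IMAGE_PREFIX="$(resolve_analyzer_prefix "$SECURITY_SCANNER_IMAGE_PREFIX")"
  img="$(resolve_ds_image "$SECURITY_SCANNER_IMAGE_PREFIX" "11-2-stable")"
  echo "$img"
  echo "analyzers from: $DS_ANALYZER_IMAGE_PREFIX"
  if check_offline_registry "$img" "registry.internal.example:5000"; then
    echo "OK: image served from the local registry"
  else
    echo "ERROR: image would be pulled from $(image_registry "$img")" >&2
    return 1
  fi
}

main "$@"
```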
Documentation
Documentation will be handled separately.
What does success look like, and how can we measure that?
After this change, we should be able to run the Dependency Scanning job using a Dependency Scanning image hosted on a local Docker container registry.
What is the type of buyer?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.