Document air-gapped (offline) Dependency Scanning for on-prem instances

Problem to solve

Add a new "Running Dependency Scanning in an offline air-gapped installation" section to the Dependency Scanning documentation, similar to the one in the Container Scanning documentation.

Further details

The following two issues add support for air-gapped usage for Dependency Scanning analyzers:

Each of the above issues includes the following documentation change requirement:

Make it explicit in the dependency scanning documentation https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html about air-gapped support and how to set it up.

However, it's not currently possible to document how to set up air-gapped (offline) usage for an individual scanner, because the process needs to work for all scanners. Documenting air-gapped usage therefore only makes sense after both of the above issues have been completed, which is the purpose of this issue.

Proposal

Once the following issues have been completed:

  1. Support air-gapped (offline) Dependency Scanning for JavaScript (npm, yarn) through retire.js analyzer
  2. Update Dependency Scanning template to allow air-gapped (offline) usage for on-prem instances
  3. Air-gapped (offline) support for gemnasium analyzer (Dependency Scanning)

We'll need to implement the following changes:

  1. Update the Configuring Dependency Scanning section of the Dependency Scanning docs to include information about the new SECURITY_SCANNER_IMAGE_PREFIX environment variable added by !26145 (merged). This is no longer necessary now that SECURE_ANALYZERS_PREFIX has been introduced.

  2. Add a new "Running Dependency Scanning in an offline air-gapped installation" section to the Dependency Scanning documentation containing something similar to the following:

    Running Dependency Scanning in an offline air-gapped installation

    Dependency Scanning can be executed on an offline air-gapped GitLab Ultimate installation using the following process:

    1. Host the following Docker images on a local Docker container registry:

      • GitLab Dependency Scanning analyzer: registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-7-stable
      • GitLab retire.js analyzer: registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
      • GitLab bundler-audit analyzer: registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
      • GitLab gemnasium analyzer: registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium
    2. Host the following Retire.js vulnerability data files on an accessible URL such as http://your.server.address:port/<filename>.json:

    3. Host the GitLab gemnasium-db security advisories repository https://gitlab.com/gitlab-org/security-products/gemnasium-db.git on an accessible URL such as https://local.git.server.address/gemnasium-db.git

    4. Override the following variable, which is necessary for gemnasium: GIT_SSL_NO_VERIFY: "true"

    5. Host your own private yarn registry

    6. Override the Dependency Scanning template in your .gitlab-ci.yml file to refer to the locally hosted Docker containers and files:

      include:
        - template: Dependency-Scanning.gitlab-ci.yml
      
      dependency_scanning:
        variables:
          SECURITY_SCANNER_IMAGE_PREFIX: "$CI_REGISTRY/namespace"
          DS_ANALYZER_IMAGE_PREFIX: "$SECURITY_SCANNER_IMAGE_PREFIX/analyzers"
          RETIREJS_JS_ADVISORY_DB: http://your.server.address/jsrepository.json
          RETIREJS_NODE_ADVISORY_DB: http://your.server.address/npmrepository.json
          GEMNASIUM_DB_REMOTE_URL: "https://your.git.server.address/gemnasium-db.git"
  3. Reference this new section from the "Specific scanner instructions" section of the Offline environment deployments page.
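The override above is easy to get subtly wrong: if one variable still carries the template's public default, the job will try to reach registry.gitlab.com or gitlab.com from a runner that has no route to the internet, and fail only at pipeline time. The following added example (not GitLab code, and not part of the proposed documentation) resolves the analyzer image references the prefix variables would produce and flags any image or advisory-database URL that does not point at an internal host. It assumes the variable names shown in the proposal, a ":2" major-version tag for the analyzer images, and constructed internal host names (registry.example.internal, advisories.example.internal, git.example.internal); the simplified $VAR expansion stands in for what the CI runner does.

```python
import re
from urllib.parse import urlparse

# Hosts the stock Dependency-Scanning template reaches by default. If any of them survives
# the override, the job will try to reach the public internet from the offline runner.
PUBLIC_HOSTS = {"registry.gitlab.com", "gitlab.com"}

# Analyzer image names as listed in the issue; the ":2" major-version tag is an assumption.
ANALYZERS = ("gemnasium", "retire.js", "bundler-audit")
ANALYZER_TAG = "2"

# Variables that must be redirected to locally hosted copies of the advisory data.
URL_VARIABLES = ("RETIREJS_JS_ADVISORY_DB", "RETIREJS_NODE_ADVISORY_DB", "GEMNASIUM_DB_REMOTE_URL")

_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def expand(value, variables, depth=0):
    """Expand $VAR / ${VAR} references from the given dict (simplified CI-style expansion)."""
    if depth > 10:
        raise ValueError("variable reference loop")

    def repl(match):
        return expand(variables.get(match.group(1), ""), variables, depth + 1)

    return _VAR.sub(repl, value)


def analyzer_images(variables):
    """Return the analyzer image references the template would pull for these variables."""
    prefix = variables.get("DS_ANALYZER_IMAGE_PREFIX") or variables.get("SECURE_ANALYZERS_PREFIX", "")
    prefix = expand(prefix, variables)
    return [f"{prefix}/{name}:{ANALYZER_TAG}" for name in ANALYZERS]


def check_offline_variables(variables, internal_hosts):
    """Return (severity, message) findings; an empty list means the override looks offline-safe."""
    findings = []
    if not variables.get("DS_ANALYZER_IMAGE_PREFIX") and not variables.get("SECURE_ANALYZERS_PREFIX"):
        findings.append(("error", "no analyzer image prefix set; the template default registry.gitlab.com will be used"))
    else:
        for image in analyzer_images(variables):
            registry = image.split("/", 1)[0].rsplit(":", 1)[0]  # drop an optional :port
            if registry not in internal_hosts:
                findings.append(("error", f"analyzer image {image} is not on an internal registry"))
    for name in URL_VARIABLES:
        raw = variables.get(name)
        if raw is None:
            findings.append(("error", f"{name} is not set; the template default points at the public internet"))
            continue
        host = urlparse(expand(raw, variables)).hostname
        if host not in internal_hosts or host in PUBLIC_HOSTS:
            findings.append(("error", f"{name} points at {host!r}, which is not an internal host"))
    if variables.get("GIT_SSL_NO_VERIFY", "").lower() == "true":
        # The issue sets this for gemnasium; it disables TLS verification for the gemnasium-db
        # clone, so a warning is raised. Trusting the internal CA via GIT_SSL_CAINFO avoids it.
        findings.append(("warning", "GIT_SSL_NO_VERIFY=true disables TLS verification for the gemnasium-db clone"))
    return findings


# Constructed sample: the override from the issue with public defaults replaced by internal
# hosts, plus the instance-level CI_REGISTRY value the runner would normally provide.
OFFLINE_VARIABLES = {
    "CI_REGISTRY": "registry.example.internal:5000",
    "SECURE_ANALYZERS_PREFIX": "$CI_REGISTRY/namespace",
    "DS_ANALYZER_IMAGE_PREFIX": "$SECURE_ANALYZERS_PREFIX/analyzers",
    "RETIREJS_JS_ADVISORY_DB": "http://advisories.example.internal/jsrepository.json",
    "RETIREJS_NODE_ADVISORY_DB": "http://advisories.example.internal/npmrepository.json",
    "GEMNASIUM_DB_REMOTE_URL": "https://git.example.internal/gemnasium-db.git",
    "GIT_SSL_NO_VERIFY": "true",
}

# Constructed sample: the same override with the gemnasium-db mirror forgotten.
INCOMPLETE_VARIABLES = {k: v for k, v in OFFLINE_VARIABLES.items() if k != "GEMNASIUM_DB_REMOTE_URL"}

INTERNAL_HOSTS = {"registry.example.internal", "advisories.example.internal", "git.example.internal"}

if __name__ == "__main__":
    for label, variables in (("complete", OFFLINE_VARIABLES), ("incomplete", INCOMPLETE_VARIABLES)):
        print(f"== {label} override ==")
        for image in analyzer_images(variables):
            print("image:", image)
        for severity, message in check_offline_variables(variables, INTERNAL_HOSTS):
            print(f"{severity}: {message}")
```

Running the check against the complete override yields only the TLS-verification warning; the incomplete one additionally reports the missing GEMNASIUM_DB_REMOTE_URL. The same function run with an empty variable set shows what the unmodified template would attempt, which is a useful sanity check before a pipeline is pushed to an offline instance.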

Who can address the issue

group::composition analysis

Other links/references
