Air-gapped (offline) support for bundler-audit analyzer (Dependency Scanning)
Problem to solve
Our bundler-audit analyzer currently requires internet connectivity when run with its standard configuration. We should support offline execution and clearly document how to configure the analyzer for such installations.
- Update the bundler-audit analyzer to use the BUNDLER_AUDIT_NO_UPDATE (to be defined) env variable (or CLI flag) to toggle the corresponding --update flag on the bundler-audit CLI.
- Update the vendored template Dependency-Scanning.gitlab-ci.yml to pass this variable down from the job to the analyzer
- NO Release Post - epic must first be complete
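As an added example (not GitLab's analyzer or CI template code), this POSIX shell wrapper shows how the proposed variable could be mapped onto the bundler-audit CLI and what an air-gapped run should verify before scanning. BUNDLER_AUDIT_DB, the run_scan entrypoint and the default advisory-database path are assumptions for this example.

```shell
#!/bin/sh
# Added example, not GitLab's analyzer or CI template code.
# Assumptions: BUNDLER_AUDIT_NO_UPDATE is the job variable proposed in this
# issue; BUNDLER_AUDIT_DB is a hypothetical override for the advisory
# database location, defaulting to bundler-audit's usual
# ~/.local/share/ruby-advisory-db checkout (which has a gems/ subdirectory).

# Accept the usual CI spellings of "true" (case-insensitive).
is_truthy() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    1|true|yes|on) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the bundle-audit subcommand and flags for this run: online runs
# refresh the advisory database first (--update); air-gapped runs must not.
bundler_audit_args() {
  if is_truthy "${BUNDLER_AUDIT_NO_UPDATE:-false}"; then
    printf '%s\n' "check"
  else
    printf '%s\n' "check --update"
  fi
}

# Offline caveat: without --update, a scan is only as good as the advisory
# database already baked into the image. Fail when there is none at all and
# warn when no advisory file has changed in the last $1 days (default 30).
check_offline_db() {
  db="${BUNDLER_AUDIT_DB:-$HOME/.local/share/ruby-advisory-db}"
  max_age_days="${1:-30}"
  if [ ! -d "$db/gems" ]; then
    echo "ERROR: no ruby-advisory-db at $db; vendor one into the image" >&2
    return 1
  fi
  if [ -z "$(find "$db/gems" -type f -mtime -"$max_age_days" | head -n 1)" ]; then
    echo "WARNING: advisory database at $db has no file newer than $max_age_days days" >&2
  fi
  return 0
}

# Analyzer entrypoint: validate the offline database when updates are
# disabled, then run the scan with the selected flags.
run_scan() {
  if is_truthy "${BUNDLER_AUDIT_NO_UPDATE:-false}"; then
    check_offline_db || return 1
  fi
  # shellcheck disable=SC2046  # word splitting of the args is intended
  bundle-audit $(bundler_audit_args)
}
```

Call run_scan from the analyzer image; the freshness warning is what surfaces a stale vendored database, which an offline scan would otherwise use silently.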
Permissions and Security
- Add this new option to https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables. It might be worth splitting out analyzer-specific variables as we have done for SAST: https://docs.gitlab.com/ee/user/application_security/sast/index.html#analyzer-settings
- Make it explicit in the dependency scanning documentation https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html that air-gapped environments are supported and how to set this up.
TODO: if not already done, define a proper way to test the air-gapped environment, share it in the parent epic &1359 and try to reuse it across all similar issues as much as possible.
What does success look like, and how can we measure that?
The bundler-audit analyzer is able to scan a project in an air-gapped environment.