Problem to solve
Some users need to run our security scans in environments with limited or no network connectivity. With its standard configuration, our retire.js analyzer currently requires internet connectivity, because retire.js fetches its advisory databases remotely at scan time. We should aim to support offline execution and provide clear documentation on how to configure it for such installations.
- add the analyzer variables for the advisory databases, such as RETIRE_JS_JS_ADVISORY_DB, to the dependency scanning template
- update the analyzer to pass these variables to retirejs if they are present at runtime
- document these variables and how to use them (note that both variables are necessary to ensure retirejs doesn't make remote calls; overriding only one of them still leaves retirejs fetching the other database from its default remote location)
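The following wrapper is an added example for this issue, not the analyzer's own code: it maps the advisory-database variables onto the retire.js --jsrepo and --noderepo flags and fails closed when the air gap would be broken. RETIRE_JS_JS_ADVISORY_DB is the variable named above; the second variable the issue refers to is not named here, so the example uses the hypothetical placeholder RETIRE_JS_NODE_ADVISORY_DB for it. It assumes retire is on PATH and that the database paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not the analyzer's own code. RETIRE_JS_NODE_ADVISORY_DB is a
# hypothetical placeholder for the second (node/npm) advisory database variable.

# Print the extra retire.js flags for the variables that are set.
# Return codes: 0 = ok, 1 = a variable points to an unreadable file,
# 2 = only one database is local, so retire.js would still fetch the other.
retire_offline_args() {
  js_db="${RETIRE_JS_JS_ADVISORY_DB:-}"
  node_db="${RETIRE_JS_NODE_ADVISORY_DB:-}"
  args=""

  if [ -n "$js_db" ]; then
    if [ ! -r "$js_db" ]; then
      echo "RETIRE_JS_JS_ADVISORY_DB=$js_db is not a readable file" >&2
      return 1
    fi
    args="$args --jsrepo $js_db"
  fi

  if [ -n "$node_db" ]; then
    if [ ! -r "$node_db" ]; then
      echo "RETIRE_JS_NODE_ADVISORY_DB=$node_db is not a readable file" >&2
      return 1
    fi
    args="$args --noderepo $node_db"
  fi

  # Fail closed: with only one override, retire.js still uses its built-in
  # remote URL for the other database, which defeats the air gap.
  if [ -n "$js_db$node_db" ] && { [ -z "$js_db" ] || [ -z "$node_db" ]; }; then
    echo "both advisory databases must be local for offline operation" >&2
    return 2
  fi

  printf '%s\n' "${args# }"
}

# Usage in the analyzer's job script (retire assumed to be on PATH):
#   extra_args=$(retire_offline_args) || exit $?
#   retire --path "$CI_PROJECT_DIR" --outputformat json --outputpath retire.json $extra_args
```

Deliberately, the wrapper does not try to download anything itself: if a variable is set the file must already be present in the job, which is what an air-gapped installation can actually guarantee. A simple runtime check for the documentation is to run the job with outbound network blocked and confirm that retire.js still completes.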
Permissions and Security
- Make it explicit in the dependency scanning documentation (https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html) that air-gapped environments are supported and how to set them up.
TODO: if not already done, define a proper way to test the air-gapped environment, share it in the parent epic &1359, and reuse it across all similar issues as much as possible.
What does success look like, and how can we measure that?
The retire.js analyzer is able to scan a project in an air-gapped environment, that is, without making any remote calls.
What is the type of buyer?
Links / references
- We will not include a release post until the Epic is complete.