Commit 5190aafa authored by Sam Kerr, committed by Nick Gaskill

Update docs to be more consistent with respect to offline use cases

This description is hopefully enough to appease danger bot.
parent 89301eef
...@@ -229,25 +229,29 @@ To use Container Scanning in an offline environment, you need: ...@@ -229,25 +229,29 @@ To use Container Scanning in an offline environment, you need:
NOTE: **Note:** NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner may try to pull remote images even if a local copy is available. Set GitLab meaning the Runner tries to pull Docker images from the GitLab container registry even if a local
Runner's [`pull_policy` to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. in an offline environment if you prefer using only locally available Docker images. However, we
recommend keeping the pull policy setting to `always` if not in an offline environment, as this
enables the use of updated scanners in your CI/CD pipelines.
#### Make GitLab Container Scanning analyzer images available inside your Docker registry #### Make GitLab Container Scanning analyzer images available inside your Docker registry
For Container Scanning, import and host the following images from `registry.gitlab.com` to your For Container Scanning, import the following default images from `registry.gitlab.com` into your
offline [local Docker container registry](../../packages/container_registry/index.md): [local Docker container registry](../../packages/container_registry/index.md):
- [arminc/clair-db vulnerabilities database](https://hub.docker.com/r/arminc/clair-db) ```plaintext
- GitLab klar analyzer: `registry.gitlab.com/gitlab-org/security-products/analyzers/klar` registry.gitlab.com/gitlab-org/security-products/analyzers/klar
https://hub.docker.com/r/arminc/clair-db
```
The process for importing Docker images into a local offline Docker registry depends on The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved **your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed. process by which you can import or temporarily access external resources. Note that these scanners
are [updated periodically](../index.md#maintenance-and-update-of-the-vulnerabilities-database)
Note that these scanners are [updated periodically](../index.md#maintenance-and-update-of-the-vulnerabilities-database)
with new definitions, so consider if you are able to make periodic updates yourself. with new definitions, so consider if you are able to make periodic updates yourself.
You can read more specific steps on how to do this [below](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline).
For more information, see [the specific steps on how to update an image with a pipeline](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline).
For details on saving and transporting Docker images as a file, see Docker's documentation on For details on saving and transporting Docker images as a file, see Docker's documentation on
[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/), [`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/),
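Review bot: the new plaintext image list mixes an image reference with a web page: `https://hub.docker.com/r/arminc/clair-db` is a Docker Hub URL and cannot be pulled or mirrored as written next to `registry.gitlab.com/gitlab-org/security-products/analyzers/klar`. Put the image name (`arminc/clair-db`, with the tag the klar analyzer expects) in the block and keep the Hub link in prose if it is wanted. The rewritten note also says the Runner pulls "from the GitLab container registry"; with `pull_policy` set to `always` the Runner pulls from whichever registry the image reference names, so the removed wording "may try to pull remote images even if a local copy is available" was the more accurate of the two.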
...@@ -255,8 +259,6 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -255,8 +259,6 @@ For details on saving and transporting Docker images as a file, see Docker's doc
#### Set Container Scanning CI job variables to use local Container Scanner analyzers #### Set Container Scanning CI job variables to use local Container Scanner analyzers
Container Scanning can be executed on an offline GitLab Ultimate installation using the following process:
1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry: 1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry:
```yaml ```yaml
......
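Review bot: removing "Container Scanning can be executed on an offline GitLab Ultimate installation using the following process:" also removes the only mention of the tier requirement in this section; if offline Container Scanning is Ultimate-only, move that fact into the requirements list instead of dropping it. With the sentence gone, the `1.` list now follows the heading directly, while the DAST section in this same change drops the `1.` numbering in favour of plain prose; pick one form for both.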
...@@ -523,14 +523,15 @@ To use DAST in an offline environment, you need: ...@@ -523,14 +523,15 @@ To use DAST in an offline environment, you need:
NOTE: **Note:** NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner may try to pull remote images even if a local copy is available. Set GitLab meaning the Runner tries to pull Docker images from the GitLab container registry even if a local
Runner's [`pull_policy` to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. in an offline environment if you prefer using only locally available Docker images. However, we
recommend keeping the pull policy setting to `always` if not in an offline environment, as this
enables the use of updated scanners in your CI/CD pipelines.
### Make GitLab DAST analyzer images available inside your Docker registry ### Make GitLab DAST analyzer images available inside your Docker registry
For DAST, import the following default DAST analyzer image from `registry.gitlab.com` to your local "offline" For DAST, import the following default DAST analyzer image from `registry.gitlab.com` to your [local Docker container registry](../../packages/container_registry/index.md):
registry:
- `registry.gitlab.com/gitlab-org/security-products/dast:latest` - `registry.gitlab.com/gitlab-org/security-products/dast:latest`
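Review bot: the DAST image stays listed as `registry.gitlab.com/gitlab-org/security-products/dast:latest`, while the Dependency Scanning and SAST lists in this same change pin a major version (`gemnasium:2`, `bandit:2`). For an offline mirror a floating `latest` tag leaves no record of which analyzer version was imported, and with `pull_policy` set to `if-not-present` the mirrored copy is what every job will keep using, so either pin a version tag here as well or state that `latest` is the tag the template references.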
...@@ -548,16 +549,18 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -548,16 +549,18 @@ For details on saving and transporting Docker images as a file, see Docker's doc
### Set DAST CI job variables to use local DAST analyzers ### Set DAST CI job variables to use local DAST analyzers
1. Add the following configuration to your `.gitlab-ci.yml` file. You must replace `image` to refer Add the following configuration to your `.gitlab-ci.yml` file. You must replace `image` to refer to
to the DAST Docker image hosted on your local Docker container registry: the DAST Docker image hosted on your local Docker container registry:
```yaml ```yaml
include: include:
- template: DAST.gitlab-ci.yml - template: DAST.gitlab-ci.yml
dast:
dast:
image: registry.example.com/namespace/dast:latest image: registry.example.com/namespace/dast:latest
``` ```
The DAST job should now use local copies of the DAST analyzers to scan your code and generate
security reports without requiring internet access.
## Reports ## Reports
......
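Review bot: dropping "The DAST job should now use local copies of the DAST analyzers to scan your code and generate security reports without requiring internet access." leaves the section with no statement of the expected outcome; keep a one-line result or a verification hint (the job log should show the image being pulled from `registry.example.com/namespace/dast:latest`, not from `registry.gitlab.com`) so the reader can confirm the override took effect. Converting the single-item `1.` list into plain prose is fine and matches the Dependency Scanning and SAST sections.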
...@@ -420,32 +420,33 @@ You can also [submit new vulnerabilities](https://gitlab.com/gitlab-org/security ...@@ -420,32 +420,33 @@ You can also [submit new vulnerabilities](https://gitlab.com/gitlab-org/security
## Running Dependency Scanning in an offline environment ## Running Dependency Scanning in an offline environment
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for dependency scanning jobs to run successfully. For more information, see [Offline environments](../offline_deployments/index.md). to external resources through the internet, some adjustments are required for Dependency Scanning
jobs to run successfully. For more information, see [Offline environments](../offline_deployments/index.md).
### Requirements for offline Dependency Scanning ### Requirements for offline Dependency Scanning
The requirements for using Dependency Scanning in an offline environment are: Here are the requirements for using Dependency Scanning in an offline environment:
- [Disable Docker-In-Docker](#disabling-docker-in-docker-for-dependency-scanning). - [Disable Docker-In-Docker](#disabling-docker-in-docker-for-dependency-scanning).
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). - GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- Docker Container Registry with locally available copies of dependency scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images. - Docker Container Registry with locally available copies of Dependency Scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
- Host an offline Git copy of the [gemnasium-db advisory database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/) - Host an offline Git copy of the [gemnasium-db advisory database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/)
- _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db). - _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db).
- _Only if scanning npm/yarn projects_: Host an offline copy of the [retire.js](https://github.com/RetireJS/retire.js/) [node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases. - _Only if scanning npm/yarn projects_: Host an offline copy of the [retire.js](https://github.com/RetireJS/retire.js/) [node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases.
NOTE: **Note:** NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner will try to pull Docker images from the GitLab container registry even if a local meaning the Runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment, if you prefer using only locally available Docker images. However, we in an offline environment if you prefer using only locally available Docker images. However, we
recommend keeping the pull policy setting to `always` as it will better enable updated scanners to recommend keeping the pull policy setting to `always` if not in an offline environment, as this
be utilized within your CI/CD pipelines. enables the use of updated scanners in your CI/CD pipelines.
### Make GitLab Dependency Scanning analyzer images available inside your Docker registry ### Make GitLab Dependency Scanning analyzer images available inside your Docker registry
For Dependency Scanning, import Docker images ([supported languages and frameworks](#supported-languages-and-package-managers)) For Dependency Scanning with all [supported languages and frameworks](#supported-languages-and-package-managers),
from `registry.gitlab.com` to your offline Docker registry. The Dependency Scanning analyzer import the following default Dependency Scanning analyzer images from `registry.gitlab.com` into
Docker images are: your [local Docker container registry](../../packages/container_registry/index.md):
```plaintext ```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2 registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
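Review bot: "Here are the requirements for using Dependency Scanning in an offline environment:" is a step down from "The requirements for using Dependency Scanning in an offline environment are:"; the other sections touched by this change introduce their lists with "To use X in an offline environment, you need:", so use that form here for the consistency the commit is after. Minor: the gemnasium-db bullet is the only one in the list without a trailing period.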
...@@ -465,10 +466,10 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -465,10 +466,10 @@ For details on saving and transporting Docker images as a file, see Docker's doc
[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/), [`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/),
[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/). [`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/).
### Set Dependency Scanning CI config for "offline" use ### Set Dependency Scanning CI job variables to use local Dependency Scanning analyzers
Below is a general `.gitlab-ci.yml` template to configure your environment for running Add the following configuration to your `.gitlab-ci.yml` file. You must replace
Dependency Scanning offline: `DS_ANALYZER_IMAGE_PREFIX` to refer to your local Docker container registry:
```yaml ```yaml
include: include:
......
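Review bot: "You must replace `DS_ANALYZER_IMAGE_PREFIX` to refer to your local Docker container registry" reads as if the variable name is substituted; it is the value that changes. Suggest "Set `DS_ANALYZER_IMAGE_PREFIX` to the path of your local Docker container registry", and apply the same fix to `SAST_ANALYZER_IMAGE_PREFIX` and to the two "replace `image`" sentences in the DAST and License Compliance sections of this change. The heading rename to "Set Dependency Scanning CI job variables to use local Dependency Scanning analyzers" matches the other sections, good.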
...@@ -527,17 +527,17 @@ To use SAST in an offline environment, you need: ...@@ -527,17 +527,17 @@ To use SAST in an offline environment, you need:
NOTE: **Note:** NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner will try to pull Docker images from the GitLab container registry even if a local meaning the Runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. However, we in an offline environment if you prefer using only locally available Docker images. However, we
recommend keeping the pull policy setting to `always` as it will better enable updated scanners to recommend keeping the pull policy setting to `always` if not in an offline environment, as this
be utilized within your CI/CD pipelines. enables the use of updated scanners in your CI/CD pipelines.
### Make GitLab SAST analyzer images available inside your Docker registry ### Make GitLab SAST analyzer images available inside your Docker registry
For SAST with all [supported languages and frameworks](#supported-languages-and-frameworks), For SAST with all [supported languages and frameworks](#supported-languages-and-frameworks),
import the following default SAST analyzer images from `registry.gitlab.com` to your local "offline" import the following default SAST analyzer images from `registry.gitlab.com` into your
registry: [local Docker container registry](../../packages/container_registry/index.md):
```plaintext ```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/bandit:2 registry.gitlab.com/gitlab-org/security-products/analyzers/bandit:2
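Review bot: this is the fourth verbatim copy of the pull-policy note in a single change (Container Scanning, DAST, Dependency Scanning, SAST, and License Compliance below makes five); every one of these sections already links to `../offline_deployments/index.md`, so the note belongs there once, with each section keeping a single sentence pointing to it. Otherwise the next wording fix has to be made in five places, which is how the five originals drifted apart in the first place.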
...@@ -568,10 +568,8 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -568,10 +568,8 @@ For details on saving and transporting Docker images as a file, see Docker's doc
### Set SAST CI job variables to use local SAST analyzers ### Set SAST CI job variables to use local SAST analyzers
[Override SAST environment variables](#customizing-the-sast-settings) to use to your [local container registry](./analyzers.md#using-a-custom-docker-mirror) Add the following configuration to your `.gitlab-ci.yml` file. You must replace
as the source for SAST analyzer images. `SAST_ANALYZER_IMAGE_PREFIX` to refer to your local Docker container registry:
For example, assuming a local Docker registry repository of `localhost:5000/analyzers`:
```yaml ```yaml
include: include:
......
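Review bot: the rewrite drops both the link to "Customizing the SAST settings" (`#customizing-the-sast-settings`) and the link to "Using a custom Docker mirror" (`./analyzers.md#using-a-custom-docker-mirror`), which were the only pointers to where `SAST_ANALYZER_IMAGE_PREFIX` is documented; keep at least the `analyzers.md` link. It also deletes "For example, assuming a local Docker registry repository of `localhost:5000/analyzers`:", so if the YAML that follows still uses that placeholder, nothing now explains where it comes from.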
...@@ -333,7 +333,7 @@ license_scanning: ...@@ -333,7 +333,7 @@ license_scanning:
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for the License Compliance job to to external resources through the internet, some adjustments are required for the License Compliance job to
successfully run. successfully run. For more information, see [Offline environments](../../application_security/offline_deployments/index.md).
### Requirements for offline License Compliance ### Requirements for offline License Compliance
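Review bot: the new link uses `../../application_security/offline_deployments/index.md` where the Dependency Scanning and SAST docs in this change use `../offline_deployments/index.md`; the extra level is expected for a document under `compliance/license_compliance/`, but confirm it resolves with the docs link check before merging.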
...@@ -344,11 +344,11 @@ To use License Compliance in an offline environment, you need: ...@@ -344,11 +344,11 @@ To use License Compliance in an offline environment, you need:
NOTE: **Note:** NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner will try to pull Docker images from the GitLab container registry even if a local meaning the Runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. However, we in an offline environment if you prefer using only locally available Docker images. However, we
recommend leaving the pull policy set to `always`, as it better enables updated scanners to be used recommend keeping the pull policy setting to `always` if not in an offline environment, as this
within your CI/CD pipelines. enables the use of updated scanners in your CI/CD pipelines.
### Make GitLab License Compliance analyzer images available inside your Docker registry ### Make GitLab License Compliance analyzer images available inside your Docker registry
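Review bot: the previous License Compliance wording "recommend leaving the pull policy set to `always`" was the cleanest of the five originals; the new "recommend keeping the pull policy setting to `always`" is awkward ("setting to" should be "set to") and is now copied into all five sections. Suggest "we recommend leaving `pull_policy` set to `always` outside offline environments, so your pipelines pick up updated scanners."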
...@@ -371,10 +371,8 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -371,10 +371,8 @@ For details on saving and transporting Docker images as a file, see Docker's doc
### Set License Compliance CI job variables to use local License Compliance analyzers ### Set License Compliance CI job variables to use local License Compliance analyzers
Override License Compliance environment variables to use to your local container registry Add the following configuration to your `.gitlab-ci.yml` file. You must replace `image` to refer to
as the source for License Compliance analyzer images. the License Compliance Docker image hosted on your local Docker container registry:
For example, this assumes a local Docker registry repository of `localhost:5000/analyzers`:
```yaml ```yaml
include: include:
......
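Review bot: the deleted "For example, this assumes a local Docker registry repository of `localhost:5000/analyzers`:" was what tied the YAML below to a concrete registry; the replacement "You must replace `image` to refer to the License Compliance Docker image hosted on your local Docker container registry" names the placeholder as `image` but does not say what value the example uses. If the YAML still shows `localhost:5000/analyzers`, say so, and phrase the instruction as setting the `image:` value rather than replacing `image`.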