Commit a6e01f4f authored by Sam Kerr, committed by Nick Gaskill

Change commit description to appease danger bot

Applied a suggestion
parent 29740479
......@@ -301,25 +301,61 @@ license_scanning:
## Running License Compliance in an offline environment
License Compliance can be executed on an offline GitLab Ultimate installation by using the following
process:
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for the License Compliance job to
successfully run.
1. Host the License Compliance image
`registry.gitlab.com/gitlab-org/security-products/license-management:latest` in your local Docker
container registry.
1. Add the following configuration to your `.gitlab-ci.yml` file. You must replace the value of `image` to refer
to the License Compliance Docker image hosted on your local Docker container registry:
### Requirements for offline License Compliance
```yaml
include:
- template: License-Scanning.gitlab-ci.yml
To use License Compliance in an offline environment, you need:
license_scanning:
image: registry.example.com/namespace/license-management:latest
```
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- Docker Container Registry with locally available copies of License Compliance [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
1. Ensure the package registry is reachable from within the GitLab environment and that the package
manager is configured to use your preferred package registry.
NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner will try to pull Docker images from the GitLab container registry even if a local
copy is available. GitLab Runner's [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. However, we
recommend leaving the pull policy set to `always`, as it better enables updated scanners to be used
within your CI/CD pipelines.
### Make GitLab License Compliance analyzer images available inside your Docker registry
For License Compliance with all [supported languages and package managers](#supported-languages-and-package-managers),
import the following default License Compliance analyzer images from `registry.gitlab.com` to your
offline [local Docker container registry](../../packages/container_registry/index.md):
```plaintext
registry.gitlab.com/gitlab-org/security-products/license-management:latest
```
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../../application_security/index.md#maintenance-and-update-of-the-vulnerabilities-database)
with new definitions, so consider if you are able to make periodic updates yourself.
For details on saving and transporting Docker images as a file, see Docker's documentation on
[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/),
[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/).
### Set License Compliance CI job variables to use local License Compliance analyzers
Override License Compliance environment variables to use to your local container registry
as the source for License Compliance analyzer images.
For example, this assumes a local Docker registry repository of `localhost:5000/analyzers`:
```yaml
include:
- template: License-Scanning.gitlab-ci.yml
license_scanning:
image: localhost:5000/analyzers/license-management:latest
```
The License Compliance job should now use local copies of the License Compliance analyzers to scan
your code and generate security reports, without requiring internet access.
Additional [configuration](#using-private-maven-repos) may be needed for connecting to private Maven
repositories.
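Review bot: the rewritten section drops the old step "Ensure the package registry is reachable from within the GitLab environment and that the package manager is configured to use your preferred package registry" and replaces it with only the closing pointer to private Maven repositories. The analyzer has to resolve dependencies for every supported package manager, not just Maven, so the new "Requirements for offline License Compliance" list should keep a bullet stating that the project's package registries must be reachable and configured, otherwise the offline job will fail at dependency resolution even with the image mirrored. Two smaller points in the same hunk: "Override License Compliance environment variables to use to your local container registry" has a stray "to use to", and since the example overrides `image:` rather than a variable, the heading "Set License Compliance CI job variables" does not match the snippet; and the paragraph on transporting images should recommend only `docker save`/`docker load`, since `docker export`/`docker import` act on a container filesystem and discard image tags and layer history, so a registry push from an imported image will not produce the `license-management:latest` reference the snippet expects. Consider also noting that a `localhost:5000` registry will typically need to be listed under the Docker daemon's `insecure-registries` (or served over TLS) before the runner can pull from it.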