path: root/doc/user/application_security
author: GitLab Bot <gitlab-bot@gitlab.com> 2020-03-05 09:08:31 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-03-05 09:08:31 +0000
commit: a76d34e6716aa8267111ecdcd21416e9dec3a08d (patch)
tree: 25876a46afec0af5b0d7168addb45e743d2a2128 /doc/user/application_security
parent: 00bd11b166a886742f04d38c0d2551e52ff51472 (diff)
download: gitlab-ce-a76d34e6716aa8267111ecdcd21416e9dec3a08d.tar.gz
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user/application_security')
-rw-r--r-- doc/user/application_security/container_scanning/index.md | 8
-rw-r--r-- doc/user/application_security/sast/index.md | 71
-rw-r--r-- doc/user/application_security/security_dashboard/index.md | 2
3 files changed, 80 insertions, 1 deletions
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 0277576c96d..aa7aba97c08 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -35,6 +35,10 @@ Having an extra job in your pipeline that checks for those vulnerabilities,
and the fact that they are displayed inside a merge request, makes it very easy
to perform audits for your Docker-based apps.
+[//]: # "NOTE: The container scanning tool references the following heading in the code, so if you"
+[//]: # " make a change to this heading, make sure to update the documentation URLs used in the"
+[//]: # " container scanning tool (https://gitlab.com/gitlab-org/security-products/analyzers/klar)"
+
## Requirements
To enable Container Scanning in your pipeline, you need:
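Review bot: the new `[//]: #` note above `## Requirements` tells editors that the klar analyzer links to this heading but not which URL it emits, so someone renaming the heading has nothing concrete to grep for in the analyzer repository; add the anchor the tool actually uses (the slug of `## Requirements`, i.e. `#requirements`) to the note, e.g. `[//]: # " (the analyzer links to this page's #requirements anchor)"`, so a rename can be verified rather than guessed.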
@@ -158,6 +162,10 @@ container_scanning:
GIT_STRATEGY: fetch
```
+[//]: # "NOTE: The container scanning tool references the following heading in the code, so if you"
+[//]: # " make a change to this heading, make sure to update the documentation URLs used in the"
+[//]: # " container scanning tool (https://gitlab.com/gitlab-org/security-products/analyzers/klar)"
+
### Available variables
Container Scanning can be [configured](#overriding-the-container-scanning-template)
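Review bot: same gap as the first hunk for `### Available variables`: the three comment lines are repeated verbatim but still omit the anchor the klar analyzer depends on, so state it (`#available-variables`) in the note. Since the wording is identical in both places, consider keeping the full explanation once and having the second note simply say that this heading is also referenced by the analyzer, which avoids the two copies drifting apart.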
diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md
index 675fc6c4f2a..9fbbd594cb2 100644
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -476,6 +476,77 @@ Once a vulnerability is found, you can interact with it. Read more on how to
For more information about the vulnerabilities database update, check the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
+## GitLab SAST in an offline air-gapped installation
+
+For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
+to external resources via the internet, some adjustments are required for the SAST job to
+successfully run.
+
+### Requirements for offline SAST
+
+To use SAST in an offline environment, you need:
+
+- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
+- Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
+
+NOTE: **Note:**
+GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
+meaning the runner may try to pull remote images even if a local copy is available. Set GitLab
+Runner's [`pull_policy` to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
+in an offline environment if you prefer using only locally available Docker images.
+
+### Make GitLab SAST analyzer images available inside your Docker registry
+
+For SAST with all [supported languages and frameworks](#supported-languages-and-frameworks),
+import the following default SAST analyzer images from `registry.gitlab.com` to your local "offline"
+registry:
+
+```
+registry.gitlab.com/gitlab-org/security-products/analyzers/bandit:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/brakeman:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/eslint:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/flawfinder:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/go-ast-scanner:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/kubesec:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/pmd-apex:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/security-code-scan:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2
+registry.gitlab.com/gitlab-org/security-products/analyzers/tslint:2
+```
+
+The process for importing Docker images into a local offline Docker registry depends on
+**your network security policy**. Please consult your IT staff to find an accepted and approved
+process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../index.md#maintenance-and-update-of-the-vulnerabilities-database)
+with new definitions, so consider if you are able to make periodic updates yourself.
+
+For details on saving and transporting Docker images as a file, see Docker's documentation on
+[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/),
+[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/).
+
+### Set SAST CI job variables to use local SAST analyzers
+
+[Override SAST environment variables](#customizing-the-sast-settings) to use to your [local container registry](./analyzers.md#using-a-custom-docker-mirror)
+as the source for SAST analyzer images.
+
+For example, assuming a local Docker registry repository of `localhost:5000/analyzers`:
+
+ ```yaml
+include:
+ - template: SAST.gitlab-ci.yml
+
+variables:
+ SAST_ANALYZER_IMAGE_PREFIX: "localhost:5000/analyzers"
+ SAST_DISABLE_DIND: "true"
+ ```
+
+The SAST job should now use local copies of the SAST analyzers to scan your code and generate
+security reports without requiring internet access.
+
## Troubleshooting
### Error response from daemon: error processing tar file: docker-tar: relocation error
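Review bot: the recommendation to set `pull_policy` to `if-not-present`, combined with the mutable `:2` tags listed under "Make GitLab SAST analyzer images available inside your Docker registry", means a runner keeps using whichever analyzer image it cached first and never picks up the periodic updates that the "updated periodically" sentence relies on; that sentence should say that refreshing requires re-importing the image into the local registry and removing the stale copy from the runner host (or referencing an immutable digest instead of the tag). Smaller points in the same hunk: "to use to your [local container registry]" has a stray "to"; the `yaml` fence lines are indented by one space while their contents are not, which differs from every other code block in this file; and `localhost:5000` is resolved by the Docker daemon or kubelet performing the pull, not by the job, so the example should state that the registry address must be reachable from the runner host rather than from the job container.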
diff --git a/doc/user/application_security/security_dashboard/index.md b/doc/user/application_security/security_dashboard/index.md
index a376ac1f26b..4b8c7aaac15 100644
--- a/doc/user/application_security/security_dashboard/index.md
+++ b/doc/user/application_security/security_dashboard/index.md
@@ -26,7 +26,7 @@ The Security Dashboard supports the following reports:
## Requirements
-To use the instance, group, project or pipeline security dashboard:
+To use the instance, group, project, or pipeline security dashboard:
1. At least one project inside a group must be configured with at least one of
the [supported reports](#supported-reports).