author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-14 00:09:57 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-14 00:09:57 +0000 |
commit | 9398d718d92a40a0a917040645a55dea51467a91 (patch) | |
tree | ce1242c69221f1e6abd701439631cf6e6d1b948d /doc/user | |
parent | 602ea42669779ec431bcaeb41fd95e079b1a7021 (diff) | |
download | gitlab-ce-9398d718d92a40a0a917040645a55dea51467a91.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user')
-rw-r--r-- | doc/user/application_security/dast/index.md | 37 | ||||
-rw-r--r-- | doc/user/project/deploy_tokens/img/deploy_tokens.png | bin | 62979 -> 177352 bytes | |||
-rw-r--r-- | doc/user/project/deploy_tokens/index.md | 21 |
3 files changed, 53 insertions, 5 deletions
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index c65d6adcff6..57d2a383768 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md 
@@ -463,10 +463,41 @@ The DAST job does not require the project's repository to be present when runnin ## Running DAST in an offline environment -DAST can be executed on an offline GitLab Ultimate installation by using the following process: +For self-managed GitLab instances in an environment with limited, restricted, or intermittent access +to external resources through the internet, some adjustments are required for the DAST job to +successfully run. For more information, see [Offline environments](../offline_deployments/index.md). + +### Requirements for offline DAST support + +To use DAST in an offline environment, you need: + +- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). +- Docker Container Registry with a locally available copy of the DAST [container image](https://gitlab.com/gitlab-org/security-products/dast), found in the [DAST container registry](https://gitlab.com/gitlab-org/security-products/dast/container_registry). + +NOTE: **Note:** +GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), +meaning the runner may try to pull remote images even if a local copy is available. Set GitLab +Runner's [`pull_policy` to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) +in an offline environment if you prefer using only locally available Docker images. + +### Make GitLab DAST analyzer images available inside your Docker registry + +For DAST, import the following default DAST analyzer image from `registry.gitlab.com` to your local "offline" +registry: + +- `registry.gitlab.com/gitlab-org/security-products/dast:latest` + +The process for importing Docker images into a local offline Docker registry depends on +**your network security policy**. Please consult your IT staff to find an accepted and approved +process by which external resources can be imported or temporarily accessed. 
Note that these scanners are [updated periodically](../index.md#maintenance-and-update-of-the-vulnerabilities-database) +with new definitions, so consider if you are able to make periodic updates yourself. + +For details on saving and transporting Docker images as a file, see Docker's documentation on +[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/), +[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/). + +### Set DAST CI job variables to use local DAST analyzers -1. Host the DAST image `registry.gitlab.com/gitlab-org/security-products/dast:latest` in your local - Docker container registry. 1. Add the following configuration to your `.gitlab-ci.yml` file. You must replace `image` to refer to the DAST Docker image hosted on your local Docker container registry: diff --git a/doc/user/project/deploy_tokens/img/deploy_tokens.png b/doc/user/project/deploy_tokens/img/deploy_tokens.png Binary files differindex 493de8e0fce..afe1dfb922f 100644 --- a/doc/user/project/deploy_tokens/img/deploy_tokens.png +++ b/doc/user/project/deploy_tokens/img/deploy_tokens.png diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md index 0bd511cf837..ebb12a6ed5d 100644 --- a/doc/user/project/deploy_tokens/index.md +++ b/doc/user/project/deploy_tokens/index.md 
@@ -2,8 +2,9 @@ > - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894) in GitLab 10.7. > - [Moved](https://gitlab.com/gitlab-org/gitlab/issues/199370) from **Settings > Repository** in GitLab 12.9. +> - [Added `write_registry` scope](https://gitlab.com/gitlab-org/gitlab/-/issues/22743) in GitLab 12.10. -Deploy tokens allow you to download (`git clone`) or read the container registry images of a project without having a user and a password. +Deploy tokens allow you to download (`git clone`) or push and pull the container registry images of a project without having a user and a password. Deploy tokens can be managed by [maintainers only](../../permissions.md). @@ -44,6 +45,7 @@ the following table. | ----- | ----------- | | `read_repository` | Allows read-access to the repository through `git clone` | | `read_registry` | Allows read-access to [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. | +| `write_registry` | Allows write-access (push) to [container registry](../../packages/container_registry/index.md). | ## Deploy token custom username @@ -83,6 +85,21 @@ docker login -u <username> -p <deploy_token> registry.example.com Just replace `<username>` and `<deploy_token>` with the proper values. Then you can simply pull images from your Container Registry. +### Push Container Registry images + +To push the container registry images, you'll need to: + +1. Create a Deploy Token with `write_registry` as a scope. +1. Take note of your `username` and `token`. +1. Log in to GitLab’s Container Registry using the deploy token: + + ```shell + docker login -u <username> -p <deploy_token> registry.example.com + ``` + +Just replace `<username>` and `<deploy_token>` with the proper values. Then you can simply +push images to your Container Registry. + ### Group Deploy Token > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21765) in GitLab 12.9. 
@@ -107,7 +124,7 @@ There's a special case when it comes to Deploy Tokens. If a user creates one named `gitlab-deploy-token`, the username and token of the Deploy Token will be automatically exposed to the CI/CD jobs as environment variables: `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD`, respectively. With the GitLab Deploy Token, the -`read_registry` scope is implied. +`read_registry` and `write_registry` scopes are implied. After you create the token, you can login to the Container Registry using those variables: |
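Review bot: In doc/user/application_security/dast/index.md (@@ -463 hunk), the added NOTE recommends setting `pull_policy` to `if-not-present` "if you prefer using only locally available Docker images", but that policy still pulls from the remote registry whenever the image is missing locally; only `never` restricts the runner to local images. Suggest rewording to say that `if-not-present` skips the pull when a local copy exists, and mentioning `never` for runners that must not reach out at all. The new heading "Set DAST CI job variables to use local DAST analyzers" also sits above a step that tells the reader to replace `image` rather than set variables, and removing the first step leaves a one-item numbered list; consider renaming the heading or turning the step into a plain paragraph.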
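Review bot: In doc/user/project/deploy_tokens/index.md (@@ -44,6 hunk), the new `write_registry` table row says only "Allows write-access (push)" and does not state whether the scope also grants pull, or whether `read_registry` has to be selected alongside it. The intro sentence changed in the first hunk of this file now promises "push and pull", so the table should spell out which scope combination gives that. The row also drops the "if a project is private and authorization is required" qualifier used in the `read_registry` row; if that is deliberate, because pushes always require authorization, a short clause saying so would help.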
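Review bot: The new "Push Container Registry images" section (@@ -83,6 hunk) shows `docker login -u <username> -p <deploy_token> registry.example.com`, which puts a token that now carries write access on the command line, where it ends up in shell history and is visible in the process list. Suggest showing `--password-stdin` instead, or at least mentioning it next to the example. The three steps and the closing paragraph are also a near copy of the pull section directly above, differing only in the scope name; a single login section that lists both scopes would keep the two from drifting apart. The curly apostrophe in "GitLab’s" should be a straight one, matching "you'll" in the same section.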
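Review bot: In the @@ -107,7 hunk, "`read_registry` and `write_registry` scopes are implied" is ambiguous: it can be read as saying that a token named `gitlab-deploy-token` gets both scopes regardless of what was selected when it was created. If the token only carries the scopes chosen at creation, say so explicitly. Since the same paragraph states that the credentials are exposed to CI/CD jobs as `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD`, it is worth one more sentence noting that with `write_registry` any job receiving those variables can push images, so readers select that scope only when their jobs need to publish.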