Commit 84ad244c authored by Nick Gaskill's avatar Nick Gaskill

Merge branch 'Secure-offline-scanners-docs' into 'master'

Try to get the offline docs to be similar - Container Scanning

See merge request gitlab-org/gitlab!27468
parents 73f4025c 15bbe1f7
...@@ -212,11 +212,46 @@ If you want to whitelist specific vulnerabilities, you'll need to: ...@@ -212,11 +212,46 @@ If you want to whitelist specific vulnerabilities, you'll need to:
### Running Container Scanning in an offline environment ### Running Container Scanning in an offline environment
Container Scanning can be executed on an offline GitLab Ultimate installation by using the following process: For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for the Container Scanning job to
successfully run. For more information, see [Offline environments](../offline_deployments/index.md).
1. Host the following Docker images on a [local Docker container registry](../../packages/container_registry/index.md): #### Requirements for offline Container Scanning
- [arminc/clair-db vulnerabilities database](https://hub.docker.com/r/arminc/clair-db)
- GitLab klar analyzer: `registry.gitlab.com/gitlab-org/security-products/analyzers/klar` To use Container Scanning in an offline environment, you need:
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- To configure a local Docker Container Registry with copies of the Container Scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/klar) images, found in the [Container Scanning container registry](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry).
NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner may try to pull remote images even if a local copy is available. Set GitLab
Runner's [`pull_policy` to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images.
#### Make GitLab Container Scanning analyzer images available inside your Docker registry
For Container Scanning, import and host the following images from `registry.gitlab.com` to your
offline [local Docker container registry](../../packages/container_registry/index.md):
- [arminc/clair-db vulnerabilities database](https://hub.docker.com/r/arminc/clair-db)
- GitLab klar analyzer: `registry.gitlab.com/gitlab-org/security-products/analyzers/klar`
The process for importing Docker images into a local offline Docker registry depends on
**your network security policy**. Please consult your IT staff to find an accepted and approved
process by which external resources can be imported or temporarily accessed.
Note that these scanners are [updated periodically](../index.md#maintenance-and-update-of-the-vulnerabilities-database)
with new definitions, so consider if you are able to make periodic updates yourself.
You can read more specific steps on how to do this [below](#automating-container-scanning-vulnerability-database-updates-with-a-pipeline).
For details on saving and transporting Docker images as a file, see Docker's documentation on
[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/),
[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/).
#### Set Container Scanning CI job variables to use local Container Scanner analyzers
Container Scanning can be executed on an offline GitLab Ultimate installation using the following process:
1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry: 1. [Override the container scanning template](#overriding-the-container-scanning-template) in your `.gitlab-ci.yml` file to refer to the Docker images hosted on your local Docker container registry:
...@@ -234,7 +269,12 @@ Container Scanning can be executed on an offline GitLab Ultimate installation by ...@@ -234,7 +269,12 @@ Container Scanning can be executed on an offline GitLab Ultimate installation by
self-signed certificate, then you must set `DOCKER_INSECURE: "true"` in the above self-signed certificate, then you must set `DOCKER_INSECURE: "true"` in the above
`container_scanning` section of your `.gitlab-ci.yml`. `container_scanning` section of your `.gitlab-ci.yml`.
It may be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.md) to automatically build a new version of the vulnerabilities database on a preset schedule. You can use the following `.gitlab-yml.ci` as a template: #### Automating Container Scanning vulnerability database updates with a pipeline
It can be worthwhile to set up a [scheduled pipeline](../../../ci/pipelines/schedules.md) to
automatically build a new version of the vulnerabilities database on a preset schedule. Automating
this with a pipeline means you won't have to do it manually each time. You can use the following
`.gitlab-yml.ci` as a template:
```yaml ```yaml
image: docker:stable image: docker:stable
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment