Offline configuration
- Tier: Ultimate
- Offering: GitLab Self-Managed
For instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the DAST job to successfully run. For more information, see Offline environments.
Requirements for offline DAST support
You can use any version of DAST in an offline environment. To do this, you need:
- GitLab Runner with the docker or kubernetes executor. The runner must have network access to the target application.
- Docker Container Registry with a locally available copy of the DAST container image, found in the DAST container registry. See Loading Docker images onto your offline host.
GitLab Runner has a default pull policy of always, meaning the runner tries to pull Docker images from the GitLab container registry even if a local copy is available. The GitLab Runner pull_policy can be set to if-not-present in an offline environment if you prefer using only locally available Docker images. However, we recommend keeping the pull policy setting to always if not in an offline environment, as this enables the use of updated scanners in your CI/CD pipelines.
Make GitLab DAST analyzer images available inside your Docker registry
For DAST, import the following default DAST analyzer image from registry.gitlab.com to your local Docker container registry:
registry.gitlab.com/security-products/dast:latest
The process for importing Docker images into a local offline Docker registry depends on your network security policy. Consult your IT staff to find an accepted and approved process by which external resources can be imported or temporarily accessed. These scanners are periodically updated with new definitions, and you may be able to make occasional updates on your own.
For details on saving and transporting Docker images as a file, see the Docker documentation on docker save, docker load, docker export, and docker import.
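The save, transport, and load procedure above, sketched as an added example (not from the GitLab documentation) that also records a SHA-256 checksum before transfer and refuses to load an archive that no longer matches it. The function names, the dast.tar file name, and the checksum step are assumptions; registry.example.com/namespace is the placeholder registry used in the CI/CD configuration on this page.

```shell
#!/bin/sh
# Added example: mirror the DAST image across an air gap with an integrity check.
SRC_IMAGE="registry.gitlab.com/security-products/dast:latest"
# Placeholder local registry (assumption); replace with your own.
LOCAL_PREFIX="registry.example.com/namespace"

# Map an upstream reference to its name in the local registry,
# keeping only the final path component and tag (dast:latest).
local_ref() {
    printf '%s/%s\n' "$LOCAL_PREFIX" "${1##*/}"
}

# Write <archive>.sha256 next to the archive, using a relative file name
# so the checksum file still verifies after both files are moved together.
record_checksum() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Succeed only if the archive still matches the recorded checksum.
verify_archive() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Connected host: pull the image, save it to a tar archive, record its checksum.
export_image() {
    docker pull "$SRC_IMAGE" &&
    docker save -o "$1" "$SRC_IMAGE" &&
    record_checksum "$1"
}

# Offline host: verify first, then load, retag for the local registry, and push.
import_image() {
    verify_archive "$1" || { echo "checksum mismatch: $1" >&2; return 1; }
    docker load -i "$1" &&
    docker tag "$SRC_IMAGE" "$(local_ref "$SRC_IMAGE")" &&
    docker push "$(local_ref "$SRC_IMAGE")"
}

# Usage: script export [archive]   (connected host)
#        script import [archive]   (offline host)
case "${1:-}" in
    export) export_image "${2:-dast.tar}" ;;
    import) import_image "${2:-dast.tar}" ;;
esac
```

Transfer dast.tar and dast.tar.sha256 together; for stronger assurance, carry the checksum file over a separate channel from the archive.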
Set DAST CI/CD job variables to use local DAST analyzers
Add the following configuration to your .gitlab-ci.yml file. You must replace image to refer to the DAST Docker image hosted on your local Docker container registry:
include:
  - template: DAST.gitlab-ci.yml
dast:
  image: registry.example.com/namespace/dast:latest
The DAST job should now use local copies of the DAST analyzers to scan your code and generate security reports without requiring internet access.
Alternatively, you can use the CI/CD variable SECURE_ANALYZERS_PREFIX to override the base registry address of the dast image.