Air-gapped security scans by default
Problem to solve
Air-gapped networks will be supported in GitLab soon. Instead of treating this configuration as a special case, I think we should make it the default for every user of our Security features.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Presley (Product Designer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Supporting air-gapped networks should not be a burden for our Engineering teams. Enabling it by default is actually a good idea, because all users would then share the same configuration and documentation.
Proposal
By enabling air-gapped by default we could:
- Give users more flexibility in how they keep their scanners up to date; #9725 (closed) would help here. A service would be in charge of downloading the images locally.
- Check licenses before allowing the images to be downloaded: a smart proxy could hash and send a key derived from the instance/group license.
- Make the pipeline faster, since images are already available locally (or at least on the same network).
- Make runs (jobs in the pipeline) reproducible, provided we control how and when engines and data are downloaded/updated.
- The sync method (either a project with scheduled pipelines, or a service) could also download and store binaries like the ones used in #13477 (closed).
```mermaid
graph TD
A[Air-Gapped] -->|Request updates| B(Sync service)
B --> C{Proxy checking license}
C -->|pulls| D[Analyzer A]
C -->|pulls| E[Analyzer B]
C -->|pulls| F[Analyzer C]
```
This service could also be a simple project available by default in GitLab instances, with a scheduled pipeline that downloads, tags, and stores the images locally. All images would be available in the same namespace. Users can easily adjust this schedule to fit their needs.
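As an added example (not GitLab's own code and not part of this issue), the following POSIX shell script sketches what the scheduled "download, tag, and store locally" job could run. The upstream and local registry hostnames, the analyzer names and tags, and the `analyzers.lock` file name are assumptions. It mirrors every analyzer into one local namespace, keeps tags as-is, turns digest-only references into a `sha256-<hex>` tag (registries reject pushes addressed by digest), and records the content digest of each mirrored image so the set of analyzers a pipeline ran with can be reproduced later.

```shell
#!/bin/sh
# Added example, not GitLab's own code: a sync job for the proposed
# "download, tag, and store locally" scheduled pipeline. The registry
# hostnames, the analyzer list and the lock file name are assumptions.
set -eu

# Where analyzer images are published (assumed upstream prefix).
UPSTREAM_PREFIX="${UPSTREAM_PREFIX:-registry.example.com/security-products/analyzers}"
# The single local namespace every scan job on the air-gapped side will use.
LOCAL_PREFIX="${LOCAL_PREFIX:-registry.internal.example/security-products}"
# DRY_RUN=1 prints the docker commands instead of running them; it is the
# default so the script can be executed without a registry at hand.
DRY_RUN="${DRY_RUN:-1}"
# Digest record appended to after each real sync (assumed file name).
MANIFEST="${MANIFEST:-analyzers.lock}"

# Constructed list of analyzer refs to mirror (placeholder names, tags, digest).
ANALYZERS="gosec:2 bandit:2 secrets@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# mirror_ref UPSTREAM_REF: print the local ref the image will be stored under.
mirror_ref() {
  ref=$1
  rest="${ref#"$UPSTREAM_PREFIX"/}"
  case "$rest" in
    *@sha256:*)
      # A digest cannot be pushed as such; encode it as a tag instead.
      name="${rest%@sha256:*}"
      name="${name%%:*}"          # drop any tag placed in front of the digest
      hex="${rest##*@sha256:}"
      printf '%s/%s:sha256-%s\n' "$LOCAL_PREFIX" "$name" "$hex"
      ;;
    *:*)
      printf '%s/%s\n' "$LOCAL_PREFIX" "$rest"
      ;;
    *)
      # No tag means "latest", the opposite of reproducible; say so explicitly.
      printf '%s/%s:latest\n' "$LOCAL_PREFIX" "$rest"
      ;;
  esac
}

# run_or_print CMD...: execute the command, or print it when DRY_RUN=1.
run_or_print() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# sync_image UPSTREAM_REF: pull on the connected side, retag into the local
# namespace, push, and record the content digest for the lock file.
sync_image() {
  src=$1
  dst=$(mirror_ref "$src")
  run_or_print docker pull "$src"
  run_or_print docker tag "$src" "$dst"
  run_or_print docker push "$dst"
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would record: %s <digest>\n' "$dst"
  else
    digest=$(docker image inspect --format '{{index .RepoDigests 0}}' "$src")
    printf '%s %s\n' "$dst" "$digest" >> "$MANIFEST"
  fi
}

# sync_all: mirror every analyzer listed in ANALYZERS.
sync_all() {
  for a in $ANALYZERS; do
    sync_image "$UPSTREAM_PREFIX/$a"
  done
}

# Only perform the sync when invoked as: sh sync-analyzers.sh sync
if [ "${1:-}" = sync ]; then
  sync_all
fi
```

Run it with `DRY_RUN=0 sh sync-analyzers.sh sync` from a scheduled pipeline job that has network access to the upstream registry; scan jobs on the air-gapped side then reference `$LOCAL_PREFIX/<analyzer>:<tag>` only. Pinning entries in `ANALYZERS` by digest rather than by tag is what makes the lock file meaningful: a tag can move between two scheduled runs, a digest cannot.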
Permissions and Security
TBD
Documentation
Documentation on air-gapped networks is not ready yet; to be updated.
Availability & Testing
Test that the new project (or the service, if that is the chosen approach) behaves as expected.
What does success look like, and how can we measure that?
- Same configuration for both air-gapped and regular users.