Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure stage Offline Environment functionality demos / 29 May 2020
GitLab / Secure stage Offline Environment functionality demos / 29 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Security Scanning features working in offline environments

Description

Kevin Chasse, a Technical Account Manager at GitLab, talks about the features to get GitLab's built-in security scanning features working in an offline environment including the recent deprecation of Docker-in-Docker (DinD) use with the scanning tools.

A

Hello, my name is Kevin Chauncey and I'm, a Technical Account Manager here at gala I'm here to talk to you today about how get labs security scanning features work in offline environments. First, let's define what an offline environments are. Essentially, they are environments where you're get live. Instance cannot reach out to all the resources that it means on the internet.

A

You'll have security scanners by default, reach out to image repositories and other resources on the internet that make the use of them, and they included templates within get line very easy to use when your instance has access to them over the Internet.

A

However, not all installs of get lab have that different cases where this may not be the cases such as completely air-gapped environments, where your network or your environment has no physical access to the internet whatsoever, but also ones where there are limited connectivity may be firewall rules and place or other restrictions put on the network by your organization that you, as a gate, lab administrator, don't have any control over. Also, some intranet environments may also fall into this category.

A

So, basically, any time the get lab cannot reach out to the internet to get the resources it needs to do security scanning these instructions and features will come into play.

A

So this article, we're looking at is part of the documentation suite within get lime comm, and it walks you through these definitions and gives you an overview of how the security scanners work and the kinds of resources they need, such as container industries and package repositories and some of the limitations you may run into even after you've used the features that allow you to overcome the need to have internet-based container registration package repositories.

A

You interact with vulnerabilities or try to use our Auto remediation features they may or may not work depending on the settings within your individual network and then at the bottom. We have our specific scanner, instructions that have links directly to the documents for each of the five different scanners.

A

If we look at just one of these, just to give you an example and then you can look at the rest yourself on your own I'll just show you kind of how these work and the theme behind how you will make changes to your installation to get these to work.

A

So again, we have an overview here on this documentation, page of running in an offline environment. What the requirements are. So in this case you have to have a runner that can use docker kubernetes and you need a local docker container industry that has a copy of our dasa container image, and so there's links to these here that you can get to and download and then manually upload into your local container registry.

A

So here it tells you exactly which docker container you need to get off of get live.com and transfer on to your network, and then it also shows you how you can modify your CI gamma file to use our built-in template and override the image to instead of using the one that is on gitlab comm. It can use any local path to the name of the image.

A

Whatever you have stored it on your local conductance, now some of the changes that we had to do in order to get this working involved, removing of the darker and darker capability, so darker and darker, is the ability to have a docker container than have docker running inside of it to then spin up another docker, and this is a convenient way to do some of these scans so that you can have docker inside of doc.

A

However, when you do this, you make making his work in offline environments even more difficult, and so one of the things that we did it get lab was remove the need or give you a way to not have dr. and effort turned on well as a 13-point. Oh, we now have darn decor disabled by default, so before in in the twelfth of X series, it was enabled by default and now is disabled by default. If you need to enable it there's instructions here and here I'm on the get lab, 30 no release blog.

A

That has a specific section on how we deprecated our dock. So, as a 13 point, oh darn, doctor is now turned off by default and as of 12.10, we have all of all 5 scanners working in some manner for offline with different sets of instructions for the different scanners.

A

Thank you very much not great day you.