Run DAST in an offline environment
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required for the DAST job to successfully run. For more information, see Offline environments.
Requirements for offline DAST support
To use DAST in an offline environment, you need:
- GitLab Runner with the
- Docker Container Registry with a locally available copy of the DAST container image, found in the DAST container registry.
Note that GitLab Runner has a default
pull policy of
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. The GitLab Runner
pull_policy can be set to
in an offline environment if you prefer using only locally available Docker images. However, we
recommend keeping the pull policy setting to
always if not in an offline environment, as this
enables the use of updated scanners in your CI/CD pipelines.
Make GitLab DAST analyzer images available inside your Docker registry
For DAST, import the following default DAST analyzer image from
registry.gitlab.com to your local Docker container registry:
The process for importing Docker images into a local offline Docker registry depends on your network security policy. Please consult your IT staff to find an accepted and approved process by which external resources can be imported or temporarily accessed. These scanners are periodically updated with new definitions, and you may be able to make occasional updates on your own.
Set DAST CI/CD job variables to use local DAST analyzers
Add the following configuration to your
.gitlab-ci.yml file. You must replace
image to refer to
the DAST Docker image hosted on your local Docker container registry:
include: - template: DAST.gitlab-ci.yml dast: image: registry.example.com/namespace/dast:latest
The DAST job should now use local copies of the DAST analyzers to scan your code and generate security reports without requiring internet access.
Alternatively, you can use the CI/CD variable
SECURE_ANALYZERS_PREFIX to override the base registry address of the