Add latest changes from gitlab-org/gitlab@master

2 files changed, 65 insertions, 1 deletions

diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 3028d575050..8e97427e061 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -62,7 +62,7 @@ The scanning tools and vulnerabilities database are updated regularly.
 | Secure scanning tool                                         | Vulnerabilities database updates          |
 |:-------------------------------------------------------------|-------------------------------------------|
 | [Container Scanning](container_scanning/index.md)            | Uses `clair`. The latest `clair-db` version is used for each job by running the [`latest` docker image tag](https://gitlab.com/gitlab-org/gitlab/blob/438a0a56dc0882f22bdd82e700554525f552d91b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L37). The `clair-db` database [is updated daily according to the author](https://github.com/arminc/clair-local-scan#clair-server-or-local). |
-| [Dependency Scanning](dependency_scanning/index.md)          | Relies on `bundler-audit` (for Rubygems), `retire.js` (for NPM packages), and `gemnasium` (GitLab's own tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated at least once a week. |
+| [Dependency Scanning](dependency_scanning/index.md)          | Relies on `bundler-audit` (for Rubygems), `retire.js` (for NPM packages), and `gemnasium` (GitLab's own tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated at least once a week. See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). |
 | [Dynamic Application Security Testing (DAST)](dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/master/Dockerfile#L1). The scanning rules are downloaded at scan runtime. |
 | [Static Application Security Testing (SAST)](sast/index.md)  | Relies exclusively on [the tools GitLab wraps](sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. |
 
@@ -240,6 +240,15 @@ An approval is optional when a license report:
 - Contains no software license violations.
 - Contains only new licenses that are `approved` or unknown.
 
+## Working in an offline environment
+
+It is possible to run most of the GitLab security scanners when not
+connected to the internet, in what is sometimes known as an offline,
+limited connectivity, Local Area Network (LAN), Intranet, or "air-gap"
+environment.
+
+Read how to [operate the Secure scanners in an offline environment](offline_deployments/index.md).
+
 ## Outdated security reports
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4913) in GitLab 12.7.
diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md
new file mode 100644
index 00000000000..f72b632ff82
--- /dev/null
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -0,0 +1,55 @@
+---
+type: reference, howto
+---
+
+# Offline deployments
+
+This document describes how to operate Secure scanners offline.
+
+## Overview
+
+It is possible to run most of the GitLab security scanners when not
+connected to the internet, in what is sometimes known as an offline,
+limited connectivity, Local Area Network (LAN), Intranet, or "air-gap"
+environment.
+
+In this situation, the GitLab instance can be one, or more, servers and services running in a network that can talk to one another, but have zero, or perhaps very restricted access to the internet. Assume anything within the GitLab instance and supporting infrastrusture (private maven repository for example) can be accessed via local network connection. Assume any files from the internet must come in via physical media (USB drive, hard drive).
+
+GitLab scanners generally will connect to the internet to download the
+latest sets of signatures, rules, and patches. A few extra steps are necessary
+to configure the tools to not do this and to still function properly.
+
+### Container registries and package repositories
+
+At a high-level, each of the security analyzers are delivered as Docker
+containers and reference various package repositories. When you run a job on
+an internet-connected GitLab installation, GitLab checks the GitLab.com-hosted
+container registry and package repositories to ensure that you have
+the latest versions.
+
+In an air-gapped environment, this must be disabled so that GitLab.com is not
+queried. Because the GitLab.com registry and repositories are not available,
+you must update each of the scanners to either reference a different,
+internally-hosted registry or provide access to the individual scanner images.
+
+You must also ensure that your app has access to common package repos
+that are not hosted on GitLab.com, such as npm, yarn, or rubygems. Packages
+from these repos can be obtained by temporarily connecting to a network or by
+mirroring the packages inside your own offline network.
+
+### Scanner signature and rule updates
+
+When connected to the internet, some scanners will reference public databases
+for the latest sets of signatures and rules to check against. Without connectivity,
+this is not possible. Depending on the scanner, you must therefore disable
+these automatic update checks and either use the databases that they came
+with or manually update those databases.
+
+## Specific scanner instructions
+
+Each individual scanner may be slightly different than the steps described
+above. You can find more info at each of the pages below:
+
+- [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-air-gapped-installation)
+- [SAST offline directions](../sast/index.md#gitlab-sast-in-an-offline-air-gapped-installation)
+- [DAST offline directions](../dast/index.md#running-dast-in-an-offline-air-gapped-installation)