Good question, @tojoh147!
You do in fact need the docker (or kubernetes) executor for gitlab-runner to use these features on a self-managed installation of GitLab.
For GitLab.com, CI jobs will run using GitLab-provided Shared Runners that can run SAST, DAST, or any CI job without needing to set up a dedicated runner.
The Docker executor, when used with GitLab CI, connects to Docker Engine and runs each CI job in a separate and isolated container using the predefined image that is set up in
As such, each security scanner or analyzer is provided in an official GitLab docker image that includes all the dependencies needed to execute that particular security scan (with source code available and docker images available at registry.gitlab.com for the projects in gitlab-org/security-products or gitlab-org/security-products/analyzers).
To better understand how docker images are used in GitLab Secure CI jobs, I find browsing the SAST CI template https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml to be helpful (note that each *-sast scanner uses a separate docker image).
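
An added example, not part of the original reply and not GitLab's own code: a small check over a gitlab-runner `config.toml` that reports which registered runners use one of the two executors named above and can therefore run the image-based Secure jobs. The sample config and runner names are constructed, and the parser reads only the `name` and `executor` keys.

```python
import re

# Executors the reply names as able to run the image-based Secure jobs.
# Assumption: extend this set if you treat other container-based executors as capable.
CONTAINER_EXECUTORS = {"docker", "kubernetes"}

# Constructed sample of a gitlab-runner config.toml (not taken from a real host).
SAMPLE_CONFIG = '''
concurrent = 4

[[runners]]
  name = "build-shell"
  executor = "shell"

[[runners]]
  name = "secure-docker"
  executor = "docker"
  [runners.docker]
    image = "alpine:latest"

[[runners]]
  name = "secure-k8s"
  executor = "kubernetes"
'''

# Matches only the two runner-level keys this check needs.
KEY_RE = re.compile(r'^\s*(name|executor)\s*=\s*"([^"]*)"')

def runners_by_capability(config_text):
    """Return (capable, incapable) lists of runner names."""
    runners, current = [], None
    for line in config_text.splitlines():
        if line.strip() == "[[runners]]":
            current = {}              # start of a new runner entry
            runners.append(current)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            # setdefault keeps the first value seen for this runner
            current.setdefault(m.group(1), m.group(2))
    capable = [r.get("name", "?") for r in runners
               if r.get("executor") in CONTAINER_EXECUTORS]
    incapable = [r.get("name", "?") for r in runners
                 if r.get("executor") not in CONTAINER_EXECUTORS]
    return capable, incapable

if __name__ == "__main__":
    ok, not_ok = runners_by_capability(SAMPLE_CONFIG)
    print("can run Secure jobs:", ok)
    print("cannot run Secure jobs:", not_ok)
```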