Why do you need docker executor in Gitlab SAST and DAST

Gitlab EE Gold version has multiple security features (SAST, DAST, Dependency checking, API Fuzzing, …)

For all of these, it says it needs Docker executor. Does it mean for every security job, it will go out and download docker images of security tools on the internet?

For instance Static Application Security Testing (SAST) | GitLab

Good question, @tojoh147!

You do in fact need the docker (or kubernetes) executor for gitlab-runner to use these features on a self-managed installation of GitLab.

For GitLab.com, CI jobs will run using GitLab provided Shared Runners that can run SAST, DAST, or any CI job without needing to set up a dedicated runner.

The Docker executor, when used with GitLab CI, connects to Docker Engine and runs each CI job in a separate and isolated container using the predefined image that is set up in .gitlab-ci.yml.

As such, each security scanner or analyzer is provided in an official GitLab docker image that includes all the dependencies needed to execute that particular security scan (with source code available and docker images available at registry.gitlab.com for the projects in gitlab-org/security-products or gitlab-org/security-products/analyzers).

To better understand how docker images are used in GitLab Secure CI jobs, I find browsing the SAST CI template https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml to be helpful (note that each *-sast scanner uses a separate docker image).
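As an added illustration of the mechanism described in the answer above (this is not part of the original post or GitLab's own template), here is a minimal `.gitlab-ci.yml` that pulls in the SAST template. When a runner with the Docker executor picks up the pipeline, every `*-sast` job the template generates starts its own container from an analyzer image, so the only way to keep those pulls off the public internet is to point the template at a registry you control. The `SECURE_ANALYZERS_PREFIX` variable is assumed to be the template variable that sets the image prefix, and `registry.example.internal` is a hypothetical mirror host:

```yaml
# Added example, not from the forum post or the GitLab template itself.
# Pulling in the template is what creates the per-scanner jobs; each one runs
# in its own isolated container on a Docker (or Kubernetes) executor.
include:
  - template: Security/SAST.gitlab-ci.yml

# The template's generated jobs attach to the "test" stage.
stages:
  - test

variables:
  # Assumption: SECURE_ANALYZERS_PREFIX is the template variable that controls
  # where analyzer images are pulled from. Repointing it at an internal mirror
  # (hypothetical host below) means the runner never has to reach
  # registry.gitlab.com directly; with the default value the analyzer images
  # are downloaded from the public GitLab registry on every job.
  SECURE_ANALYZERS_PREFIX: "registry.example.internal/gitlab-org/security-products/analyzers"

# An ordinary job, shown only to make the point from the answer concrete:
# the executor runs it in a fresh container from whatever image is declared here,
# exactly as it does for the analyzer images the template declares.
unit-tests:
  stage: test
  image: python:3.12-slim
  script:
    - python -m pytest
```

A useful check after the first pipeline run is to open one of the generated `*-sast` jobs and read the first lines of its log: they name the image the executor pulled, so you can confirm whether the pull came from your mirror or from the public registry.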