The "npm install" Problem
In a standard startup, a developer runs npm install and downloads 500MB of dependencies from the public registry. In a classified facility (SCIF), that command simply hangs. The challenge of DevSecOps in defense is not the code you write, but the code you import.
Architecture: The Low-to-High Transfer
Defense software development typically happens in two zones:
- Low Side (Unclassified/Development): Connected to the internet (with restrictions). This is where you fetch dependencies.
- High Side (Classified/Production): Air-gapped from the Low Side; no network path exists between the two. This is where the software runs.
The bridge between these two is the Data Diode, a hardware device that physically enforces one-way data flow (Low -> High), ensuring no data can leak out of the classified network. The same property cuts the other way for the pipeline: nothing flows back, so the High Side can never ask for a retransmission. Every transfer therefore has to carry its own checksums or signatures so the receiver can verify integrity on arrival.
Survival Strategy 1: Local Dependency Mirrors
You cannot proxy the internet into a SCIF. You must bring the internet's useful parts inside. This requires hosting internal instances of package registries (Artifactory, Nexus, GitLab Packages) on the High Side.
The Sneakernet (or Diode) Pipeline
- Fetch: A Low Side automation bot watches lockfile changes (package-lock.json, or a requirements.txt pinned with --hash). Lockfiles, not package.json version ranges, name the exact artifacts to move.
- Download & Scan: It downloads those exact versions, verifies each tarball against the hash recorded in the lockfile, and runs SBOM generation, vulnerability scanning and malware scans.
- Transfer: Validated artifacts, plus a manifest of their hashes, are written to a "Transfer Appliance" (Diode or controlled USB).
- Ingest: A High Side bot re-checks every artifact against the manifest and pushes only the ones that verify to the Internal Registry.
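The four steps above, as an added example that is not part of the page or of Alterra's platform. The lockfile, the "tarballs" and the registry URLs are constructed stand-ins, and the function names are assumptions chosen for illustration. It shows the two checks that matter when there is no back-channel: the Low Side verifies each download against the lockfile's SRI integrity field before it is written to the appliance, and the High Side re-verifies both the transfer manifest and the lockfile hash before anything reaches the internal registry. Git, link and workspace dependencies, which have no registry tarball to pin, are rejected outright.

```python
"""Low-side bundle / high-side ingest for pinned npm dependencies.

Added example, not the page's or Alterra's code. Everything below is
constructed: the lockfile, the tarball bytes and the helper names are
illustrative, not a real package, registry or product API.
"""
import base64
import hashlib
import hmac

# npm stores tarball hashes in SRI form: "<algo>-<base64 digest>".
_SRI_ALGOS = {"sha512": hashlib.sha512, "sha384": hashlib.sha384, "sha256": hashlib.sha256}


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """Compute the SRI string npm would record in a lockfile 'integrity' field."""
    return f"{algo}-{base64.b64encode(_SRI_ALGOS[algo](data).digest()).decode()}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True only if the blob matches the SRI string; unknown algorithms fail closed."""
    algo, _, b64 = integrity.partition("-")
    if algo not in _SRI_ALGOS or not b64:
        return False
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return False
    return hmac.compare_digest(_SRI_ALGOS[algo](data).digest(), expected)


def pinned_packages(lock: dict) -> list:
    """Extract exact registry tarballs from a lockfileVersion 2/3 package-lock.json.

    Entries with no https tarball + integrity (git deps, links, workspaces) are
    rejected: nothing unpinned crosses the gap."""
    out = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the project root itself
            continue
        resolved, integrity = meta.get("resolved", ""), meta.get("integrity")
        if meta.get("link") or not integrity or not resolved.startswith("https://"):
            raise ValueError(f"{path}: not a pinned registry tarball with integrity")
        out.append({"name": path.rsplit("node_modules/", 1)[-1], "version": meta["version"],
                    "resolved": resolved, "integrity": integrity})
    return out


def build_bundle(lock: dict, fetch):
    """Low Side: download exactly the pinned tarballs, verify each against the lockfile,
    and emit a manifest the High Side can check without any return channel.
    `fetch` maps a resolved URL to bytes (a real bot would use an HTTP client)."""
    manifest, blobs = [], {}
    for pkg in pinned_packages(lock):
        data = fetch(pkg["resolved"])
        if not verify_sri(data, pkg["integrity"]):
            raise ValueError(f"{pkg['name']}@{pkg['version']}: download does not match lockfile")
        filename = f"{pkg['name'].replace('/', '__')}-{pkg['version']}.tgz"  # scoped names contain '/'
        blobs[filename] = data
        manifest.append({**pkg, "file": filename, "sha256": hashlib.sha256(data).hexdigest()})
    return manifest, blobs


def ingest(manifest: list, blobs: dict) -> list:
    """High Side: re-verify every artifact against the manifest and the lockfile hash
    before it is pushed to the internal registry. Returns the accepted name@version list."""
    accepted = []
    for entry in manifest:
        data = blobs.get(entry["file"])
        if data is None:
            raise ValueError(f"{entry['file']}: missing from transfer")
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry["sha256"]):
            raise ValueError(f"{entry['file']}: sha256 mismatch (corrupted or altered in transit)")
        if not verify_sri(data, entry["integrity"]):
            raise ValueError(f"{entry['file']}: does not match lockfile integrity")
        accepted.append(f"{entry['name']}@{entry['version']}")
    return accepted


# Constructed sample data: fake tarball bytes standing in for registry downloads.
TARBALLS = {
    "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz": b"constructed left-pad tarball",
    "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz": b"constructed ms tarball",
}
SAMPLE_LOCK = {  # constructed lockfileVersion 3 document, integrity computed from TARBALLS
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"left-pad": "^1.3.0", "ms": "^2.1.3"}},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
                                  "integrity": sri_for(TARBALLS["https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"])},
        "node_modules/ms": {"version": "2.1.3",
                            "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
                            "integrity": sri_for(TARBALLS["https://registry.npmjs.org/ms/-/ms-2.1.3.tgz"])},
    },
}

if __name__ == "__main__":
    manifest, blobs = build_bundle(SAMPLE_LOCK, TARBALLS.__getitem__)   # Low Side
    print("accepted on High Side:", ingest(manifest, blobs))             # after the diode
```

The manifest deliberately records sha256 of the file as transferred in addition to the lockfile's sha512 SRI: the first catches corruption or substitution on the appliance, the second ties what arrived back to what the developer actually locked. Signing the manifest on the Low Side and checking the signature on the High Side is the natural next step, and the only way to detect a manifest that was rewritten along with the blobs.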
Pro Tip: Never rely on "latest" tags. In air-gapped environments, immutability is key.
If you need react@18.2.0, you must explicitly transfer that exact tarball, and carry its lockfile integrity hash with it so the High Side can verify that what arrived is what was locked.
Survival Strategy 2: Offline Vulnerability Databases
Tools like Trivy or Grype usually fetch the latest CVE definitions from the web before scanning. This breaks offline. Scanners whose CLI depends on a hosted API (Snyk, for example) cannot be made fully offline at all; pick one whose database you can mirror.
You must configure your scanners to use an Offline DB, refreshed through the same diode pipeline as your dependencies.
# Example: Updating the Trivy DB in an air-gapped env
# 1. On Low Side: pull the vulnerability DB as an OCI artifact
#    (do the same for ghcr.io/aquasecurity/trivy-java-db:1 if you scan JARs)
skopeo copy docker://ghcr.io/aquasecurity/trivy-db:2 oci-archive:trivy-db.tar
# 2. Transfer trivy-db.tar (with its checksum) to High Side via Diode
# 3. On High Side: push the archive into the internal registry, then point Trivy at that mirror
skopeo copy oci-archive:trivy-db.tar docker://my-local-registry/aquasecurity/trivy-db:2
trivy image --offline-scan \
  --db-repository my-local-registry/aquasecurity/trivy-db:2 \
  my-local-registry/app:1.0.0
Container Hardening: The Scratch Approach
Every byte you transfer across the gap is a liability (and a pain). Huge base images like ubuntu:latest (70MB+) are wasteful.
Adopting Distroless or Scratch images is not just a security best practice; it's an operational necessity.
- Smaller Footprint: Faster transfer through the diode.
- Fewer Vulnerabilities: No OS package manager, shell or libc means far fewer CVEs flagged during the transfer scan.
The trade-off: a scratch image has no shell to exec into and no package database for a scanner to inventory, so generate the SBOM at build time from the binary's own dependencies, and keep a distroless :debug variant for troubleshooting rather than shipping a full OS.
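A multi-stage build that produces such an image, added here as an example rather than taken from the page or from Alterra's platform. It assumes a statically linked Go service, an internal mirror at my-local-registry (the name used in the Trivy example above) and an internal GOPROXY; the paths, tag and module layout are placeholders.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build on the High Side from mirrored inputs only. The base image tag and
# the Go module proxy are both served by the internal registry/mirror (assumed names).
FROM my-local-registry/library/golang:1.22.5 AS build
ENV GOPROXY=https://goproxy.my-local-registry GOFLAGS=-mod=mod CGO_ENABLED=0
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# -trimpath and -s -w drop build paths and symbols; the result is one static binary.
RUN go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: ship only what the process needs. No shell, no package manager, no libc.
FROM scratch
# CA bundle so the service can validate TLS to internal endpoints.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/app /app
# Numeric UID works without an /etc/passwd in the image; never run as root.
USER 65532:65532
ENTRYPOINT ["/app"]
```

Because nothing in the final stage came from an OS package manager, Trivy will report only what the Go binary itself carries (its module dependencies, which Trivy reads from the binary's embedded build info), so the vulnerability list that crosses the diode is the one you can actually act on.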
Alterra's Platform
We don't just write about this; we build it. Our Defense-Grade Architectures come with pre-configured "Diode-Ready" CI/CD pipelines, ensuring your mission-critical updates flow securely from development to deployment without violating information assurance policies.