✈️ Introduction
In high-security environments — defense, pharma, and banking — DevOps pipelines often run in air-gapped networks where internet access is restricted or completely blocked.
Yet these organizations still need continuous integration, delivery, and container management with the same speed and compliance as open environments.
So the question is:
💭 Can you build a fast, modern CI/CD pipeline without internet access?
Absolutely — if you design it right.
In this post, we’ll dive deep into how to architect an air-gapped DevOps pipeline, covering:
- 🔒 How to operate CI/CD tools offline (SonarQube, NexusIQ, Jenkins, Harbor)
- ⚙️ How to sync and mirror dependencies securely
- 🧩 A diagram showing air-gapped data flow
- 🧠 Design principles for performance and compliance
🧱 What Is an Air-Gapped DevOps Environment?
An air-gapped setup is an isolated network — physically or logically disconnected from the public internet.
Such environments are common in:
- 🪖 Defense and Government — classified networks
- 💊 Pharma and Healthcare — data sovereignty and FDA compliance
- 💰 Banking and Finance — internal risk isolation
The key design challenge: how do you keep your toolchain updated, build containers, and scan code without ever reaching out to the internet?
🏗️ Air-Gapped DevOps Architecture Overview
Here’s the logical flow of an air-gapped CI/CD setup:
```
[ Developer Workstation ]
            |
            v
[ Internal Git Server ] --> [ Jenkins (CI/CD) ]
            |                        |
            |                        v
            |       [ Local Container Registry (Harbor/Artifactory) ]
            |                        |
            |                        v
            |       [ SonarQube | NexusIQ (Offline Scanners) ]
            |                        |
            v                        v
[ Staging/Prod Clusters (Kubernetes/VM) ] <----> [ Security & Compliance Vaults ]
```
💡 No direct internet connection: All dependencies are fetched from mirror servers updated through controlled imports (USB, bastion, or DMZ transfer).
⚙️ Components of an Air-Gapped Pipeline
1. Jenkins or GitLab CI for Build & Deploy
Jenkins remains a reliable choice in air-gapped CI/CD setups.
- Install Jenkins LTS offline using `.war` files.
- Maintain plugin updates via internal plugin mirrors.
- Use shared libraries stored in Git.
🧩 Tip: Maintain a “plugin mirror job” in a connected network to fetch the latest `.hpi` files and push them into a transfer bundle weekly.
2. Offline Code Scanning: SonarQube & NexusIQ
Security and code quality don’t stop just because you’re offline.
🧠 SonarQube Offline Setup
- Download the SonarQube `.zip` and plugins in a connected environment.
- Sync plugin updates manually via USB or SFTP.
- Use a local PostgreSQL for persistence.
- Enable LDAP/AD integration for access control.
🧩 NexusIQ (Sonatype)
- Host a local IQ Server for SCA scans.
- Mirror dependency databases (Maven Central, npm, PyPI) to your internal Nexus Repository Manager.
- Schedule controlled update windows through the DMZ for vulnerability database syncs.
3. Local Artifact & Container Registry (Harbor or Artifactory)
Your local registry is the heart of your air-gapped CI/CD.
| Feature | Harbor | Artifactory |
|---|---|---|
| Container image storage | ✅ | ✅ |
| Helm charts | ✅ | ✅ |
| Vulnerability scanning | Trivy integration | Xray integration |
| Replication (mirror from DMZ) | ✅ | ✅ |
| RBAC & audit logs | ✅ | ✅ |
Key design:
- Mirror official container images via a staging mirror node in a semi-connected network.
- Scan incoming images before importing them into the air-gapped network.
- Tag approved base images (`base/java:approved-v1`, `base/node:approved-v3`).
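A build-time guard for the approved-base-image rule above, added here as an example and not code from the post: it parses every `FROM` in a Dockerfile and rejects any image that is not pulled from the internal registry under `base/` with an `approved-v<N>` tag, while still allowing multi-stage references to earlier build stages. The registry host `harbor.internal` and the sample Dockerfile are assumptions for this example.

```python
import re
# Assumed for this example (not from the post): internal Harbor host and approved-v<N> tags.
INTERNAL_REGISTRY = "harbor.internal"
APPROVED_TAG = re.compile(r"^approved-v\d+$")
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def parse_ref(ref):
    """Split an image reference into (registry, repository, tag)."""
    name = ref.split("@", 1)[0]                  # drop any @sha256:... digest suffix
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry = first                         # explicit registry host
    else:
        registry, rest = "docker.io", name       # no host given: implicit Docker Hub
    repo, _, tag = rest.rpartition(":")
    if not repo:                                 # no tag given at all
        repo, tag = rest, "latest"
    return registry, repo, tag

def check_dockerfile(text):
    """Return policy violations; an empty list means every FROM is an approved base image."""
    violations, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref.lower() in stages:                # refers to an earlier build stage, not an image
            continue
        registry, repo, tag = parse_ref(ref)
        if registry != INTERNAL_REGISTRY:
            violations.append(f"line {lineno}: {ref} is not from {INTERNAL_REGISTRY}")
        elif not repo.startswith("base/"):
            violations.append(f"line {lineno}: {ref} is not under base/")
        elif not APPROVED_TAG.match(tag):
            violations.append(f"line {lineno}: {ref} does not use an approved-v<N> tag")
        if alias:
            stages.add(alias.lower())
    return violations
# Constructed sample: a compliant multi-stage build followed by three policy violations.
SAMPLE = """\
FROM harbor.internal/base/java:approved-v1 AS builder
FROM builder
FROM ubuntu:22.04
FROM harbor.internal/library/nginx:approved-v2
FROM harbor.internal/base/node:latest
"""

if __name__ == "__main__":
    print("\n".join(check_dockerfile(SAMPLE)) or "OK: all base images approved")
```

Run it as a pre-build step in the Jenkins job so a `FROM` pointing at Docker Hub or an unapproved tag fails the build before any image is produced.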
4. Dependency Mirroring
| Source | Mirror Tool | Notes |
|---|---|---|
| Maven Central | Nexus/Artifactory | Mirror .jar artifacts via scheduled imports |
| npm Registry | Verdaccio / Nexus | Local NodeJS package registry |
| PyPI | Devpi | Mirror Python packages |
| Docker Hub | Harbor / Registry | Import pre-scanned base images |
⚙️ Establish a dedicated update pipeline that pulls from the internet (under security review) → signs packages → transfers them to air-gapped infra.
5. CI/CD Flow in an Air-Gapped Network
Let’s visualize the end-to-end workflow 👇
🔄 Diagram: Air-Gapped DevOps Data Flow
[ Developer Commits Code ]
↓
[ Internal Git (Gitea / Bitbucket Server) ]
↓
[ Jenkins Builds & Runs Offline Scans ]
├── SonarQube (Code Quality)
├── NexusIQ (Dependency Scan)
└── Build Container (Harbor Base Image)
↓
[ Push to Harbor Registry ]
↓
[ ArgoCD / Jenkins Deploys to K8s (Offline Cluster) ]
↓
[ Logs & Metrics → Internal ELK / Prometheus ]
🧩 Every dependency and image comes from your local mirrored repositories.
🔐 Security Best Practices
- Enforce Signature Validation
  - Sign container images with cosign or Notary.
  - Verify signatures against trusted keys before import.
- Centralize Credential Management
  - Vault or CyberArk for managing Jenkins secrets and tokens.
- Enable Audit and RBAC
  - Restrict registry pushes to CI/CD only.
  - Apply read-only roles for developers.
- Automated Scanning Before Import
  - Use a connected DMZ pipeline to pre-scan new packages/images before transferring.
- Immutable Infrastructure
  - Promote only signed, tested artifacts across environments (dev → stage → prod).
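The update pipeline from section 4 (pull, scan, sign, transfer) and the pre-scan and promotion practices above both depend on the air-gapped side being able to confirm that what arrived is exactly what the DMZ approved. The following is an added example, not code from the post: the connected side writes a sha256 manifest of every approved artifact (that manifest is the file you would sign with cosign or GPG and verify before the step shown here), and the air-gapped importer rejects bundles with modified, missing or unlisted files. The bundle layout and file names are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # the file that gets signed (cosign/GPG) on the connected side

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()   # fine for example-sized files

def list_artifacts(bundle_dir):
    """Map each relative path in the bundle (except the manifest) to its Path."""
    return {p.relative_to(bundle_dir).as_posix(): p
            for p in sorted(bundle_dir.rglob("*")) if p.is_file() and p.name != MANIFEST}

def build_manifest(bundle_dir):
    """Connected/DMZ side: record the digest of every scanned, approved artifact."""
    manifest = {"artifacts": {rel: sha256_file(p) for rel, p in list_artifacts(bundle_dir).items()}}
    (bundle_dir / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_bundle(bundle_dir):
    """Air-gapped side: return problems found; an empty list means the bundle may be imported."""
    expected = json.loads((bundle_dir / MANIFEST).read_text())["artifacts"]
    present = list_artifacts(bundle_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in present:
            problems.append(f"missing artifact: {rel}")
        elif sha256_file(present[rel]) != digest:      # modified in transit
            problems.append(f"digest mismatch: {rel}")
    for rel in present:                                   # anything the DMZ never scanned
        if rel not in expected:
            problems.append(f"unlisted artifact: {rel}")
    return sorted(problems)

def demo():
    """Constructed bundle: verify it clean, then tamper with one file and smuggle in another."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp)
        (bundle / "images").mkdir()
        (bundle / "images" / "base-java-approved-v1.tar").write_bytes(b"fake image layers")
        (bundle / "plugins").mkdir()
        (bundle / "plugins" / "git.hpi").write_bytes(b"fake jenkins plugin")
        build_manifest(bundle)
        clean = verify_bundle(bundle)
        (bundle / "plugins" / "git.hpi").write_bytes(b"modified plugin")
        (bundle / "extra.whl").write_bytes(b"never scanned")
        return clean, verify_bundle(bundle)
```

Only a bundle whose manifest signature checks out and whose `verify_bundle` result is empty should be loaded into Harbor or Nexus; everything else goes back to the DMZ for review.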
🧩 Tools to Consider
| Function | Air-Gap-Friendly Tools |
|---|---|
| SCM | Gitea, Bitbucket Server |
| CI/CD | Jenkins, GitLab CI |
| Code Quality | SonarQube (offline mode) |
| SCA | NexusIQ, Dependency-Track |
| Registry | Harbor, Artifactory |
| IaC Scanning | Checkov, Terrascan (CLI) |
| Secrets Mgmt | HashiCorp Vault |
| Monitoring | Prometheus + Grafana (offline dashboards) |
💬 Key Message
“Offline doesn’t mean outdated.”
With proper mirroring, scanning, and governance, an air-gapped pipeline can be:
✅ Fast — using internal mirrors and caches.
✅ Compliant — meeting ISO, NIST, and regulatory standards.
✅ Modern — leveraging the same CI/CD patterns, just securely offline.
🧭 Conclusion
Air-gapped doesn’t mean primitive.
By combining mirroring, automation, and strong governance, you can build a DevOps pipeline that’s secure, compliant, and future-proof — even without internet access.
The next generation of defense, healthcare, and finance pipelines will prove one thing:
🚀 Isolation can be innovation — if designed right.