Make SAST (with DinD) compatible with Maven private dependencies
Problem to solve
Some projects have dependencies that are hosted in a private repo. We don't currently have a way, or at least a documented way, of propagating authentication into the SAST container so that the analysis command can use it.
Intended users
Persona: Software developer
Persona: DevOps Engineer
Proposal
Generate a .env file with the full list of environment variables from the outer Docker container before launching the inner container for analysis, and ensure that docker run loads that file. (It should do this automatically.) This will allow users to propagate credentials for private repositories into the analysis container.
This will also let us remove the long list of environment variables we are currently passing into the inner container manually.
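A sketch of the proposed step, as an added example rather than GitLab's own code: it writes the outer container's environment to a file in the literal VAR=VALUE format that docker run --env-file accepts, and skips the variables that describe the outer container itself (the SKIP_VARS list and the run_analyzer wrapper are assumptions, not part of the proposal).

```shell
#!/bin/sh
# Added example, not GitLab's code: dump the outer container's environment
# into a file that `docker run --env-file` accepts (literal VAR=VALUE lines).
# Variables describing the outer container itself are skipped so they do not
# override the analyzer image's own values; multi-line values are skipped
# because the --env-file format cannot express them.
SKIP_VARS="PATH HOME HOSTNAME PWD OLDPWD SHLVL TERM _"   # assumed skip list
NL="$(printf '\nx')"; NL="${NL%x}"   # a literal newline for the case match

# write_env_file OUTFILE: writes the file and prints the number of variables kept.
write_env_file() {
    outfile="$1"
    count=0
    : > "$outfile"
    chmod 600 "$outfile"   # the file will carry repository credentials
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u); do
        case " $SKIP_VARS " in
            *" $name "*) continue ;;
        esac
        # a continuation line of a multi-line value can itself look like NAME=...;
        # only keep names that are really set in this shell
        eval "[ -n \"\${$name+set}\" ]" || continue
        eval "value=\$$name"
        case "$value" in
            *"$NL"*) continue ;;   # multi-line value: unsupported by --env-file
        esac
        printf '%s=%s\n' "$name" "$value" >> "$outfile"
        count=$((count + 1))
    done
    echo "$count"
}

# Launch the inner analyzer with the generated file. IMAGE is a placeholder
# for the analyzer image; this wrapper is not invoked here.
run_analyzer() {
    envfile="$1"; image="$2"; shift 2
    docker run --rm --env-file "$envfile" "$image" "$@"
}
```

Because docker run --env-file takes each line literally, a value containing quotes is passed with the quotes included, and a value containing a newline cannot be passed this way at all.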
Documentation
Add a note to our documentation on SAST environment variables.
What does success look like, and how can we measure that?
- all or most supported languages have a way to support private dependencies
What is the type of buyer?
Links / references
Here's another issue where we're trying to support private Maven dependencies in SAST: https://gitlab.com/gitlab-org/gitlab-ee/issues/6711