The environment variable that disables Gemnasium in Dependency Scanning does not match the documentation
Summary
The documentation for dependency scanning mentions an environment variable named DEP_SCAN_DISABLE_REMOTE_CHECKS in its .gitlab-ci.yml snippet, but the dependency scanning source code recognizes a variable named SAST_DISABLE_REMOTE_CHECKS instead. Setting the documented variable therefore has no effect.
Steps to reproduce
Clone https://gitlab.com/gitlab-org/security-products/tests/js-npm and run dependency scanning in it with remote checks explicitly disabled:
git clone https://gitlab.com/gitlab-org/security-products/tests/js-npm
cd js-npm
docker run --env DEP_SCAN_DISABLE_REMOTE_CHECKS=true --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:11-2-stable" /code
What is the current bug behavior?
You will find Gemnasium entries in the displayed report. They shouldn't be there, because Gemnasium shouldn't have run at all.
What is the expected correct behavior?
No Gemnasium entries should appear in the report.
Possible fixes
Change the variable name read in https://gitlab.com/gitlab-org/security-products/dependency-scanning/blob/master/lib/analyze.rb#L18 so that it matches the documented DEP_SCAN_DISABLE_REMOTE_CHECKS.
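As an added illustration of the direction such a fix could take (this is not the project's code, and the actual contents of analyze.rb are not shown here), a small Ruby helper that honours the documented variable name while still accepting the legacy one, so a user following the documentation is not silently left with remote checks enabled; the `remote_checks_disabled?` name and the accepted truthy spellings are assumptions:

```ruby
# Illustrative example only, not the dependency-scanning analyzer's own code.
# Resolves the "disable remote checks" flag from either the documented name
# (DEP_SCAN_DISABLE_REMOTE_CHECKS) or the name the analyzer currently reads
# (SAST_DISABLE_REMOTE_CHECKS). Precedence goes to the documented name.

DOCUMENTED_VAR = 'DEP_SCAN_DISABLE_REMOTE_CHECKS'.freeze
LEGACY_VAR     = 'SAST_DISABLE_REMOTE_CHECKS'.freeze
# Assumed set of truthy spellings commonly seen in CI variables.
TRUTHY         = %w[true 1 yes on].freeze

# Anything other than a recognised truthy value (including unset or empty)
# means "not disabled", which keeps the default behaviour of running checks.
def truthy?(value)
  !value.nil? && TRUTHY.include?(value.strip.downcase)
end

# Returns [disabled, source_variable]; source_variable is nil when not disabled.
# `env` defaults to ENV but accepts any Hash-like object so it can be tested.
def remote_checks_disabled?(env = ENV)
  return [true, DOCUMENTED_VAR] if truthy?(env[DOCUMENTED_VAR])

  if truthy?(env[LEGACY_VAR])
    # Still honour the legacy name so existing pipelines keep working,
    # but tell the user which name the documentation expects.
    warn "#{LEGACY_VAR} is deprecated; use #{DOCUMENTED_VAR} instead"
    return [true, LEGACY_VAR]
  end

  [false, nil]
end

if $PROGRAM_NAME == __FILE__
  disabled, source = remote_checks_disabled?
  puts(disabled ? "remote checks disabled via #{source}" : 'remote checks enabled')
end
```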