
Improve support for monorepos when running security scanners

With a git repo that contains multiple projects in the same language, I would like each of those projects to be scanned for security issues, so that I can use the monorepo pattern while still gaining the benefit of GitLab's security scanners.

I think the main issue that would need to be solved would be to add support for finding multiple projects in https://gitlab.com/gitlab-org/security-products/analyzers/common

This is my first time creating a feature proposal issue. So any help or advice on how to better fill this out would be much appreciated 😄

Problem to solve

Improve support for scanning repos with multiple projects in the same language

Intended users

Further details

For certain languages we scan all applicable files; i.e. checking for the presence of **/*.py. Other languages instead rely on a special project file to detect the base directory and run the scan.

  • brakeman looks for application.rb and scans its location as the first applicable project
  • spotbugs does not support inheritance #24076

Proposal

A. Automatically scan all applicable projects within a repo OR
B. Provide improved documentation on how to configure scanners to scan distinct projects within a single repository
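One way the "find multiple projects" part of option A could be approached in the common analyzer library, as an added example that is not GitLab's or the analyzers' own code: a Go function that walks the repository and returns every directory containing a project marker file (brakeman's application.rb from above) instead of stopping at the first, pruning vendored directories and capping search depth. The skip list, the depth limit and the marker path `config/application.rb` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Directories never descended into (constructed list): vendored code is not the repo's own.
var skipDirs = map[string]bool{"vendor": true, "node_modules": true, ".git": true}

// FindProjectRoots returns every directory under root, at most maxDepth levels deep,
// that contains one of the marker files (e.g. brakeman's config/application.rb), sorted
// and relative to root: one scan target per project instead of only the first match.
func FindProjectRoots(root string, markers []string, maxDepth int) ([]string, error) {
	var roots []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.IsDir() {
			return err // propagate walk errors; plain files are never project roots
		}
		rel, _ := filepath.Rel(root, path) // cannot fail: Walk paths always start with root
		if rel != "." {
			// Depth 1 is a direct child of root; prune skipped and too-deep directories.
			depth := strings.Count(rel, string(filepath.Separator)) + 1
			if skipDirs[info.Name()] || depth > maxDepth {
				return filepath.SkipDir
			}
		}
		for _, m := range markers {
			if _, statErr := os.Stat(filepath.Join(path, m)); statErr == nil {
				roots = append(roots, rel) // record once, even if several markers match
				break
			}
		}
		return nil
	})
	sort.Strings(roots)
	return roots, err
}

func main() {
	roots, err := FindProjectRoots(".", []string{"config/application.rb"}, 3)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("brakeman targets:", roots)
}
```

Run from the repository root; each returned path is a candidate working directory for a separate analyzer invocation.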

Permissions and Security

No change to permissions

What does success look like, and how can we measure that?

Better out-of-the-box scanning of monorepos

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Lucas Charles