SAST should support git url substitution for golang builds

Problem to solve

Golang code imports external modules by the repo URL, i.e.:

import (
   "gitlab.com/path/to/module"
)

If the repo at https://gitlab.com/path/to/module is private, then go get needs some credentials to pull it. In general, something like this works:

git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/".insteadOf "https://gitlab.com/"

(or just use cat > $HOME/.gitconfig <<EOF to produce the equivalent - that avoids needing to install git)

But SAST starts dind, and then runs a container inside of docker. This means that $HOME/.gitconfig is not accessible to the sast job. As a result, it cannot pull the dependencies, and it always fails.

Intended users

Developers working with golang that also have private repos.

Further details

SAST provides ways to pass in private repo credentials for other build systems.

Proposal

A very simple possibility: add a volume mount to the SAST job, -v $HOME/.gitconfig:$HOME/.gitconfig (or equivalent). Then, users can use before_script to provide any git url substitutions required.

I'm not sure this is the best UX - it's a little bit tricky and might be hard to troubleshoot. On the flip side, it keeps the current SAST model intact (taking external definitions and passing them in).
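The heredoc variant mentioned in the issue, written out as a shell helper that can be called from before_script. This is an added example, not part of the original issue or of GitLab's SAST code. The function names `write_gitconfig` and `redacted_gitconfig`, the character allow-lists and the 0600 file mode are assumptions.

```shell
#!/bin/sh
# Added example: produce the insteadOf rule without needing git installed.
# Function names, allow-lists and the 0600 mode are assumptions, not GitLab's.

# write_gitconfig HOST TOKEN [FILE]   (overwrites FILE, like `cat >` would)
write_gitconfig() {
    host=$1 token=$2 file=${3:-$HOME/.gitconfig}
    # Host and token are interpolated into a quoted config section, so reject
    # empty values and any character that could end the quotes or the URL early.
    case $host in
        ''|*[!A-Za-z0-9.:-]*) echo "write_gitconfig: bad host" >&2; return 1 ;;
    esac
    case $token in
        ''|*[!A-Za-z0-9._-]*) echo "write_gitconfig: bad token" >&2; return 1 ;;
    esac
    # The file holds a live credential: create it owner-only.
    (
        umask 077
        cat > "$file" <<EOF
[url "https://gitlab-ci-token:${token}@${host}/"]
    insteadOf = https://${host}/
EOF
    ) || return 1
    # umask does not tighten a file that already existed, so set the mode too.
    chmod 600 "$file"
}

# redacted_gitconfig [FILE]
# Prints the config with the credential masked, so the rewrite rule can be
# checked in job logs without printing the token.
redacted_gitconfig() {
    sed 's#\(https://[^:/@]*:\)[^@]*@#\1***@#' "${1:-$HOME/.gitconfig}"
}

# Typical use in before_script (CI_JOB_TOKEN is set by the runner):
#   write_gitconfig gitlab.com "$CI_JOB_TOKEN" && redacted_gitconfig
```

If this file is volume-mounted into the SAST container as proposed, the token is readable by whatever runs inside that container for the lifetime of the job.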
