Make SAST compatible with private dependencies
Problem to solve
Some projects have dependencies that are hosted in a private repository. We don't currently have a way, or at least a documented way, of propagating authentication into the SAST container and making it available to the analysis command.
.env file with the full list of environment variables from the outer Docker container before launching the inner container for analysis, and ensure that docker run is invoked with --env-file pointing at that file (docker run does not pick up a .env file on its own; the SAST wrapper should pass the flag automatically, without any user configuration). This will allow users to propagate credentials for private repositories into the analysis container.
This will also let us remove the long list of environment variables we are currently passing into the inner container one by one.
Add a note to our documentation on SAST environment variables.
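As an added example (not code from GitLab's SAST image or from this issue), the following POSIX shell script does what the proposal describes: it writes selected variables from the outer container's environment into an env file and starts the inner analyzer with docker run --env-file. It copies only an explicit list of variables rather than the whole environment, because a full dump would also hand every CI secret to the analyzer, and it skips values containing newlines, which the one-KEY=value-per-line env-file format cannot carry. The variable names MAVEN_REPO_USER and MAVEN_REPO_PASS, SAST_PRIVATE_DEPS_VARS, SAST_ANALYZER_IMAGE, the image name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from GitLab's SAST image or this issue: copy the
# credentials a private dependency repository needs from the outer (CI)
# container into the inner analyzer container with `docker run --env-file`.
# Variable names, the image name and the function names are assumptions.

# Write the named variables to "$1" in the env-file format docker expects:
# one KEY=value per line, the value taken literally (no quote stripping).
write_env_file() {
  out="$1"; shift
  nl=$(printf '\nx'); nl=${nl%x}          # a literal newline, for the check below
  ( umask 077; : > "$out" )               # credentials on disk: create owner-only
  for name in "$@"; do
    val=$(printenv "$name") || continue   # unset in the outer environment: skip
    case "$val" in
      *"$nl"*)                            # --env-file cannot carry multi-line values
        echo "write_env_file: skipping $name (multi-line value)" >&2
        continue ;;
    esac
    printf '%s=%s\n' "$name" "$val" >> "$out"
  done
  return 0
}

# Launch the analyzer image with the env file, then remove the file so the
# secrets do not linger in the job workspace. Mount path and image are assumptions.
run_analyzer() {
  envfile="$1"; image="$2"; shift 2
  docker run --rm --env-file "$envfile" -v "$PWD:/code" "$image" "$@"
  status=$?
  rm -f "$envfile"
  return $status
}

# Usage: runs only when the outer container sets SAST_PRIVATE_DEPS_VARS, an
# assumed space-separated list of variable names to forward, e.g.
#   SAST_PRIVATE_DEPS_VARS="MAVEN_REPO_USER MAVEN_REPO_PASS"
if [ -n "${SAST_PRIVATE_DEPS_VARS:-}" ]; then
  envfile=$(mktemp)
  write_env_file "$envfile" $SAST_PRIVATE_DEPS_VARS
  run_analyzer "$envfile" "${SAST_ANALYZER_IMAGE:-example/sast-analyzer}"
fi
```

Forwarding the variables is only half of the job: the build tool inside the analyzer still has to read them. Maven, for instance, can reference them from a settings.xml server entry as ${env.MAVEN_REPO_USER} and ${env.MAVEN_REPO_PASS}, so the documentation note should say which variables each language's analyzer consults.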
What does success look like, and how can we measure that?
- all or most supported languages have a documented way to use private dependencies during SAST analysis
What is the type of buyer?
Links / references
Here's another issue where we're trying to support private Maven dependencies in SAST: https://gitlab.com/gitlab-org/gitlab-ee/issues/6711