SAST should support git url substitution for golang builds
Problem to solve
golang code imports external modules by the repo url; i.e.:
import (
    "gitlab.com/path/to/module" // Go import paths omit the https:// scheme
)
If the repo at https://gitlab.com/path/to/module is private, then go get needs some credentials to pull it. In general, something like this works:
git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/".insteadOf "https://gitlab.com/"
(or just use cat > $HOME/.gitconfig <<EOF to produce the equivalent - that avoids needing to install git)
But SAST starts dind, and then runs a container inside of docker. This means that $HOME/.gitconfig is not accessible to the sast job. As a result, it cannot pull the dependencies, and it always fails.
Intended users
Developers working with golang that also have private repos.
Further details
SAST provides ways to pass in private repo credentials for other build systems.
Proposal
A very simple possibility: add a volume mount to the SAST job, -v $HOME/.gitconfig:$HOME/.gitconfig (or equivalent). Then, users can use before_script to provide any git url substitutions required.
I'm not sure this is the best UX - it's a little bit tricky and might be hard to troubleshoot. On the flip side, it keeps the current SAST model intact (taking external definitions and passing them in).
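One way to write the substitution rule from before_script without installing git, as an added example that is not part of the original issue; the function name write_gitconfig and its arguments are assumptions. The resulting file still has to be made visible to the SAST container, for instance through the volume mount proposed above.

```shell
# Added example: write the url.<base>.insteadOf rule by hand (no git binary needed).
# write_gitconfig is a hypothetical helper; $1 = target file, $2 = host.
# Typical call from before_script: write_gitconfig "$HOME/.gitconfig" gitlab.com
write_gitconfig() {
    target=$1
    host=$2
    # An empty token would produce a rule that only fails later, as an opaque
    # authentication error inside the scanner, so stop here with a clear message.
    if [ -z "${CI_JOB_TOKEN:-}" ]; then
        echo "CI_JOB_TOKEN is not set; refusing to write $target" >&2
        return 1
    fi
    # Accept hostname characters only, so the value cannot break out of the
    # quoted section name in the config file.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host: $host" >&2; return 1 ;;
    esac
    # The file contains a credential: create it readable by the owner only.
    (
        umask 077
        cat > "$target" <<EOF
[url "https://gitlab-ci-token:${CI_JOB_TOKEN}@${host}/"]
	insteadOf = https://${host}/
EOF
    ) || return 1
    # umask does not change the mode of a file that already existed.
    chmod 600 "$target"
}
```

Keep shell tracing (set -x) off around the call, since the expanded heredoc would otherwise put the token in the job log.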