Ignore some directories not working when analyzer scans the full repo
Description
Due to how they work, some analyzers have an AnalyzeAll property set to true that allows scanning the full repo when a compatible file has been found in any subtree.
While the ignored dirs are taken into account when searching, if there is a compatible file found anywhere else, the analyzer will run on the full repo tree, including the ignored dirs.
Proposal
- filter out any issue found in a file contained in an ignored dir: this is generic and easy to implement but not optimized. The scanner may unnecessarily analyze all the content of `vendor` or `node_modules` just to have the results filtered out afterwards.
- pass the ignored dirs to the scanner command: this is efficient but unfortunately we can't ensure all scanners provide such an option (we could fall back to proposal 1 for those).
- ?
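As an added illustration of proposal 1 (not code from the analyzers themselves), the sketch below post-filters scanner results by path. It matches ignored dirs as whole path components rather than string prefixes, so `vendor` drops `vendor/a.go` and `src/vendor/a.go` but keeps `vendored/a.go`, and a nested `node_modules` is caught at any depth. The `Finding` type, the sample results and the `ignored` list are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Finding is a constructed stand-in for one SAST result; only the
// file path matters for the filtering in this example.
type Finding struct {
	Path    string
	Message string
}

// InIgnoredDir reports whether relPath lies under any of the ignored
// directories. Matching is done per path component (not by prefix), so
// "vendor" matches "vendor/x" and "src/vendor/x" but not "vendored/x".
func InIgnoredDir(relPath string, ignored []string) bool {
	clean := strings.TrimPrefix(filepath.ToSlash(filepath.Clean(relPath)), "./")
	parts := strings.Split(clean, "/")
	dirs := parts[:len(parts)-1] // last component is the file name itself
	for _, d := range dirs {
		for _, ig := range ignored {
			// tolerate "vendor/" or "./vendor" spellings in the ignore list
			if d == strings.Trim(filepath.ToSlash(filepath.Clean(ig)), "/") {
				return true
			}
		}
	}
	return false
}

// FilterFindings keeps only the results whose file is outside every
// ignored dir (proposal 1: filter the scanner's output after the fact).
func FilterFindings(findings []Finding, ignored []string) []Finding {
	kept := make([]Finding, 0, len(findings))
	for _, f := range findings {
		if !InIgnoredDir(f.Path, ignored) {
			kept = append(kept, f)
		}
	}
	return kept
}

// SampleFindings returns constructed results as a full-repo scan might
// report them, including hits inside vendored and nested dependency dirs.
func SampleFindings() []Finding {
	return []Finding{
		{Path: "app/main.go", Message: "hardcoded credential"},
		{Path: "vendor/lib/crypto.go", Message: "weak hash"},
		{Path: "vendored/keep.go", Message: "sql string concat"},
		{Path: "web/node_modules/pkg/index.js", Message: "eval usage"},
	}
}

func main() {
	ignored := []string{"vendor", "node_modules/"}
	for _, f := range FilterFindings(SampleFindings(), ignored) {
		fmt.Printf("%s: %s\n", f.Path, f.Message)
	}
}
```

With `vendor` and `node_modules` ignored, only `app/main.go` and `vendored/keep.go` survive; the scanner still spent time on the other two files, which is the inefficiency the proposal notes.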
Related Issues
https://gitlab.com/gitlab-org/security-products/sast/issues/47