CACHE_DIR is a project subdirectory, so bandit and other tools recurse into it

Describe the bug

The CACHE_DIR is a subdirectory of the project source code.

Expected behavior

When I activate bandit, the default option of bandit in the template is to scan recursively. Bandit should fail only on security issues in my own source code.

Actual behavior

When I activate bandit, the default option of bandit in the template is to scan recursively. So bandit goes into *CACHE_DIR and fires security issues from packages like pyaml, ...

This behavior is common to bandit, compile-all, ...

Screenshot (Capture_bandit): bandit going into the virtual env inside the cache directory.

Context & Configuration

The issue was reproduced using:

  • Version of the template: 6.4.1
  • GitLab server(s): self-managed GitLab Community Edition v16.5.3
  • GitLab runner(s): N/A

Here is the .gitlab-ci.yml file:

# included templates
include:
  # Python template
  # https://gitlab.com/to-be-continuous/python
  - project: "to-be-continuous/python"
    ref: "6.4.1"
    file: "templates/gitlab-ci-python.yml"

# your pipeline stages
stages:
  - build
  - test
  - package-build
  - package-test
  - infra
  - deploy
  - acceptance
  - publish
  - infra-prod
  - production

variables:
  # ##
  TZ: Europe/Paris
  # ##

  BANDIT_ENABLED: "true"

Possible solution

Since we cannot change the .cache directory, based on this code extract:

  # Change pip's cache directory to be inside the project directory since we can
  # only cache local items.
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  # Poetry support: force virtualenv not in project dir & use local cache dir
  POETRY_CACHE_DIR: "$CI_PROJECT_DIR/.cache/poetry"
  POETRY_VIRTUALENVS_IN_PROJECT: "false"
  PIPENV_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pipenv"

Maybe we need to move the source directory to a sibling directory of .cache and launch the tools in it.
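One way to keep the recursive scan out of the cache without moving the sources, as an added example that is not the template's own code: pass an exclude to bandit through the variable the template forwards to the bandit CLI (assumed here to be BANDIT_ARGS with a default of `--recursive .`; check the template README for the exact name). Bandit's `-x/--exclude` option takes a comma-separated list of paths, and its built-in exclude list covers `.git`, `.tox`, `__pycache__` and similar but not `.cache`, which is why findings from installed packages leak into the job.

```yaml
variables:
  TZ: Europe/Paris

  BANDIT_ENABLED: "true"
  # Assumed template variable forwarded to the bandit CLI. Keep the recursive
  # scan, but skip the cache tree the template creates under
  # $CI_PROJECT_DIR/.cache so third-party packages (pyaml, ...) pulled in by
  # pip/poetry/pipenv are not reported as this project's own findings.
  BANDIT_ARGS: "--recursive . --exclude ./.cache"
  # Alternative if the code lives in a dedicated directory (assumed "src"):
  # scan only that tree instead of the whole checkout.
  # BANDIT_ARGS: "--recursive src"
```

The same exclusion can be kept in the repository instead of the pipeline with `[tool.bandit] exclude_dirs = [".cache"]` in pyproject.toml, which bandit reads when run with `-c pyproject.toml`.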