Fix gosec job reporting thousands of vulnerabilities
We're seeing a huge spike of recently created vulnerabilities (please avoid sharing screenshots and metrics in this public MR).
This MR is to avoid the security scanners scanning everything under `.go`.
This is the root cause for the ~14k SAST findings: `GOPATH` was set to a folder in the working directory to be able to cache it. That's why we're not seeing any cache restore, but instead, `gosec` is reinstalling all the dependencies again in `.go`.
With this change, not only are we back to a reasonable 75 SAST findings, but the `gosec-sast` job now runs in less than 4 minutes instead of 30 minutes.
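As an added illustration (not the diff of this MR, which is not shown here), a `.gitlab-ci.yml` fragment reconstructing the situation described above: a `GOPATH` placed under the project directory so the CI cache can persist it, which puts every downloaded module inside the checkout where the SAST analyzers walk, beside the variant that keeps the cache but excludes that module tree from the scan. The template include, cache key, and the exact exclusion value are assumptions; `SAST_EXCLUDED_PATHS` is a real GitLab SAST variable.

```yaml
# Added example, not the MR's own diff: reconstructs the setup the MR describes.
# Template path and SAST_EXCLUDED_PATHS are real GitLab names; cache key and
# the exact paths are assumptions.

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Before: GOPATH pointed into the checkout so the cache could keep it.
  # Every module fetched by `go mod download` then lands under ./.go, inside
  # the tree the SAST analyzers scan, so third-party code shows up as findings
  # and the scan time balloons with the size of the module cache.
  GOPATH: $CI_PROJECT_DIR/.go
  # After (one way to fix it): keep the cache, but tell the SAST jobs to skip
  # the module tree. Without this line, gosec scans all of ./.go.
  SAST_EXCLUDED_PATHS: ".go/, vendor/"

cache:
  key: go-modules
  paths:
    - .go/pkg/mod/
```

The check worth keeping after a change like this is the findings count itself: a jump from tens to thousands of SAST results, or a scan that suddenly takes many times longer, usually means dependency code has entered the scanned tree rather than that the project's own code got worse.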
Edited by Philippe Lafoucrière