
Fix gosec job reporting thousands of vulnerabilities

Philippe Lafoucrière requested to merge fix-security-jobs into master

We're seeing a huge spike of recently created vulnerabilities (please avoid sharing screenshots and metrics in this public MR).

This MR is to avoid the security scanners scanning everything under .go.
This is the root cause for the ~14k SAST findings: GOPATH was set to a folder in the working directory to be able to cache it. That's why we're not seeing any cache restore, but instead, gosec is reinstalling all the dependencies again in .go.

With this change, not only are we back to a reasonable 75 SAST findings, but the gosec-sast job now runs in less than 4 minutes instead of 30 minutes.

Edited by Philippe Lafoucrière
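The failure described in this MR (a module cache placed inside the scanned tree, so the scanner reports on every dependency) shows up immediately if findings are grouped by top-level directory. The script below is an added example, not code from the MR or from GitLab: it assumes a report shaped like GitLab's gl-sast-report.json (a top-level `vulnerabilities` list whose items carry `location.file`), builds a constructed sample report with a few project findings and a pile under `.go/`, flags any directory that dominates the report, and merges it into a comma-separated `SAST_EXCLUDED_PATHS`-style value. The function and variable names are the example's own.

```python
"""Triage a SAST report by top-level directory (added example, not part of the MR).

Assumption: the report follows the GitLab security report shape, with a
top-level "vulnerabilities" list whose entries carry "location.file".
"""
import json
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample report: three project findings plus forty under .go/,
# mimicking a GOPATH that sits inside the working directory and gets scanned.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "c1", "location": {"file": "cmd/server/main.go", "start_line": 42}},
        {"id": "c2", "location": {"file": "internal/auth/token.go", "start_line": 7}},
        {"id": "c3", "location": {"file": "main.go", "start_line": 3}},
    ] + [
        {"id": f"d{i}",
         "location": {"file": f".go/pkg/mod/example.com/dep@v1.{i}.0/x.go",
                      "start_line": i}}
        for i in range(40)
    ],
})


def findings_by_top_dir(report_json: str) -> Counter:
    """Count findings per top-level path component; files at the root count as '.'."""
    report = json.loads(report_json)
    counts: Counter = Counter()
    for vuln in report.get("vulnerabilities", []):
        file_path = vuln.get("location", {}).get("file", "")
        parts = PurePosixPath(file_path).parts
        top = parts[0] if len(parts) > 1 else "."
        counts[top] += 1
    return counts


def suspicious_dirs(counts: Counter, threshold: float = 0.5) -> list:
    """Top-level directories holding more than `threshold` of all findings.

    One directory dominating the report is the signature of a scanner walking
    something it should not: a module cache, a vendor tree, build output.
    """
    total = sum(counts.values())
    if total == 0:
        return []
    return sorted(d for d, n in counts.items() if d != "." and n / total > threshold)


def excluded_paths_value(existing: str, extra: list) -> str:
    """Append directories to a comma-separated exclusion list without duplicates."""
    current = [p.strip() for p in existing.split(",") if p.strip()]
    for d in extra:
        if d not in current:
            current.append(d)
    return ", ".join(current)


if __name__ == "__main__":
    counts = findings_by_top_dir(SAMPLE_REPORT)
    for directory, n in counts.most_common():
        print(f"{n:6d}  {directory}")
    suspects = suspicious_dirs(counts)
    print("dominant directories:", suspects)
    # "spec, test, tests, tmp" stands in for whatever the job already excludes.
    print("suggested SAST_EXCLUDED_PATHS:",
          excluded_paths_value("spec, test, tests, tmp", suspects))
```

Run against a real report the same shape, the per-directory table is the quickest way to tell a genuine spike in findings from a scanner that has started walking a dependency tree; the exclusion value is only a starting point, since the better fix, as in this MR, is to keep the cache out of the scanned tree or exclude it explicitly in the job.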
