author | Sami Hiltunen <shiltunen@gitlab.com> | 2022-05-19 18:04:24 +0300 |
---|---|---|
committer | Sami Hiltunen <shiltunen@gitlab.com> | 2022-05-25 10:30:04 +0300 |
commit | b1409acd86ab2968e2fd027c57ec237a5f2fc449 (patch) | |
tree | 5c406328f6f77df9e274ea0f87411c4430051f18 | |
parent | 244d701607858ce0c4231eb58a467bbf03d00ce8 (diff) | |
Remove build dependency from the gosec-sast job
gosec-sast job moves the GOPATH and the cached modules outside the
project directory as the scan will otherwise also scan through the
sources of all the dependencies. This leads to the runtime of the
scan growing massively. The job is currently dependent on the cache
existing from the build step as it unconditionally moves the cache
folder, failing if it doesn't exist. This commit prevents the job
from failing if the cache didn't extract the modules, breaking the
dependency on the build jobs, and adds the missing documentation for
the hack.
-rw-r--r-- | .gitlab-ci.yml | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c965c1352..a9cf877a5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -289,16 +289,22 @@ dbschema: when: on_failure gosec-sast: - needs: - - job: build - artifacts: false + needs: [] cache: - *cache_go_configuration variables: GOPATH: "/go" before_script: - apk add pkgconfig libgit2-dev gcc libc-dev - - mv .go /go + # Our pipeline places GOPATH to $CI_PROJECT_DIR/.go so it can be cached. + # This causes gosec-sast to find the module cache and scan all the sources of + # the dependencies as well. This makes the scan time grow massively. This is + # avoided by this job moving the GOPATH outside of the project directory along + # with the cached modules if they were successfully extracted. + # + # SAST_EXCLUDED_PATHS is not sufficient as it only filters out the results but + # still performs the expensive scan. + - if [ -d .go ]; then mv .go $GOPATH; fi rules: - if: $SAST_DISABLED when: never |
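Review bot: the guarded `mv .go $GOPATH` in the before_script still behaves differently depending on whether `$GOPATH` (`/go`) already exists in the job image: `mv` renames `.go` to `/go` only when `/go` is absent, and otherwise moves it inside as `/go/.go`, so the cached modules would end up at `/go/.go/pkg/mod` where the Go toolchain will not find them and the dependencies get downloaded again. Since the script is tolerant of a missing cache anyway, it would be more robust to merge the contents rather than rename the directory, and to quote the variable, e.g. `- if [ -d .go ]; then mkdir -p "$GOPATH" && cp -a .go/. "$GOPATH"/ && rm -rf .go; fi`. The new comment block explaining why `SAST_EXCLUDED_PATHS` is insufficient is a welcome addition; consider also noting there that `needs: []` means the job may run against a module cache restored from an earlier pipeline rather than the one built in this pipeline, which is acceptable for a scan but worth stating explicitly.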