We have configured Gitlab’s SAST using Gosec on our codebase. The repo in question depends on another repo which is hosted on Gitlab.
When the analyzer runs we see the following output in the pipeline:
$ /analyzer run
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ GitLab Gosec analyzer v3.3.4
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Detecting project
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Running analyzer
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ using /go/src/app for the go pkg path
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ go modules detected
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Fetching dependencies...
[ERRO] [Gosec] [2021-11-18T07:01:29Z] ▶ /usr/local/go/bin/go get -d ./...
go: gitlab.com/<<OUR PACKAGE>>@v0.0.0-20211019082920-55b7bbb09493: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /go/pkg/mod/cache/vcs/0c45ae64c036be60fa44fb75fbdc4c24cfdf35a36565ddef911bdef080eac4cd: exit status 128:
fatal: read error: Connection reset by peer
We’ve tried setting Go environment variables for private repos, to no avail - and in any case it looks like the runner just doesn’t have the right permissions to git fetch.
Does anyone know how we could get it to pull our private repo? We could create a token for the job, but then I’m not sure how go would know to use it!
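The mechanism the question is asking about, as an added example that is not part of the original post: git's `url.<base>.insteadOf` rewrite lets `go get` reach a private GitLab module over HTTPS with the job token, and `GOPRIVATE` tells go not to route that module through the public proxy and checksum database. It assumes the private module lives under `gitlab.com/<group>/…`, that `CI_JOB_TOKEN` (set by GitLab CI) is permitted to read that repository, and that the script runs in the SAST job's `before_script`; `PRIVATE_GROUP` and the helper names are placeholders chosen here, not the project's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Teaches git and go how to
# reach a private GitLab module before the analyzer runs `go get -d ./...`.
# Assumptions: module path gitlab.com/<group>/<repo>, CI_JOB_TOKEN can read
# the repo, and this runs in the SAST job's before_script.

GITLAB_HOST="${GITLAB_HOST:-gitlab.com}"
PRIVATE_GROUP="${PRIVATE_GROUP:-example-group}"   # placeholder: your group/namespace

# Authenticated base URL. "gitlab-ci-token" is GitLab's fixed username for
# cloning over HTTPS with a job token.
auth_base_url() {
  printf 'https://gitlab-ci-token:%s@%s/' "$1" "$GITLAB_HOST"
}

# Show what git will do with a module URL once the insteadOf rule is in place:
# URLs on our GitLab host get the token injected, everything else is untouched.
rewrite_module_url() {
  token="$1"
  url="$2"
  prefix="https://$GITLAB_HOST/"
  case "$url" in
    "$prefix"*)
      rest="${url#"$prefix"}"
      printf '%s%s' "$(auth_base_url "$token")" "$rest"
      ;;
    *)
      printf '%s' "$url"
      ;;
  esac
}

# The GOPRIVATE pattern: go skips proxy.golang.org and sum.golang.org for
# matching module paths and fetches them directly with git.
goprivate_pattern() {
  printf '%s/%s/*' "$GITLAB_HOST" "$PRIVATE_GROUP"
}

# Apply both settings in the job. Fails fast when no job token is present so
# a misconfigured job does not silently fall back to anonymous fetches.
configure_ci() {
  if [ -z "$CI_JOB_TOKEN" ]; then
    echo "CI_JOB_TOKEN is not set; is this running inside a GitLab CI job?" >&2
    return 1
  fi
  git config --global \
    "url.$(auth_base_url "$CI_JOB_TOKEN").insteadOf" "https://$GITLAB_HOST/"
  GOPRIVATE="$(goprivate_pattern)"
  export GOPRIVATE
}

# Uncomment to apply inside the job:
# configure_ci
```

The job token is written into the runner's global git config in plain text, so this belongs in an ephemeral job container (the SAST analyzer's own image) rather than on a shared runner host; job tokens are revoked when the job finishes, which limits the exposure window. If the module path uses a self-hosted instance, set `GITLAB_HOST` accordingly.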