Gitlab SAST scan (gosec-sast job) not working with dependent Gitlab-hosted private repos

Replace this template with your information

Describe your question in as much detail as possible:

We have configured Gitlab’s SAST using Gosec on our codebase. The repo in question depends on another repo which is hosted on Gitlab.

When the analyzer runs we see the following output in the pipeline:

$ /analyzer run
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ GitLab Gosec analyzer v3.3.4
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Detecting project
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Running analyzer
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ using /go/src/app for the go pkg path
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ go modules detected
[INFO] [Gosec] [2021-11-18T07:01:23Z] ▶ Fetching dependencies...
[ERRO] [Gosec] [2021-11-18T07:01:29Z] ▶ /usr/local/go/bin/go get -d ./...
go: gitlab.com/<<OUR PACKAGE>>@v0.0.0-20211019082920-55b7bbb09493: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /go/pkg/mod/cache/vcs/0c45ae64c036be60fa44fb75fbdc4c24cfdf35a36565ddef911bdef080eac4cd: exit status 128:
	fatal: read error: Connection reset by peer

We’ve tried setting Go environment variables for private repos, to no avail - and in any case it looks like the runner just doesn’t have the right permissions to git fetch.

Does anyone know how we could get it to pull our private repo? We could create a token for the job, but then I’m not sure how go would know to use it!

The workaround is to override the default .sast-analyzer job by adding before_script job as follow: echo -e "[url \"https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/\"]\n\tinsteadOf = https://gitlab.com/" | tee -a ~/.gitconfig

Full override value is below

.sast-analyzer:
  extends: sast
  allow_failure: true
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  before_script:
   - echo -e "[url \"https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/\"]\n\tinsteadOf = https://gitlab.com/" | tee -a ~/.gitconfig
  script:
    - /analyzer run