I would have thought this would be straightforward, but I can’t figure it out. We have a repository which has a Go project that is not in the root of the repo, so the go.mod and all the .go files are nested one directory in. If we pull in the default gosec SAST template into our .gitlab-ci.yml it gets confused because there is no go.mod at the root and tries to find packages in GOPATH etc.
I’ve looked at the GitLab analyzer wrapper for gosec, and it appears to hardcode ./... as the target. I’m sure I’m missing something, but I can’t see if there’s a way to configure it to run only on a subdirectory.
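One way around the wrapper's hard-coded ./... is to stop scanning from the repository root and instead run gosec once per directory that contains a go.mod, so its ./... resolves against the nested module; the script below is an added example, not code from the post, the GitLab analyzer, or the gosec project. It assumes gosec is installed in the job image (the GOSEC variable is my own override hook, not a gosec or GitLab setting), and it writes gosec's native JSON reports, not a file in GitLab's SAST report schema.

```shell
#!/bin/sh
# Added example: scan every Go module in a repository with gosec, so a
# go.mod nested one directory down is found instead of falling back to
# GOPATH. Not part of the GitLab gosec analyzer; gosec must be installed.
set -eu

# Print the directory of every go.mod under ROOT (default: current dir),
# relative to ROOT, skipping vendor/ trees and .git. A go.mod at ROOT
# itself is reported as ".".
find_go_modules() {
  ( cd "${1:-.}" && find . -name go.mod -type f \
        -not -path '*/vendor/*' -not -path '*/.git/*' \
        -exec dirname {} \; | sed 's#^\./##' | sort )
}

# Run gosec in each module directory. gosec expands ./... relative to the
# current directory, so cd'ing into the module is what makes the nested
# layout work. One JSON report per module lands in OUTDIR (default:
# gosec-reports). -no-fail keeps one module's findings from aborting the
# loop; inspect the reports (or drop the flag) to gate the pipeline.
# GOSEC (assumed, hypothetical) lets a caller substitute the binary.
scan_go_modules() {
  root="${1:-.}"
  outdir="${2:-gosec-reports}"
  mkdir -p "$outdir"
  outdir=$(cd "$outdir" && pwd)   # absolute, so it survives the cd below
  find_go_modules "$root" | while read -r mod; do
    name=$(printf '%s' "$mod" | tr '/.' '__')
    ( cd "$root/$mod" && \
      "${GOSEC:-gosec}" -fmt=json -out="$outdir/$name.json" -no-fail ./... )
  done
  # Return the number of modules scanned on stdout.
  find_go_modules "$root" | wc -l | tr -d ' '
}
```

In a .gitlab-ci.yml job this would replace the template's gosec-sast job with a script step such as `scan_go_modules . gosec-reports`, with the reports collected as plain artifacts since they are not in GitLab's SAST schema.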