SEMGREP for multi module maven java project

:hugs: Please help fill in this template with all the details to help others help you more efficiently. Use formatting blocks for code, config, logs and ensure to remove sensitive data.

Problem to solve

I have a maven multi-module java project and using this template Jobs/SAST.gitlab-ci.yml to use semgrep-sast analysis.

Looking at the job logs, it appears that not all the modules are scanned and that ONLY root project is being scanned.

Sample gitlab-ci.yml file consisting of only 2 jobs


Job 2

Variable defined in the .yml file

Do I need to configure something so that it scans all the modules?? Is it supported, I mean multi module projects?

Is this same as multi-module project??

The semgrep-sast job succeeds but there is no vulnerability in the report.

I also tried dependency scan [Jobs/Dependency-Scanning.gitlab-ci.yml] in the same project and I did notice that it scans all the modules in the project.

What is wrong here? Any help would be highly appreciated. Gone thru so many pages on the internet but no relief.

Note: Using gitlab version 16.x and Java 17