I recently activated DeepSource on a long-running Go project. It took around 8 minutes to finish the first analysis, and then I was shown way more issues than I anticipated. Turns out DeepSource analyzed the dependencies as well.
So, my question is, do we have a nice way to ask DeepSource not to scan dependencies in a Go repo?
The only issue I see with the first approach is, if the user vendors dependencies and wants to analyze vendor directory, there is no way for them to do so.
I did some digging, and it has been a very popular opinion that vendor directory should be ignored when using wildcard matches ...
Besides, vendor directory is meant to store source from external import paths, and, hence, should not be analyzed. We just did some changes to the Go analyzer, and are ignoring vendor directory from our analyses by default from now.
Can we have an option to analyze dependencies? This will be recommended unset by default. A config directive, combined with a checkbox in the config screen for Go analyzer.