feat: git plugin - option to limit depth of historical scans (#118)

Closes #94 - add the `depth` field to the `GitPlugin` struct - add the `depth` option to the git plugin command - create a function called `buildScanOptions` to generate a string of scanning options for the _gitleaks_ `GitLog` function - by default, _gitleaks_ `GitLog` function scans using `--full-history` and `--all` options (see: https://github.com/gitleaks/gitleaks/blob/master/detect/git/git.go#L44). The reason these options are embedded in `buildScanOptions` is to maintain this behavior - tested manually **Proposed Changes** - feat: add `--depth <number>` option to git plugin command **Additional Considerations** - `GitLog` `--all` option scans the entire repo (including all branches). users may prefer to scan only a specific branch instead of the entire repository. - Not directly related, but the current behavior of the git plugin is to skip deleted files (https://github.com/Checkmarx/2ms/blob/master/plugins/git.go#L48). In case there is an unnoticed leak in a deleted file, the secret will still exist in the git history and will be missed. I submit this contribution under the Apache-2.0 license. --------- Co-authored-by: Jossef Harush Kadouri <[email protected]> Co-authored-by: Baruch Odem (Rothkoff) <[email protected]> Co-authored-by: Baruch Odem (Rothkoff) <[email protected]>
Checkmarx · Jun 29, 2023 · 514e07a · 514e07a
1 parent 246e502
commit 514e07a
Showing 1 changed file with 25 additions and 4 deletions.
diff --git a/plugins/git.go b/plugins/git.go
@@ -3,16 +3,24 @@ package plugins
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/gitleaks/go-gitdiff/gitdiff"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/zricethezav/gitleaks/v8/detect/git"
 )
 
+const (
+	argDepth           = "depth"
+	argScanAllBranches = "all-branches"
+)
+
 type GitPlugin struct {
 	Plugin
 	Channels
+	depth           int
+	scanAllBranches bool
 }
 
 func (p *GitPlugin) GetName() string {
@@ -29,15 +37,28 @@ func (p *GitPlugin) DefineCommand(channels Channels) (*cobra.Command, error) {
 		Args:  cobra.MatchAll(cobra.ExactArgs(1), validGitRepoArgs),
 		Run: func(cmd *cobra.Command, args []string) {
 			log.Info().Msg("Git plugin started")
-			scanGit(args[0], channels.Items, channels.Errors)
+			scanGit(args[0], p.buildScanOptions(), channels.Items, channels.Errors)
 		},
 	}
-
+	flags := command.Flags()
+	flags.BoolVar(&p.scanAllBranches, argScanAllBranches, false, "scan all branches [default: false]")
+	flags.IntVar(&p.depth, argDepth, 0, "number of commits to scan from HEAD")
 	return command, nil
 }
 
-func scanGit(path string, itemsChan chan Item, errChan chan error) {
-	fileChan, err := git.GitLog(path, "")
+func (p *GitPlugin) buildScanOptions() string {
+	options := []string{"--full-history"}
+	if p.scanAllBranches {
+		options = append(options, "--all")
+	}
+	if p.depth > 0 {
+		options = append(options, fmt.Sprintf("-n %d", p.depth))
+	}
+	return strings.Join(options, " ")
+}
+
+func scanGit(path string, scanOptions string, itemsChan chan Item, errChan chan error) {
+	fileChan, err := git.GitLog(path, scanOptions)
 	if err != nil {
 		errChan <- fmt.Errorf("error while scanning git repository: %w", err)
 	}