git plugin - option to limit depth of historical scans (default all commits) #94

Closed
jossef opened this issue Jun 19, 2023 · 3 comments · Fixed by #118
Labels
enhancement New feature or request

Comments

@jossef
Member

jossef commented Jun 19, 2023

add a number argument that is going to limit the historical scans when using the git plugin

@jossef jossef added the enhancement New feature or request label Jun 19, 2023
@baruchiro
Contributor

@jossef What does this "number" represent?

I think we should use a "range" of time like we do in Discord, or use a counter to limit how many commits we scan, or use a specific commit baseline.

Of course, as we are using the GitLog function from gitleaks, we first need to learn which limitations work with this function.

@tcdsv
Contributor

tcdsv commented Jun 26, 2023

I'm working on this issue

@jossef
Member Author

jossef commented Jun 26, 2023

> @jossef What does this "number" represent?
>
> I think we should use a "range" of time like we do in Discord, or use a counter to limit how many commits we scan, or use a specific commit baseline.
>
> Of course, as we are using the GitLog function from gitleaks, we first need to learn which limitations work with this function.

number = how many commits to go back from HEAD

baruchiro added a commit that referenced this issue Jun 29, 2023
Closes #94

- add the `depth` field to the `GitPlugin` struct
- add the `depth` option to the git plugin command
- create a function called `buildScanOptions` to generate a string of
scanning options for the _gitleaks_ `GitLog` function
- by default, _gitleaks_ `GitLog` function scans using `--full-history`
and `--all` options (see:
https://github.com/gitleaks/gitleaks/blob/master/detect/git/git.go#L44).
The reason these options are embedded in `buildScanOptions` is to
maintain this behavior
- tested manually

**Proposed Changes**
- feat: add `--depth <number>` option to git plugin command

**Additional Considerations**
- `GitLog` `--all` option scans the entire repo (including all
branches). Users may prefer to scan only a specific branch instead of
the entire repository.
- Not directly related, but the current behavior of the git plugin is to
skip deleted files
(https://github.com/Checkmarx/2ms/blob/master/plugins/git.go#L48). In
case there is an unnoticed leak in a deleted file, the secret will still
exist in the git history and will be missed.

I submit this contribution under the Apache-2.0 license.

---------

Co-authored-by: Jossef Harush Kadouri <[email protected]>
Co-authored-by: Baruch Odem (Rothkoff) <[email protected]>
Co-authored-by: Baruch Odem (Rothkoff) <[email protected]>
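As an added illustration (not 2ms or gitleaks code) of the option string the commit above describes: a hypothetical `buildScanOptions` that keeps gitleaks' default `--full-history --all` and appends `-n <depth>` when a depth is set. The `AllBranches` switch is an assumption added here to show the point raised under Additional Considerations: with `--all`, `git log -n N` yields the newest N commits across every ref, which is not the same as N commits back from HEAD on the checked-out branch.

```go
package main

import (
	"fmt"
	"strings"
)

// GitPlugin is a constructed stand-in for the plugin struct the commit
// mentions; only the fields relevant to the scan options are shown.
type GitPlugin struct {
	Depth       int  // 0 or negative: scan every commit (gitleaks default)
	AllBranches bool // assumption for this example; the commit always passes --all
}

// buildScanOptions assembles the git log options handed to gitleaks' GitLog.
//
//   depth <= 0            keeps the default: every commit, no -n limit
//   depth  > 0            adds "-n <depth>" so only the newest commits are read
//   allBranches == true   keeps --all, so the limit counts commits across all refs
//   allBranches == false  drops --all, so the limit is measured from HEAD only
func buildScanOptions(depth int, allBranches bool) string {
	opts := []string{"--full-history"}
	if allBranches {
		opts = append(opts, "--all")
	}
	if depth > 0 {
		opts = append(opts, fmt.Sprintf("-n %d", depth))
	}
	return strings.Join(opts, " ")
}

// ScanOptions is the method a plugin would call before invoking GitLog.
func (p GitPlugin) ScanOptions() string {
	return buildScanOptions(p.Depth, p.AllBranches)
}

func main() {
	for _, p := range []GitPlugin{
		{Depth: 0, AllBranches: true},   // --full-history --all
		{Depth: 50, AllBranches: true},  // --full-history --all -n 50
		{Depth: 50, AllBranches: false}, // --full-history -n 50
	} {
		fmt.Printf("depth=%d all=%t -> %q\n", p.Depth, p.AllBranches, p.ScanOptions())
	}
}
```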