feat: git plugin - option to limit depth of historical scans #118
Conversation
plugins/git.go
Outdated
| func (p *GitPlugin) buildScanOptions() string { | ||
| options := "" | ||
| if p.Depth > 0 { | ||
| options = fmt.Sprintf("--full-history --all -n %d", p.Depth) |
There was a problem hiding this comment.
| options = fmt.Sprintf("--full-history --all -n %d", p.Depth) | |
| options = fmt.Sprintf("-n %d", p.Depth) |
There was a problem hiding this comment.
only to scan current checked-out branch. can you explain --full-history in this context?
There was a problem hiding this comment.
by default, gitleaks
GitLogfunction scans using--full-historyand--alloptions (see: https://github.com/gitleaks/gitleaks/blob/master/detect/git/git.go#L44). The reason these options are embedded inbuildScanOptionsis to maintain this behavior
From the PR description
There was a problem hiding this comment.
additional info:
https://www.git-scm.com/docs/git-log#Documentation/git-log.txt-Defaultmode history is pruned without --full-history option
I think it makes sense to make --all optional for all usages of this plugin, it will be more consistent and less confusing from the user's perspective.
There was a problem hiding this comment.
ok, thanks for the info. I'm okay with --full-history
regarding --all:
we can have our own version of --all / --all-branches optional arg which will include all commits from all branches.
by default (if not provided) - without --all = only the currently checked-out branch
There was a problem hiding this comment.
- made
--alloptional and updatedbuildScanOptionsfunction - added
scanAllBranchesboolean field toGitPluginstruct - limited the scope of
Depthfield inGitPluginstruct by changing it todepth
…cdsv/2ms into git-plugin-limit-depth-of-scan
plugins/git.go
Outdated
|
|
||
| "github.com/gitleaks/go-gitdiff/gitdiff" | ||
| "github.com/rs/zerolog/log" | ||
| "github.com/spf13/cobra" | ||
| "github.com/zricethezav/gitleaks/v8/detect/git" | ||
| ) | ||
|
|
||
| const ( | ||
| argDepth = "depth" | ||
| argScanAllBranches = "all" |
There was a problem hiding this comment.
Please call it all-branches, otherwise it is not clear all- what?
plugins/git.go
Outdated
| }, | ||
| } | ||
|
|
||
| flags := command.Flags() | ||
| flags.BoolVar(&p.scanAllBranches, argScanAllBranches, false, "scan all branches") |
There was a problem hiding this comment.
Is it will print default: false in the help message?
If not, please add [default: false] to the end of the description.
Co-authored-by: Baruch Odem (Rothkoff) <[email protected]>
Closes #94
depthfield to theGitPluginstructdepthoption to the git plugin commandbuildScanOptionsto generate a string of scanning options for the gitleaksGitLogfunctionGitLogfunction scans using--full-historyand--alloptions (see: https://github.com/gitleaks/gitleaks/blob/master/detect/git/git.go#L44). The reason these options are embedded inbuildScanOptionsis to maintain this behaviorProposed Changes
--depth <number>option to git plugin commandAdditional Considerations
GitLog--alloption scans the entire repo (including all branches). users may prefer to scan only a specific branch instead of the entire repository.I submit this contribution under the Apache-2.0 license.