
feat: git plugin - option to limit depth of historical scans #118

Merged (10 commits), Jun 29, 2023
22 changes: 18 additions & 4 deletions plugins/git.go
Expand Up @@ -10,9 +10,14 @@ import (
"github.com/zricethezav/gitleaks/v8/detect/git"
)

const (
argDepth = "depth"
)

type GitPlugin struct {
Plugin
Channels
Depth int
}

func (p *GitPlugin) GetName() string {
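Review bot: `Depth int` on `GitPlugin` is exported although it is only written by the flag binding and read inside the plugin; an unexported `depth` would keep the flag the single way to configure it. Minor: `argDepth` sits alone in a `const` block while the flag's description is inline in `DefineCommand`; keeping the name and its help text together makes the flag easier to audit.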
Expand All @@ -29,15 +34,24 @@ func (p *GitPlugin) DefineCommand(channels Channels) (*cobra.Command, error) {
Args: cobra.MatchAll(cobra.ExactArgs(1), validGitRepoArgs),
Run: func(cmd *cobra.Command, args []string) {
log.Info().Msg("Git plugin started")
scanGit(args[0], channels.Items, channels.Errors)
scanGit(args[0], p.buildScanOptions(), channels.Items, channels.Errors)
},
}

flags := command.Flags()
flags.IntVar(&p.Depth, argDepth, 0, "number of commits to scan from HEAD")
return command, nil
}

func scanGit(path string, itemsChan chan Item, errChan chan error) {
fileChan, err := git.GitLog(path, "")
func (p *GitPlugin) buildScanOptions() string {
options := ""
if p.Depth > 0 {
options = fmt.Sprintf("--full-history --all -n %d", p.Depth)
Member:
Suggested change
options = fmt.Sprintf("--full-history --all -n %d", p.Depth)
options = fmt.Sprintf("-n %d", p.Depth)

Member:

Only to scan the current checked-out branch. Can you explain --full-history in this context?

Contributor:

By default, the gitleaks GitLog function scans using the --full-history and --all options (see: https://github.com/gitleaks/gitleaks/blob/master/detect/git/git.go#L44). The reason these options are embedded in buildScanOptions is to maintain this behavior.

From the PR description

Contributor Author:

Additional info: https://www.git-scm.com/docs/git-log#Documentation/git-log.txt-Defaultmode (history is pruned without the --full-history option).

I think it makes sense to make --all optional for all usages of this plugin, it will be more consistent and less confusing from the user's perspective.

Member:

OK, thanks for the info. I'm okay with --full-history.

Regarding --all:

We can have our own optional --all / --all-branches arg which will include all commits from all branches.
By default (if not provided), without --all: only the currently checked-out branch.

Contributor Author:

  • Made --all optional and updated the buildScanOptions function
  • Added a scanAllBranches boolean field to the GitPlugin struct
  • Limited the scope of the Depth field in the GitPlugin struct by changing it to depth
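An added shell example, not part of the PR or of gitleaks, that demonstrates the point debated above: with `--all`, `-n` limits the newest N commits across every ref, so a small depth can miss the most recent commits of the checked-out branch. It assumes `git` is on PATH and builds a throwaway repository with constructed commits.

```shell
# Added example, not part of the PR: shows how "-n" behaves with and without "--all".
# Assumes git is on PATH; the repository and its commits are constructed here.
set -eu

# make_repo builds a throwaway repo: main = c1,c2,c3; feature branches at c1 with f1,f2,f3.
# Commit dates increase strictly, so "git log" ordering is deterministic.
make_repo() {
  repo=$(mktemp -d)
  cd "$repo"
  git init -q
  git symbolic-ref HEAD refs/heads/main
  git config user.email "demo@example.invalid"
  git config user.name "demo"
  n=0
  commit() {
    n=$((n + 1))
    echo "$1" > file.txt
    git add file.txt
    GIT_AUTHOR_DATE="2023-06-01T00:00:0${n}+0000" \
    GIT_COMMITTER_DATE="2023-06-01T00:00:0${n}+0000" \
      git commit -q -m "$1"
  }
  commit c1
  git branch feature        # feature starts at c1
  commit c2
  commit c3
  git checkout -q feature
  commit f1                 # f1..f3 are newer than anything on main
  commit f2
  commit f3
  git checkout -q main
  echo "$repo"
}

# head_only: what the flag text "number of commits to scan from HEAD" suggests.
head_only() { git -C "$1" log -n 3 --format=%s | xargs; }

# all_refs: what buildScanOptions passes when --depth is set (depth 3 here).
all_refs() { git -C "$1" log --full-history --all -n 3 --format=%s | xargs; }

# Usage: repo=$(make_repo); head_only "$repo" -> "c3 c2 c1"; all_refs "$repo" -> "f3 f2 f1"
```

With `--all`, the three newest commits are all on `feature`, so c2 and c3 on the checked-out branch are never scanned at that depth.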

}
return options
}

func scanGit(path string, scanOptions string, itemsChan chan Item, errChan chan error) {
fileChan, err := git.GitLog(path, scanOptions)
if err != nil {
errChan <- fmt.Errorf("error while scanning git repository: %w", err)
}
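Review bot: the help text `"number of commits to scan from HEAD"` does not match what `buildScanOptions` emits: `-n %d` combined with `--all` selects the newest N commits across every ref, so a small depth can skip recent commits on the checked-out branch entirely; either drop `--all` from the depth-limited form (as the suggestion proposes) or word the help as a total across all branches. Two smaller points: `p.Depth > 0` silently treats a negative `--depth` as unlimited, where rejecting it with an error would be clearer, and the two paths hand `git.GitLog` different option strings (empty versus an explicit `--full-history --all`), so the unlimited path relies on gitleaks keeping its current defaults.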