From 514e07aaea1e21fe34ea2775ec196e4dd6509020 Mon Sep 17 00:00:00 2001 From: tcdsv <33223663+tcdsv@users.noreply.github.com> Date: Thu, 29 Jun 2023 08:25:28 +0300 Subject: [PATCH] feat: git plugin - option to limit depth of historical scans (#118) Closes #94 - add the `depth` field to the `GitPlugin` struct - add the `depth` option to the git plugin command - create a function called `buildScanOptions` to generate a string of scanning options for the _gitleaks_ `GitLog` function - by default, _gitleaks_ `GitLog` function scans using `--full-history` and `--all` options (see: https://github.com/gitleaks/gitleaks/blob/master/detect/git/git.go#L44). The reason these options are embedded in `buildScanOptions` is to maintain this behavior - tested manually **Proposed Changes** - feat: add `--depth ` option to git plugin command **Additional Considerations** - `GitLog` `--all` option scans the entire repo (including all branches). users may prefer to scan only a specific branch instead of the entire repository. - Not directly related, but the current behavior of the git plugin is to skip deleted files (https://github.com/Checkmarx/2ms/blob/master/plugins/git.go#L48). In case there is an unnoticed leak in a deleted file, the secret will still exist in the git history and will be missed. I submit this contribution under the Apache-2.0 license. --------- Co-authored-by: Jossef Harush Kadouri Co-authored-by: Baruch Odem (Rothkoff) Co-authored-by: Baruch Odem (Rothkoff)
---
 plugins/git.go | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/plugins/git.go b/plugins/git.go
index 37d7a28c..608b8380 100644
--- a/plugins/git.go
+++ b/plugins/git.go
@@ -3,6 +3,7 @@ package plugins
 import (
 "fmt"
 "os"
+ "strings"
 "github.com/gitleaks/go-gitdiff/gitdiff"
 "github.com/rs/zerolog/log"
@@ -10,9 +11,16 @@ import (
 "github.com/zricethezav/gitleaks/v8/detect/git"
 )
+const (
+ argDepth = "depth"
+ argScanAllBranches = "all-branches"
+)
+
 type GitPlugin struct {
 Plugin
 Channels
+ depth int
+ scanAllBranches bool
 }
 func (p *GitPlugin) GetName() string {
@@ -29,15 +37,28 @@ func (p *GitPlugin) DefineCommand(channels Channels) (*cobra.Command, error) {
 Args: cobra.MatchAll(cobra.ExactArgs(1), validGitRepoArgs),
 Run: func(cmd *cobra.Command, args []string) {
 log.Info().Msg("Git plugin started")
- scanGit(args[0], channels.Items, channels.Errors)
+ scanGit(args[0], p.buildScanOptions(), channels.Items, channels.Errors)
 },
 }
-
+ flags := command.Flags()
+ flags.BoolVar(&p.scanAllBranches, argScanAllBranches, false, "scan all branches [default: false]")
+ flags.IntVar(&p.depth, argDepth, 0, "number of commits to scan from HEAD")
 return command, nil
 }
-func scanGit(path string, itemsChan chan Item, errChan chan error) {
- fileChan, err := git.GitLog(path, "")
+func (p *GitPlugin) buildScanOptions() string {
+ options := []string{"--full-history"}
+ if p.scanAllBranches {
+ options = append(options, "--all")
+ }
+ if p.depth > 0 {
+ options = append(options, fmt.Sprintf("-n %d", p.depth))
+ }
+ return strings.Join(options, " ")
+}
+
+func scanGit(path string, scanOptions string, itemsChan chan Item, errChan chan error) {
+ fileChan, err := git.GitLog(path, scanOptions)
 if err != nil {
 errChan <- fmt.Errorf("error while scanning git repository: %w", err)
 }
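Review bot: The new `depth` and `scanAllBranches` fields on `GitPlugin` carry no comment, and their interaction is not obvious: a git commit-count limit combined with `--all` caps the total number of commits walked across every ref, not per branch, so a small depth with all-branches enabled can leave most branches unscanned. Suggest documenting this on the fields, e.g. `// depth limits the total number of commits walked (0 = unlimited); with scanAllBranches the limit is shared across all refs, not applied per branch.` and `// scanAllBranches adds --all so non-HEAD and unmerged branches are scanned; secrets present only there are missed when it is off.` The `argDepth`/`argScanAllBranches` constants could likewise get a one-line comment saying they are the CLI flag names the fields are bound to.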
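Review bot: The default scan scope narrows in `DefineCommand`: `scanAllBranches` is registered with a `false` default, so `buildScanOptions` emits only `--full-history`, and if `GitLog` applies `--full-history --all` only when handed an empty options string as the commit description states, the old `git.GitLog(path, "")` call scanned every branch while the new default scans only the current HEAD. Secrets living only on unmerged or stale branches would then be missed unless the user opts in; either keep the prior coverage with `flags.BoolVar(&p.scanAllBranches, argScanAllBranches, true, "scan all branches")` or state the narrower default explicitly in the flag help and the commit message rather than describing the change as behavior-preserving. A smaller point in `buildScanOptions`: `fmt.Sprintf("-n %d", p.depth)` produces a two-token option inside a space-joined string, which only works if the consumer splits that string on spaces; `fmt.Sprintf("--max-count=%d", p.depth)` is a single token with the same meaning and does not depend on that. The body of `scanGit` continues past the end of the hunk.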