diff --git a/README.md b/README.md
index 7be9e020e039..cadf50c79ff7 100644
--- a/README.md
+++ b/README.md
@@ -269,9 +269,9 @@ repos:
 - id: trufflehog
 name: TruffleHog
 description: Detect secrets in your data.
- entry: bash -c 'trufflehog git file://. --only-verified --fail'
+ entry: bash -c 'trufflehog git file://. --since-commit main --only-verified --fail'
 # For running trufflehog in docker, use the following entry instead:
- # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+ # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit main --only-verified --fail'
 language: system
 stages: ["commit", "push"]
 ```
diff --git a/pkg/sources/git/git.go b/pkg/sources/git/git.go
index 5098022e86ea..a1bf8883ec51 100644
--- a/pkg/sources/git/git.go
+++ b/pkg/sources/git/git.go
@@ -335,25 +335,21 @@ func (s *Git) ScanCommits(ctx context.Context, repo *git.Repository, path string
 urlMetadata := getSafeRemoteURL(repo, "origin")
 var depth int64
- var reachedBase = false
 ctx.Logger().V(1).Info("scanning repo", "repo", urlMetadata, "base", scanOptions.BaseHash, "head", scanOptions.HeadHash)
 for commit := range commitChan {
- ctx.Logger().V(5).Info("scanning commit", "commit", commit.Hash, "message", commit.Message)
- if scanOptions.MaxDepth > 0 && depth >= scanOptions.MaxDepth {
- ctx.Logger().V(1).Info("reached max depth", "depth", depth)
- break
- }
- depth++
- if reachedBase && commit.Hash != scanOptions.BaseHash {
- break
- }
 if len(scanOptions.BaseHash) > 0 {
 if commit.Hash == scanOptions.BaseHash {
 ctx.Logger().V(1).Info("reached base commit", "commit", commit.Hash)
- reachedBase = true
+ break
 }
 }
+ if scanOptions.MaxDepth > 0 && depth >= scanOptions.MaxDepth {
+ ctx.Logger().V(1).Info("reached max depth", "depth", depth)
+ break
+ }
+ depth++
+ ctx.Logger().V(5).Info("scanning commit", "commit", commit.Hash, "message", commit.Message)
 for _, diff := range commit.Diffs {
 if !scanOptions.Filter.Pass(diff.PathB) {
 continue
diff --git a/pkg/sources/git/git_test.go b/pkg/sources/git/git_test.go
index e7cd00eac048..662806bfc77b 100644
--- a/pkg/sources/git/git_test.go
+++ b/pkg/sources/git/git_test.go
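Review bot: The early `break` on `commit.Hash == scanOptions.BaseHash` ends the whole scan at the first match, so which commits get scanned now depends entirely on the order in which `commitChan` delivers them, and that producer is outside this hunk. If the channel is fed by a plain history walk rather than a base..head range, commits from a merged side branch that sort after the base would be skipped with no log line, which for a secret scanner means silently unscanned history. The base commit itself is also no longer scanned, so the contract deserves a comment above the check, for example `// BaseHash is exclusive: stop before scanning it; relies on commitChan yielding every commit of interest before the base`. The nested condition could be one line, `if len(scanOptions.BaseHash) > 0 && commit.Hash == scanOptions.BaseHash {`. ScanCommits begins and ends outside the hunk.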
@@ -238,25 +238,13 @@ func TestSource_Chunks_Integration(t *testing.T) {
 name: "remote repo, limited",
 repoURL: "https://github.com/dustin-decker/secretsandstuff.git",
 expectedChunkData: map[string]*byteCompare{
- "70001020fab32b1fcf2f1f0e5c66424eae649826-aws": {B: []byte("[default]\naws_access_key_id = AKIAXYZDQCEN4B6JSJQI\naws_secret_access_key = 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\noutput = json\nregion = us-east-2\n")},
- "a6f8aa55736d4a85be31a0048a4607396898647a-bump": {B: []byte("\n\nf\n")},
+ "70001020fab32b1fcf2f1f0e5c66424eae649826-aws": {B: []byte("[default]\naws_access_key_id = AKIAXYZDQCEN4B6JSJQI\naws_secret_access_key = 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\noutput = json\nregion = us-east-2\n")},
 },
 scanOptions: ScanOptions{
 HeadHash: "70001020fab32b1fcf2f1f0e5c66424eae649826",
 BaseHash: "a6f8aa55736d4a85be31a0048a4607396898647a",
 },
 },
- {
- name: "remote repo, base ahead of head",
- repoURL: "https://github.com/dustin-decker/secretsandstuff.git",
- expectedChunkData: map[string]*byteCompare{
- "a6f8aa55736d4a85be31a0048a4607396898647a-bump": {B: []byte("\n\nf\n")},
- },
- scanOptions: ScanOptions{
- HeadHash: "a6f8aa55736d4a85be31a0048a4607396898647a",
- BaseHash: "70001020fab32b1fcf2f1f0e5c66424eae649826",
- },
- },
 {
 name: "remote repo, main ahead of branch",
 repoURL: "https://github.com/bill-rich/bad-secrets.git",
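Review bot: Removing the "remote repo, base ahead of head" case leaves the situation where `BaseHash` is never met while walking back from `HeadHash` without any test. With the early `break` in ScanCommits, that walk presumably runs to the end of history or to `MaxDepth`, and a scan that is much wider or narrower than the caller asked for should be pinned by an assertion rather than dropped. I would keep the case with `expectedChunkData` updated to the intended result and a comment such as `// base is not an ancestor of head`. Whether the "limited" case fails if the `-bump` chunk is still emitted depends on the comparison loop, which is outside the hunk.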