Don't scan the --since-commit target

README.md

@@ -269,9 +269,9 @@ repos:
     - id: trufflehog
       name: TruffleHog
       description: Detect secrets in your data.
-      entry: bash -c 'trufflehog git file://. --only-verified --fail'
+      entry: bash -c 'trufflehog git file://. --since-commit main --only-verified --fail'
       # For running trufflehog in docker, use the following entry instead:
-      # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
+      # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit main --only-verified --fail'
       language: system
       stages: ["commit", "push"]
 ```

pkg/sources/git/git.go

@@ -335,25 +335,21 @@ func (s *Git) ScanCommits(ctx context.Context, repo *git.Repository, path string
 	urlMetadata := getSafeRemoteURL(repo, "origin")
 
 	var depth int64
-	var reachedBase = false
 
 	ctx.Logger().V(1).Info("scanning repo", "repo", urlMetadata, "base", scanOptions.BaseHash, "head", scanOptions.HeadHash)
 	for commit := range commitChan {
-		ctx.Logger().V(5).Info("scanning commit", "commit", commit.Hash, "message", commit.Message)
-		if scanOptions.MaxDepth > 0 && depth >= scanOptions.MaxDepth {
-			ctx.Logger().V(1).Info("reached max depth", "depth", depth)
-			break
-		}
-		depth++
-		if reachedBase && commit.Hash != scanOptions.BaseHash {
-			break
-		}
 		if len(scanOptions.BaseHash) > 0 {
 			if commit.Hash == scanOptions.BaseHash {
 				ctx.Logger().V(1).Info("reached base commit", "commit", commit.Hash)
-				reachedBase = true
+				break
 			}
 		}
+		if scanOptions.MaxDepth > 0 && depth >= scanOptions.MaxDepth {
+			ctx.Logger().V(1).Info("reached max depth", "depth", depth)
+			break
+		}
+		depth++
+		ctx.Logger().V(5).Info("scanning commit", "commit", commit.Hash, "message", commit.Message)
 		for _, diff := range commit.Diffs {
 			if !scanOptions.Filter.Pass(diff.PathB) {
 				continue

pkg/sources/git/git_test.go

@@ -238,25 +238,13 @@ func TestSource_Chunks_Integration(t *testing.T) {
 			name:    "remote repo, limited",
 			repoURL: "https://github.com/dustin-decker/secretsandstuff.git",
 			expectedChunkData: map[string]*byteCompare{
-				"70001020fab32b1fcf2f1f0e5c66424eae649826-aws":  {B: []byte("[default]\naws_access_key_id = AKIAXYZDQCEN4B6JSJQI\naws_secret_access_key = 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\noutput = json\nregion = us-east-2\n")},
-				"a6f8aa55736d4a85be31a0048a4607396898647a-bump": {B: []byte("\n\nf\n")},
+				"70001020fab32b1fcf2f1f0e5c66424eae649826-aws": {B: []byte("[default]\naws_access_key_id = AKIAXYZDQCEN4B6JSJQI\naws_secret_access_key = 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\noutput = json\nregion = us-east-2\n")},
 			},
 			scanOptions: ScanOptions{
 				HeadHash: "70001020fab32b1fcf2f1f0e5c66424eae649826",
 				BaseHash: "a6f8aa55736d4a85be31a0048a4607396898647a",
 			},
 		},
-		{
-			name:    "remote repo, base ahead of head",
-			repoURL: "https://github.com/dustin-decker/secretsandstuff.git",
-			expectedChunkData: map[string]*byteCompare{
-				"a6f8aa55736d4a85be31a0048a4607396898647a-bump": {B: []byte("\n\nf\n")},
-			},
-			scanOptions: ScanOptions{
-				HeadHash: "a6f8aa55736d4a85be31a0048a4607396898647a",
-				BaseHash: "70001020fab32b1fcf2f1f0e5c66424eae649826",
-			},
-		},
 		{
 			name:    "remote repo, main ahead of branch",
 			repoURL: "https://github.com/bill-rich/bad-secrets.git",