Scan GitHub and GitLab refs that aren't cloned by default #1918
base: main
This is awesome! Just to make sure I understand: This PR has two discrete changes, right? (Pulling down all the refs and printing the source ref of found secrets.)
@rgmz is it theoretically possible to split this work up into two separate changes: One that clones using
It is; I don't think it would accomplish much, as I'd consider the gitparse changes to be negligible compared to everything else.
Thanks for the useful information @bplaxco!
It should be separated to keep the PR focused. I did some toying around with getting
I'm not sure what you mean by this. From this PR, or your own experimentation?
Any insight into this?
From this PR
I haven't encountered any issues, so I'm not sure what the cause could be. If you can provide more detailed info here, or in Slack/Discord, I can try to troubleshoot.
How were you testing remote repos?
Ah. Only GitHub and GitLab sources work right now. I have not made the necessary changes to Git because I don't know what a "repo" is vs. a "directory", or how it's called in Enterprise vs the OSS CLI. See #1918 (comment)
@rgmz @bplaxco alright after banging my head against this git source I think it's better if we use "remote.origin.fetch=+refs/:refs/remotes/origin/". Introducing
I've rebased this onto #2988. This now only has changes related to reporting ref provenance. |
'Hidden' refs, such as 'refs/pull/1004/head', may cause confusion if reported upon. GitHub, for example, will display a banner saying that the commit doesn't belong to the repository. This parses the output of 'git log --source' and converts it to a human-readable format, IF the ref is 'hidden'.
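As an added example (not code from this PR or the project), here is one way to parse 'git log --source'-style output in Go and turn hidden refs into readable labels so a report can warn that a commit may not be in the repository's own history. The ref layouts 'refs/pull/<n>/{head,merge}' (GitHub) and 'refs/merge-requests/<n>/{head,merge}' (GitLab), the use of the '%S' format placeholder, and the sample log lines are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `git log --all --source --format='%H%x09%S'` output (%S is the ref the commit was reached from).
const sampleLog = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678\trefs/remotes/origin/main\n" +
	"b2c3d4e5f60718293a4b5c6d7e8f901234567890\trefs/pull/1004/head\n" +
	"c3d4e5f60718293a4b5c6d7e8f9012345678901a\trefs/merge-requests/42/merge\n" +
	"not-a-commit-line\n"
// RefSource records the ref a commit was reached from and a readable label for it.
type RefSource struct{ Commit, Ref, Label string; Hidden bool }

// DescribeRef converts a ref name to a readable label and flags hidden PR/MR refs.
func DescribeRef(ref string) (label string, hidden bool) {
	p := strings.Split(ref, "/")
	if len(p) == 4 && p[0] == "refs" && (p[3] == "head" || p[3] == "merge") {
		switch p[1] {
		case "pull": // GitHub: refs/pull/<n>/{head,merge}
			return fmt.Sprintf("GitHub pull request #%s (%s)", p[2], p[3]), true
		case "merge-requests": // GitLab: refs/merge-requests/<n>/{head,merge}
			return fmt.Sprintf("GitLab merge request !%s (%s)", p[2], p[3]), true
		}
	}
	for _, k := range []struct{ prefix, kind string }{
		{"refs/remotes/", "branch "}, {"refs/heads/", "branch "}, {"refs/tags/", "tag "},
	} {
		if strings.HasPrefix(ref, k.prefix) {
			return k.kind + strings.TrimPrefix(ref, k.prefix), false
		}
	}
	return ref, false // unknown layout: report the raw ref unchanged
}

// ParseLogSource parses "<hash>\t<ref>" lines, skipping anything malformed.
func ParseLogSource(out string) []RefSource {
	var srcs []RefSource
	for _, line := range strings.Split(out, "\n") {
		hash, ref, ok := strings.Cut(line, "\t")
		if !ok || len(hash) != 40 || ref == "" {
			continue
		}
		label, hidden := DescribeRef(ref)
		srcs = append(srcs, RefSource{hash, ref, label, hidden})
	}
	return srcs
}
```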
Description:
This fixes #1588.
In my experience, this finds significantly more secrets with a negligible performance impact.
The only issue is that these secrets are technically not a part of the repository, so refactoring may be necessary to indicate that a result comes from a historical PR/MR branch. It now outputs the source pull/merge request (based on 'git log --source'), in case the commit only exists in the PR history and not the actual repo history, which can happen when PRs are squashed.
Checklist:
'make test-community'?
'make lint' (this requires golangci-lint)?