Collaborator

@cx-rui-oliveira cx-rui-oliveira commented Nov 19, 2025

Description

This PR adds support for enabling/disabling Git commit history scanning in Secret Detection scans through a new CLI flag --git-commit-history. This enhancement allows users to explicitly enable scanning of the full Git commit history to detect secrets that may have been committed in the past, even if they've been removed from the current working tree.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Related Issues

Ticket: AST-120196

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

Screenshots (if applicable)

  • N/A.

Additional Notes

  • N/A.

@cx-rui-oliveira cx-rui-oliveira force-pushed the AST-120196-cli-enable-disable-commit-history-scanning branch from 30b19de to 00789f3 Compare November 19, 2025 15:34
github-actions bot commented Nov 19, 2025

Checkmarx One – Scan Summary & Details: 764923a8-a2f8-4086-8663-bed9c98af2d2

Great job! No new security vulnerabilities introduced in this pull request

cx-diogo-rocha previously approved these changes Nov 19, 2025
@cx-rui-oliveira cx-rui-oliveira force-pushed the AST-120196-cli-enable-disable-commit-history-scanning branch from 921ad85 to 801179e Compare November 24, 2025 16:18
cx-diogo-rocha previously approved these changes Nov 24, 2025
@cx-rui-oliveira cx-rui-oliveira force-pushed the AST-120196-cli-enable-disable-commit-history-scanning branch from 2d3c5b4 to 6b53fee Compare November 25, 2025 17:09
Contributor

@cx-umesh-waghode cx-umesh-waghode left a comment

@cx-rui-oliveira Could you comment on the below?

  1. What is the behavior when SCS --scan-type is provided without --scs-engines?
  2. Same as above but when --scs-engines is provided with scorecard only.
  3. What is the behavior when SCS new license is disabled?

@cx-rui-oliveira
Collaborator Author

> @cx-rui-oliveira Could you comment on the below?
>
>   1. What is the behavior when SCS --scan-type is provided without --scs-engines?
>   2. Same as above but when --scs-engines is provided with scorecard only.
>   3. What is the behavior when SCS new license is disabled?

  1. We consider that both scs engines are enabled (2ms and scorecard), so if the user also specifies --git-commit-history true it will be enough to execute commit history scanning.
  2. Only scorecard is enabled, so git-commit-history is ignored (the following warning is triggered: "Secret Detection scan warning: Commit History applies only to Secret Detection. The flag will be ignored.").
  3. If the FF SSCS_NEW_LICENSING_ENABLED is enabled and the new license is disabled, git-commit-history will be ignored, since 2ms is not enabled. If the FF SSCS_NEW_LICENSING_ENABLED is disabled and the new license is disabled, the old license is considered (and git commit history is enabled or disabled according to it).

@cx-umesh-waghode cx-umesh-waghode self-requested a review December 10, 2025 11:48
@cx-anurag-dalke cx-anurag-dalke enabled auto-merge (squash) December 11, 2025 10:44
Collaborator

@cx-anurag-dalke cx-anurag-dalke left a comment

ok
