feat(scanner): add --show to print git show per oops commit (#2)#10
Open
ChrisJr404 wants to merge 1 commit into
…ecurity#2)

Implements the request from trufflesecurity#2: let users review the content of each force-pushed "oops commit" directly, or pipe it to an external tool, without needing to enable the full trufflehog scan path.

Behaviour:

- `--show`: print `git show <commit>` for every force-pushed commit. Skips the trufflehog scan entirely unless `--scan` is also supplied.
- `--show --scan`: print the diff AND run trufflehog. Useful when a reviewer wants both the raw patch and the secret findings side-by-side.
- `--scan` (alone): unchanged from current behaviour.
- (neither): unchanged — gather + report only.

`scan_commits` now takes `show: bool` and `scan: bool` kwargs so the per-commit loop can switch behaviour without forking the whole repo clone path. The clone, base-commit identification, and SHA validation are all reused.

`git show` runs with `--no-color` so the output stays grep-friendly when piped, and is wrapped in the existing `RunCmdError` handler so a single bad commit doesn't abort the rest of the run. Each diff is preceded by a `[git show <sha>]` header so multi-commit output is parseable.

Verified: syntax check passes, argparse wiring for the new flag is correct, scan_commits signature picks up the new kwargs.
Closes #2 — @peter17 asked for an option that prints `git show <commit>` per oops commit so they could review the content manually or pipe it to an external tool.
Adds a `--show` flag with three useful modes:
The patch threads two kwargs (`show`, `scan`) into the existing `scan_commits` so the per-commit loop can switch behaviour without forking the clone / base-commit-identification / SHA-validation path. Each diff is preceded by a `[git show <sha>]` header so multi-commit output stays parseable when piped, and `--no-color` is set so the output is grep-friendly.
A bad single `git show` (e.g. orphaned ref) is wrapped in the existing `RunCmdError` handler so it doesn't abort the rest of the run.
Test plan
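The per-commit loop the PR describes, written out as an added Python example (not the project's own code): the `RunCmdError` name and the `show`/`scan` toggles come from the PR text, while the `subprocess` runner, the injected `runner`/`scanner` callables and the constructed fake patches are assumptions so it runs without a repository.

```python
import subprocess
from typing import Callable, Dict, Iterable, List, Optional

class RunCmdError(Exception):
    """Command failure; name taken from the PR, the real class may differ."""

def run_git(args: List[str], cwd: Optional[str] = None) -> str:
    """Execute git, return stdout, raise RunCmdError on non-zero exit."""
    proc = subprocess.run(["git", *args], cwd=cwd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RunCmdError(proc.stderr.strip() or f"git {' '.join(args)} failed")
    return proc.stdout

def review_commits(commits: Iterable[str], show: bool, scan: bool,
                   runner: Callable[[List[str]], str] = run_git,
                   scanner: Optional[Callable[[str], List[str]]] = None) -> List[Dict[str, object]]:
    """Mode matrix from the PR: --show prints the patch, --scan runs the secret
    scanner, both do both, neither does nothing per commit. A failing git show
    is recorded on that commit and the loop continues with the next one."""
    out: List[Dict[str, object]] = []
    for sha in commits:
        rec: Dict[str, object] = {"sha": sha, "diff": None, "findings": None, "error": None}
        if show:
            try:
                # --no-color keeps the patch grep-friendly; the header lets a
                # consumer split concatenated multi-commit output per SHA.
                rec["diff"] = f"[git show {sha}]\n" + runner(["show", "--no-color", sha])
            except RunCmdError as exc:
                rec["error"] = str(exc)
        if scan and scanner is not None:
            rec["findings"] = scanner(sha)
        out.append(rec)
    return out

# Constructed stand-ins so the example runs offline (not real commits or findings).
FAKE_PATCHES = {"a1b2c3d": "commit a1b2c3d\n+AWS_KEY=AKIAEXAMPLE\n",
                "deadbee": "commit deadbee\n-old line\n+new line\n"}

def fake_runner(args: List[str]) -> str:
    """Pretend `git show`: unknown SHA behaves like an orphaned ref."""
    sha = args[-1]
    if sha not in FAKE_PATCHES:
        raise RunCmdError(f"fatal: bad object {sha}")
    return FAKE_PATCHES[sha]

def fake_scanner(sha: str) -> List[str]:
    """Toy detector standing in for trufflehog."""
    return ["aws-key"] if "AKIA" in FAKE_PATCHES.get(sha, "") else []

if __name__ == "__main__":
    for rec in review_commits(["a1b2c3d", "0000000", "deadbee"], show=True, scan=True,
                              runner=fake_runner, scanner=fake_scanner):
        print(rec["diff"] or f"[git show {rec['sha']}] FAILED: {rec['error']}", rec["findings"])
```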
Note

Low Risk

Low risk: adds an optional CLI output mode and threads flags through `scan_commits` without changing the existing scan behavior unless the new flag is used.

Overview

Adds a new `--show` mode that prints `git show --no-color <commit>` output for each force-pushed commit, prefixed with a `[git show <sha>]` header for easier multi-commit parsing. Updates `scan_commits` to accept `show`/`scan` toggles so `--show` can run alone (skipping trufflehog) or alongside `--scan` (print diff then scan), and adjusts `main()` to invoke scanning when either flag is set while handling `git show` failures per-commit without aborting the run.

Reviewed by Cursor Bugbot for commit 15ebf0d.