Scan only PR commits for Gitleaks instead of whole codebase #2487

@DariuszPorowski

Description

Is your feature request related to a problem? Please describe.

Scan only PR commits for Gitleaks instead of whole codebase, when VALIDATE_ALL_CODEBASE is set to false

Describe the solution you'd like

When VALIDATE_ALL_CODEBASE is set to false and MegaLinter runs on a PR, then Gitleaks scans only the PR commits.

Describe alternatives you've considered

The described scenario is achievable by passing a REPOSITORY_GITLEAKS_ARGUMENTS env variable containing the gitleaks flag --log-opts, but it would be nice to have out-of-the-box support (using VALIDATE_ALL_CODEBASE) without extra configuration.

- name: MegaLinter
  if: ${{ github.event_name == 'pull_request' }}
  id: megalinter
  uses: oxsecurity/megalinter/flavors/documentation@v6
  env:
    VALIDATE_ALL_CODEBASE: false
    REPOSITORY_GITLEAKS_ARGUMENTS: --log-opts '--no-merges --first-parent ${{ github.event.pull_request.base.sha }}^..${{ github.event.pull_request.head.sha }}'

Downside: to scan only PR commits with the proposed gitleaks config, the git checkout has to be set with fetch-depth: 0.

- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0
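The workaround above hinges on two things: the git revision range handed to gitleaks via --log-opts, and the clone being deep enough that the base commit's parent exists locally. The POSIX shell functions below are an added example (not from the issue or from MegaLinter) that build that same range from a base and head SHA, count the commits it covers, refuse to scan on a shallow checkout, and only then invoke gitleaks; the function names are hypothetical and the gitleaks invocation assumes the v8 `gitleaks detect --source --log-opts` interface.

```shell
#!/bin/sh
# Added example, not code from the issue or from MegaLinter. Function names are
# hypothetical; gitleaks is assumed to be v8 ("gitleaks detect --log-opts").

# pr_log_opts BASE_SHA HEAD_SHA
# Prints the --log-opts value from the issue's workaround. The range starts at
# the parent of BASE, so the base commit itself is scanned along with the PR commits.
pr_log_opts() {
  printf '%s\n' "--no-merges --first-parent $1^..$2"
}

# range_ready BASE_SHA
# Returns 0 when BASE and its parent are present in the local clone, 1 otherwise.
# On a shallow checkout (fetch-depth: 1) the parent is missing and gitleaks would
# fail to walk the range, which is the fetch-depth: 0 downside noted in the issue.
range_ready() {
  git rev-parse --verify --quiet "$1^{commit}" >/dev/null 2>&1 || return 1
  git rev-parse --verify --quiet "$1^" >/dev/null 2>&1 || return 1
  return 0
}

# pr_commit_count BASE_SHA HEAD_SHA
# Number of commits gitleaks would walk with that range (same options as the scan).
pr_commit_count() {
  git rev-list --count --no-merges --first-parent "$1^..$2"
}

# scan_pr BASE_SHA HEAD_SHA
# Runs gitleaks over the PR range only; exits 2 with a clear message on a shallow
# clone instead of letting gitleaks fail on an unresolvable revision.
scan_pr() {
  if ! range_ready "$1"; then
    echo "base commit $1 or its parent is not in the clone; checkout with fetch-depth: 0" >&2
    return 2
  fi
  echo "scanning $(pr_commit_count "$1" "$2") commit(s) in range $1^..$2" >&2
  gitleaks detect --source . --log-opts "$(pr_log_opts "$1" "$2")"
}

# Typical use in a pull_request workflow step (values come from the event payload):
#   scan_pr "$PR_BASE_SHA" "$PR_HEAD_SHA"
```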

Additional context

N/A

Labels: enhancement (New feature or request)