Skip to content

fix(git): detect secrets in renamed/copied files#4694

Open
PascalThuet wants to merge 3 commits intotrufflesecurity:mainfrom
PascalThuet:fix/scan-renamed-copied-files
Open

fix(git): detect secrets in renamed/copied files#4694
PascalThuet wants to merge 3 commits intotrufflesecurity:mainfrom
PascalThuet:fix/scan-renamed-copied-files

Conversation

@PascalThuet
Copy link
Contributor

@PascalThuet PascalThuet commented Jan 24, 2026
edited
Loading

Summary

Fixes #4672

When a file is renamed using git mv or when git detects a file copy with 100% similarity, the git log --patch output shows only metadata without actual file content:

similarity index 100%
rename from fileA.ipynb
rename to fileA_DE.ipynb

This causes the scanner to miss secrets in renamed/copied files because no content diff is generated.

Solution

Add --no-renames flag to git commands in gitparse.go. This disables git's rename detection, causing git to treat renames as delete + add operations, ensuring full file content is always shown in the diff output.

Changes

  • Add --no-renames to RepoPath() git log command
  • Add --no-renames to Staged() git diff command
  • Add regression test TestRenamedFileContainsSecret

Performance Impact

  • No impact when there are no renames (identical output)
  • Minimal impact when renames exist (file content shown instead of similarity metadata)
  • In real-world repos, renames are relatively rare

Test Plan

  • Added regression test that creates a repo with a renamed file containing a secret
  • Verified the secret is detected in the renamed file after the fix
  • Run full test suite
  • Lint passing

@PascalThuet PascalThuet requested a review from a team January 24, 2026 19:05
@PascalThuet PascalThuet requested review from a team as code owners January 24, 2026 19:05
@CLAassistant
Copy link

CLAassistant commented Jan 24, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@PascalThuet PascalThuet mentioned this pull request Jan 24, 2026
Open
@PascalThuet
fix(git): detect secrets in renamed/copied files
3124e79 
When a file is renamed using `git mv` or when git detects a 100% copy,
the `git log --patch` output shows only:

```
similarity index 100%
rename from fileA.txt
rename to fileB.txt
```

Without any actual content diff, causing the scanner to miss secrets
in the renamed file.

This fix adds `--no-renames` to the git log and git diff commands,
which disables git's rename detection. This causes git to treat
renames as a delete + add operation, ensuring the full file content
is shown for newly created files.

Fixes trufflesecurity#4672

## Changes

- Add `--no-renames` flag to `RepoPath()` in gitparse.go
- Add `--no-renames` flag to `Staged()` in gitparse.go
- Add regression test `TestRenamedFileContainsSecret`

## Testing

Created a test repository with:
1. Initial file with AWS credentials
2. Renamed file using `git mv`

Before fix: Secret only reported in original file (now deleted)
After fix: Secret correctly reported in renamed file
@PascalThuet PascalThuet force-pushed the fix/scan-renamed-copied-files branch from 9499324 to 3124e79 Compare January 25, 2026 10:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@camgunz camgunz camgunz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GitHub scanner misses secrets in files created by copying content from previously scanned files

3 participants

@PascalThuet @CLAassistant @camgunz