fix(git): detect secrets in renamed/copied files

When a file is renamed using `git mv` or when git detects a 100% copy,
the `git log --patch` output shows only:

```
similarity index 100%
rename from fileA.txt
rename to fileB.txt
```

Without any actual content diff, causing the scanner to miss secrets
in the renamed file.

This fix adds `--no-renames` to the git log and git diff commands,
which disables git's rename detection. This causes git to treat
renames as a delete + add operation, ensuring the full file content
is shown for newly created files.

Fixes #4672

## Changes

- Add `--no-renames` flag to `RepoPath()` in gitparse.go
- Add `--no-renames` flag to `Staged()` in gitparse.go
- Add regression test `TestRenamedFileContainsSecret`

## Testing

Created a test repository with:
1. Initial file with AWS credentials
2. Renamed file using `git mv`

Before fix: Secret only reported in original file (now deleted)
After fix: Secret correctly reported in renamed file

Author: PascalThuet

pkg/gitparse/gitparse.go

@@ -239,6 +239,7 @@ func (c *Parser) RepoPath(
 		"--date=iso-strict",
 		"--pretty=fuller", // https://git-scm.com/docs/git-log#_pretty_formats
 		"--notes",         // https://git-scm.com/docs/git-log#Documentation/git-log.txt---notesltrefgt
+		"--no-renames",    // Disable rename detection to ensure renamed/copied files show full content
 	}
 	if abbreviatedLog {
 		args = append(args, "--diff-filter=AM")
@@ -279,7 +280,8 @@ func (c *Parser) RepoPath(
 // Staged parses the output of the `git diff` command for the `source` path.
 func (c *Parser) Staged(ctx context.Context, source string) (chan *Diff, error) {
 	// Provide the --cached flag to diff to get the diff of the staged changes.
-	args := []string{"-C", source, "diff", "-p", "--cached", "--full-history", "--diff-filter=AM", "--date=iso-strict"}
+	// --no-renames ensures renamed/copied files show full content instead of similarity index.
+	args := []string{"-C", source, "diff", "-p", "--cached", "--full-history", "--diff-filter=AM", "--no-renames", "--date=iso-strict"}
 
 	cmd := exec.Command("git", args...)
 

pkg/sources/git/git_test.go

@@ -1163,3 +1163,56 @@ func TestPrepareRepoWithNormalizationBare(t *testing.T) {
 		})
 	}
 }
+
+// TestRenamedFileContainsSecret ensures that when a file is renamed (git mv),
+// the scanner still detects secrets in the renamed file.
+// This is a regression test for: https://github.com/trufflesecurity/trufflehog/issues/4672
+func TestRenamedFileContainsSecret(t *testing.T) {
+	t.Parallel()
+
+	// Create a test repo with a secret
+	repoPath := setupTestRepo(t, "rename-test-repo")
+
+	// Create initial file with a secret
+	secret := "AKIA1234567890ABCDEF"
+	initialContent := fmt.Sprintf("aws_access_key_id = %s\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", secret)
+	addTestFileAndCommit(t, repoPath, "credentials.txt", initialContent)
+
+	// Rename the file using git mv
+	assert.NoError(t, exec.Command("git", "-C", repoPath, "mv", "credentials.txt", "credentials_backup.txt").Run())
+	assert.NoError(t, exec.Command("git", "-C", repoPath, "commit", "-m", "Rename credentials file").Run())
+
+	// Scan the repo
+	ctx := context.Background()
+	s := Source{}
+	conn, err := anypb.New(&sourcespb.Git{
+		Directories: []string{repoPath},
+		Credential:  &sourcespb.Git_Unauthenticated{Unauthenticated: &credentialspb.Unauthenticated{}},
+	})
+	assert.NoError(t, err)
+
+	err = s.Init(ctx, "test", 0, 0, false, conn, 1)
+	assert.NoError(t, err)
+
+	chunksChan := make(chan *sources.Chunk, 100)
+	go func() {
+		defer close(chunksChan)
+		err := s.Chunks(ctx, chunksChan)
+		assert.NoError(t, err)
+	}()
+
+	// Collect all chunks and verify we find the secret in the renamed file
+	foundInRenamedFile := false
+	for chunk := range chunksChan {
+		if chunk.SourceMetadata != nil {
+			metadata := chunk.SourceMetadata.GetGit()
+			if metadata != nil && strings.Contains(metadata.File, "credentials_backup.txt") {
+				if bytes.Contains(chunk.Data, []byte(secret)) {
+					foundInRenamedFile = true
+				}
+			}
+		}
+	}
+
+	assert.True(t, foundInRenamedFile, "Secret should be detected in the renamed file (credentials_backup.txt)")
+}