fix(git): detect secrets in renamed/copied files

PascalThuet · PascalThuet · commit 9499324b24d1 · 2026-01-24T00:17:13.000+01:00
When a file is renamed using `git mv` or when git detects a 100% copy, the `git log --patch` output shows only: ``` similarity index 100% rename from fileA.txt rename to fileB.txt ``` Without any actual content diff, causing the scanner to miss secrets in the renamed file. This fix adds `--no-renames` to the git log and git diff commands, which disables git's rename detection. This causes git to treat renames as a delete + add operation, ensuring the full file content is shown for newly created files. Fixes #4672 ## Changes - Add `--no-renames` flag to `RepoPath()` in gitparse.go - Add `--no-renames` flag to `Staged()` in gitparse.go - Add regression test `TestRenamedFileContainsSecret` ## Testing Created a test repository with: 1. Initial file with AWS credentials 2. Renamed file using `git mv` Before fix: Secret only reported in original file (now deleted) After fix: Secret correctly reported in renamed file
diff --git a/pkg/gitparse/gitparse.go b/pkg/gitparse/gitparse.go
@@ -234,11 +234,12 @@ func (c *Parser) RepoPath(
 	args := []string{
 		"-C", source,
 		"log",
-		"--patch", // https://git-scm.com/docs/git-log#Documentation/git-log.txt---patch
+		"--patch",        // https://git-scm.com/docs/git-log#Documentation/git-log.txt---patch
 		"--full-history",
 		"--date=iso-strict",
 		"--pretty=fuller", // https://git-scm.com/docs/git-log#_pretty_formats
 		"--notes",         // https://git-scm.com/docs/git-log#Documentation/git-log.txt---notesltrefgt
+		"--no-renames",    // Disable rename detection to ensure renamed/copied files show full content
 	}
 	if abbreviatedLog {
 		args = append(args, "--diff-filter=AM")
@@ -279,7 +280,8 @@ func (c *Parser) RepoPath(
 // Staged parses the output of the `git diff` command for the `source` path.
 func (c *Parser) Staged(ctx context.Context, source string) (chan *Diff, error) {
 	// Provide the --cached flag to diff to get the diff of the staged changes.
-	args := []string{"-C", source, "diff", "-p", "--cached", "--full-history", "--diff-filter=AM", "--date=iso-strict"}
+	// --no-renames ensures renamed/copied files show full content instead of similarity index.
+	args := []string{"-C", source, "diff", "-p", "--cached", "--full-history", "--diff-filter=AM", "--no-renames", "--date=iso-strict"}
 
 	cmd := exec.Command("git", args...)
 
diff --git a/pkg/sources/git/git_test.go b/pkg/sources/git/git_test.go
@@ -1163,3 +1163,56 @@ func TestPrepareRepoWithNormalizationBare(t *testing.T) {
 		})
 	}
 }
+
+// TestRenamedFileContainsSecret ensures that when a file is renamed (git mv),
+// the scanner still detects secrets in the renamed file.
+// This is a regression test for: https://github.com/trufflesecurity/trufflehog/issues/4672
+func TestRenamedFileContainsSecret(t *testing.T) {
+	t.Parallel()
+
+	// Create a test repo with a secret
+	repoPath := setupTestRepo(t, "rename-test-repo")
+
+	// Create initial file with a secret
+	secret := "AKIA1234567890ABCDEF"
+	initialContent := fmt.Sprintf("aws_access_key_id = %s\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", secret)
+	addTestFileAndCommit(t, repoPath, "credentials.txt", initialContent)
+
+	// Rename the file using git mv
+	assert.NoError(t, exec.Command("git", "-C", repoPath, "mv", "credentials.txt", "credentials_backup.txt").Run())
+	assert.NoError(t, exec.Command("git", "-C", repoPath, "commit", "-m", "Rename credentials file").Run())
+
+	// Scan the repo
+	ctx := context.Background()
+	s := Source{}
+	conn, err := anypb.New(&sourcespb.Git{
+		Directories: []string{repoPath},
+		Credential:  &sourcespb.Git_Unauthenticated{Unauthenticated: &credentialspb.Unauthenticated{}},
+	})
+	assert.NoError(t, err)
+
+	err = s.Init(ctx, "test", 0, 0, false, conn, 1)
+	assert.NoError(t, err)
+
+	chunksChan := make(chan *sources.Chunk, 100)
+	go func() {
+		defer close(chunksChan)
+		err := s.Chunks(ctx, chunksChan)
+		assert.NoError(t, err)
+	}()
+
+	// Collect all chunks and verify we find the secret in the renamed file
+	foundInRenamedFile := false
+	for chunk := range chunksChan {
+		if chunk.SourceMetadata != nil {
+			metadata := chunk.SourceMetadata.GetGit()
+			if metadata != nil && strings.Contains(metadata.File, "credentials_backup.txt") {
+				if bytes.Contains(chunk.Data, []byte(secret)) {
+					foundInRenamedFile = true
+				}
+			}
+		}
+	}
+
+	assert.True(t, foundInRenamedFile, "Secret should be detected in the renamed file (credentials_backup.txt)")
+}
