Skip to content

fix(git): detect secrets in renamed/copied files #4694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
PascalThuet wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix(git): detect secrets in renamed/copied files #4694

PascalThuet wants to merge 3 commits into from

Conversation

@PascalThuet
Copy link
Contributor

@PascalThuet PascalThuet commented Jan 24, 2026
edited
Loading

Summary

Fixes #4672

When a file is renamed using git mv or when git detects a file copy with 100% similarity, the git log --patch output shows only metadata without actual file content:

similarity index 100%
rename from fileA.ipynb
rename to fileA_DE.ipynb

This causes the scanner to miss secrets in renamed/copied files because no content diff is generated.

Solution

Add --no-renames flag to git commands in gitparse.go. This disables git's rename detection, causing git to treat renames as delete + add operations, ensuring full file content is always shown in the diff output.

Changes

  • Add --no-renames to RepoPath() git log command
  • Add --no-renames to Staged() git diff command
  • Add regression test TestRenamedFileContainsSecret

Performance Impact

  • No impact when there are no renames (identical output)
  • Minimal impact when renames exist (file content shown instead of similarity metadata)
  • In real-world repos, renames are relatively rare

Test Plan

  • Added regression test that creates a repo with a renamed file containing a secret
  • Verified the secret is detected in the renamed file after the fix
  • Run full test suite
  • Lint passing

@PascalThuet PascalThuet requested a review from a team January 24, 2026 19:05
@PascalThuet PascalThuet requested review from a team as code owners January 24, 2026 19:05
@CLAassistant
Copy link

CLAassistant commented Jan 24, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@PascalThuet PascalThuet mentioned this pull request Jan 24, 2026
Open
@PascalThuet
fix(git): detect secrets in renamed/copied files
3124e79 
When a file is renamed using `git mv` or when git detects a 100% copy,
the `git log --patch` output shows only:

```
similarity index 100%
rename from fileA.txt
rename to fileB.txt
```

Without any actual content diff, causing the scanner to miss secrets
in the renamed file.

This fix adds `--no-renames` to the git log and git diff commands,
which disables git's rename detection. This causes git to treat
renames as a delete + add operation, ensuring the full file content
is shown for newly created files.

Fixes trufflesecurity#4672

## Changes

- Add `--no-renames` flag to `RepoPath()` in gitparse.go
- Add `--no-renames` flag to `Staged()` in gitparse.go
- Add regression test `TestRenamedFileContainsSecret`

## Testing

Created a test repository with:
1. Initial file with AWS credentials
2. Renamed file using `git mv`

Before fix: Secret only reported in original file (now deleted)
After fix: Secret correctly reported in renamed file
@PascalThuet PascalThuet force-pushed the fix/scan-renamed-copied-files branch from 9499324 to 3124e79 Compare January 25, 2026 10:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GitHub scanner misses secrets in files created by copying content from previously scanned files

2 participants

@PascalThuet @CLAassistant