From 29ee9e39b0bac6f48d4844e1c670de548b4d8750 Mon Sep 17 00:00:00 2001
From: Paul Beslin <paul.beslin.ext@gitguardian.com>
Date: Thu, 21 Sep 2023 15:34:43 +0200
Subject: [PATCH] feat(iac): send the scanned repository's origin url as an
 extra header

---
 ggshield/cmd/iac/scan/diff.py      |  7 +++++++
 ggshield/utils/git_shell.py        |  6 ++++++
 tests/unit/utils/test_git_shell.py | 28 ++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/ggshield/cmd/iac/scan/diff.py b/ggshield/cmd/iac/scan/diff.py
index 7aa4b75057..4b5d53e794 100644
--- a/ggshield/cmd/iac/scan/diff.py
+++ b/ggshield/cmd/iac/scan/diff.py
@@ -31,6 +31,7 @@
     Filemode,
     get_diff_files_status,
     get_filepaths_from_ref,
+    get_repository_url_from_path,
 )
 from ggshield.verticals.iac.collection.iac_diff_scan_collection import (
     IaCDiffScanCollection,
@@ -168,6 +169,11 @@ def iac_scan_diff(
         list(config.user_config.iac.ignored_policies),
         config.user_config.iac.minimum_severity,
     )
+    repository_url = get_repository_url_from_path(directory)
+
+    extra_headers = {}
+    if repository_url is not None:
+        extra_headers["repository-url"] = repository_url
 
     scan = client.iac_diff_scan(
         reference_tar,
@@ -176,6 +182,7 @@ def iac_scan_diff(
         ScanContext(
             command_path=ctx.command_path,
             scan_mode=ScanMode.DIFF,
+            extra_headers=extra_headers,
         ).get_http_headers(),
     )
 
diff --git a/ggshield/utils/git_shell.py b/ggshield/utils/git_shell.py
index 778e8ad11d..3788047efe 100644
--- a/ggshield/utils/git_shell.py
+++ b/ggshield/utils/git_shell.py
@@ -263,6 +263,12 @@ def get_last_commit_sha_of_branch(branch_name: str) -> Optional[str]:
     return last_target_commit[0]
 
 
+def get_repository_url_from_path(wd: Path) -> Optional[str]:
+    if not is_git_dir(wd):
+        return None
+    return git(["config", "--get", "remote.origin.url"], cwd=wd) or None
+
+
 def get_filepaths_from_ref(
     ref: str, wd: Optional[Union[str, Path]] = None
 ) -> List[Path]:
diff --git a/tests/unit/utils/test_git_shell.py b/tests/unit/utils/test_git_shell.py
index defc78d2ef..fbf0b98828 100644
--- a/tests/unit/utils/test_git_shell.py
+++ b/tests/unit/utils/test_git_shell.py
@@ -12,6 +12,7 @@
     check_git_dir,
     check_git_ref,
     get_filepaths_from_ref,
+    get_repository_url_from_path,
     get_staged_filepaths,
     git,
     is_git_dir,
@@ -80,6 +81,33 @@ def test_check_git_ref_valid_git_path(tmp_path):
         check_git_ref("invalid_ref", local_repo_path)
 
 
+def test_get_repository_url_from_path(tmp_path: Path):
+    # GIVEN a remote repository
+    remote_repo = Repository.create(tmp_path / "remote", bare=True)
+
+    # AND a local clone
+    local_repo_path = tmp_path / "local"
+    local_repo = Repository.clone(remote_repo.path, local_repo_path)
+    local_repo.create_commit()
+    local_repo.push()
+
+    # THEN the remote url is returned in the root clone directory
+    assert get_repository_url_from_path(local_repo_path) == str(remote_repo.path)
+    # AND in a subdirectory
+    subdirectory_path = local_repo_path / "subdirectory"
+    subdirectory_path.mkdir()
+    assert get_repository_url_from_path(subdirectory_path) == str(remote_repo.path)
+
+
+def test_get_repository_url_from_path_no_repo(tmp_path: Path):
+    # GIVEN a local directory with no remote git directory
+    local_directory_path = tmp_path / "local"
+    local_directory_path.mkdir()
+
+    # THEN no url is returned
+    assert get_repository_url_from_path(local_directory_path) is None
+
+
 def test_get_filepaths_from_ref(tmp_path):
     # GIVEN a repository
     repo = Repository.create(tmp_path)