[271] Add flag to only scan files that exist on head

README.md

@@ -404,6 +404,7 @@ If you execute `talisman` on the command line, you will be able to view all the
   -c, --checksum string          checksum calculator calculates checksum and suggests .talismanrc format
   -d, --debug                    enable debug mode (warning: very verbose)
   -g, --githook string           either pre-push or pre-commit (default "pre-push")
+      --ignoreHistory            scanner scans all files on current head, will not scan through git commit history
   -i, --interactive              interactively update talismanrc (only makes sense with -g/--githook)
   -p, --pattern string           pattern (glob-like) of files to scan (ignores githooks)
   -r, --reportdirectory string   directory where the scan reports will be stored

acceptance_test.go

@@ -283,6 +283,46 @@ func TestPatternFindsSecretInNestedFile(t *testing.T) {
 	})
 }
 
+func TestIgnoreHistoryDoesNotDetectRemovedSecrets(t *testing.T) {
+	withNewTmpGitRepo(func(git *git_testing.GitTesting) {
+		_options := options{
+			debug:   false,
+			pattern: "./**/*.*",
+			scan: true,
+			ignoreHistory: true,
+		}
+
+		git.SetupBaselineFiles("simple-file")
+		git.CreateFileWithContents("some-dir/should-not-be-included.txt", awsAccessKeyIDExample)
+		git.AddAndcommit("*", "Initial Commit")
+		git.RemoveFile("some-dir/should-not-be-included.txt")
+		git.AddAndcommit("*", "Removed secret")
+		git.CreateFileWithContents("some-dir/should-be-included.txt", "safeContents")
+		git.AddAndcommit("*", "Start of Scan")
+
+		assert.Equal(t, 0, runTalismanWithOptions(git, _options), "Expected run() to return 0 since secret was removed from head")
+	})
+}
+
+func TestIgnoreHistoryDetectsExistingIssuesOnHead(t *testing.T) {
+	withNewTmpGitRepo(func(git *git_testing.GitTesting) {
+		_options := options{
+			debug:   false,
+			pattern: "./**/*.*",
+			scan: true,
+			ignoreHistory: true,
+		}
+
+		git.SetupBaselineFiles("simple-file")
+		git.CreateFileWithContents("some-dir/file-with-issue.txt", awsAccessKeyIDExample)
+		git.AddAndcommit("*", "Commit with Secret")
+		git.CreateFileWithContents("some-dir/should-be-included.txt", "safeContents")
+		git.AddAndcommit("*", "Another Commit")
+
+		assert.Equal(t, 1, runTalismanWithOptions(git, _options), "Expected run() to return 1 since secret exists on head")
+	})
+}
+
 func runTalisman(git *git_testing.GitTesting) int {
 	_options := options{
 		debug:   false,

runner.go

@@ -47,11 +47,11 @@ func (r *Runner) RunWithoutErrors(promptContext prompt.PromptContext) int {
 }
 
 //Scan scans git commit history for potential secrets and returns 0 or 1 as exit code
-func (r *Runner) Scan(reportDirectory string) int {
+func (r *Runner) Scan(reportDirectory string, ignoreHistory bool) int {
 
 	fmt.Printf("\n\n")
 	utility.CreateArt("Running Scan..")
-	additions := scanner.GetAdditions()
+	additions := scanner.GetAdditions(ignoreHistory)
 	ignores := &talismanrc.TalismanRC{}
 	detector.DefaultChain(ignores).Test(additions, ignores, r.results)
 	reportsPath, err := report.GenerateReport(r.results, reportDirectory)

scanner/scanner.go

@@ -13,8 +13,8 @@ type BlobsInCommits struct {
 }
 
 // GetAdditions will get all the additions for entire git history
-func GetAdditions() []gitrepo.Addition {
-	blobsInCommits := getBlobsInCommit()
+func GetAdditions(ignoreHistory bool) []gitrepo.Addition {
+	blobsInCommits := getBlobsInCommit(ignoreHistory)
 	var additions []gitrepo.Addition
 	for blob := range blobsInCommits.commits {
 		objectDetails := strings.Split(blob, "\t")
@@ -27,8 +27,8 @@ func GetAdditions() []gitrepo.Addition {
 	return additions
 }
 
-func getBlobsInCommit() BlobsInCommits {
-	commits := getAllCommits()
+func getBlobsInCommit(ignoreHistory bool) BlobsInCommits {
+	commits := getAllCommits(ignoreHistory)
 	blobsInCommits := newBlobsInCommit()
 	result := make(chan []string, len(commits))
 	for _, commit := range commits {
@@ -62,8 +62,12 @@ func getBlobsFromChannel(blobsInCommits BlobsInCommits, result chan []string) {
 	}
 }
 
-func getAllCommits() []string {
-	out, err := exec.Command("git", "log", "--all", "--pretty=%H").CombinedOutput()
+func getAllCommits(ignoreHistory bool) []string {
+	commitRange := "--all"
+	if ignoreHistory {
+		commitRange = "--max-count=1"
+	}
+	out, err := exec.Command("git", "log", commitRange, "--pretty=%H").CombinedOutput()
 	if err != nil {
 		log.Fatal(err)
 	}

talisman.go

@@ -26,6 +26,7 @@ var (
 	//Version : Version of talisman
 	Version         = "Development Build"
 	scan            bool
+	ignoreHistory   bool
 	checksum        string
 	reportdirectory string
 	scanWithHtml    bool
@@ -48,6 +49,7 @@ type options struct {
 	githook         string
 	pattern         string
 	scan            bool
+	ignoreHistory   bool
 	checksum        string
 	reportdirectory string
 	scanWithHtml    bool
@@ -60,6 +62,7 @@ func main() {
 	flag.StringVarP(&pattern, "pattern", "p", "", "pattern (glob-like) of files to scan (ignores githooks)")
 	flag.StringVarP(&githook, "githook", "g", PrePush, "either pre-push or pre-commit")
 	flag.BoolVarP(&scan, "scan", "s", false, "scanner scans the git commit history for potential secrets")
+	flag.BoolVar(&ignoreHistory, "ignoreHistory", false, "scanner scans all files on current head, will not scan through git commit history")
 	flag.StringVarP(&checksum, "checksum", "c", "", "checksum calculator calculates checksum and suggests .talismanrc format")
 	flag.StringVarP(&reportdirectory, "reportdirectory", "r", "", "directory where the scan reports will be stored")
 	flag.BoolVarP(&scanWithHtml, "scanWithHtml", "w", false, "generate html report (**Make sure you have installed talisman_html_report to use this, as mentioned in Readme**)")
@@ -89,6 +92,7 @@ func main() {
 		githook:         githook,
 		pattern:         pattern,
 		scan:            scan,
+		ignoreHistory:   ignoreHistory,
 		checksum:        checksum,
 		reportdirectory: reportdirectory,
 		scanWithHtml:    scanWithHtml,
@@ -122,10 +126,10 @@ func run(stdin io.Reader, _options options, promptContext prompt.PromptContext)
 		return NewRunner(make([]gitrepo.Addition, 0)).RunChecksumCalculator(strings.Fields(_options.checksum))
 	} else if _options.scan {
 		log.Infof("Running scanner")
-		return NewRunner(make([]gitrepo.Addition, 0)).Scan(_options.reportdirectory)
+		return NewRunner(make([]gitrepo.Addition, 0)).Scan(_options.reportdirectory, _options.ignoreHistory)
 	} else if _options.scanWithHtml {
 		log.Infof("Running scanner with html report")
-		return NewRunner(make([]gitrepo.Addition, 0)).Scan("talisman_html_report")
+		return NewRunner(make([]gitrepo.Addition, 0)).Scan("talisman_html_report", _options.ignoreHistory)
 	} else if _options.pattern != "" {
 		log.Infof("Running %s pattern", _options.pattern)
 		directoryHook := NewDirectoryHook()