Pipeline Secret Detection: Analyzer scans only HEAD commit in the MR Pipeline scan

Bug

As the title says, the Pipeline Secret Detection analyzer scans only the HEAD commit of the source branch during an MR pipeline. This behaviour looks similar to a bug in Branch Pipeline.

Expected Behaviour

The analyzer should scan all commits on the branch (every commit the MR would add to the target branch) during the MR pipeline scan, as outlined here.

Reproducible Steps

  1. Check out a new branch from the default branch.
  2. Add a commit containing a secret and push it to the new branch.
  3. Create an MR from the new branch against the default branch. This triggers an MR pipeline, which runs the secret detection job.
  4. The job detects the added secret, as expected.
  5. Now add a new commit with dummy changes and push it.
  6. A new MR pipeline is triggered. This time the SD job detects NO secrets in the branch, because the analyzer scans only the HEAD commit of the branch in the MR pipeline.

Sample Project

  • Project: https://gitlab.com/vbhat161/sd-test/-/tree
  • Branch name: merge-request
  • Commit history:
    • Another Dummy Content: 695fcb0ec5e1ae907f4c5a20ff4dadc896cee549 << HEAD commit. Analyzer did not detect the secret added in the previous commit (job)
    • Add secret: 8c2437321b3cf049b2994e77e1f3fc33df63fae0 << A new secret added in this commit. Analyzer detected it when this commit was the HEAD commit (job).
    • Dummy Text: 59ce872d7d8c98fa64cb9d9fd784cf8ca417f8e8
    • Commit before MR creation: f6d7c8d8576a71ac7a79a4ca38389b9a4ef0b558

The log options passed to the Gitleaks scanner are: --first-parent 8c2437321b3cf049b2994e77e1f3fc33df63fae0..695fcb0ec5e1ae907f4c5a20ff4dadc896cee549. A git range A..B selects the commits reachable from B but not from A, so A (the "Add secret" commit) itself is excluded and only the HEAD commit is handed to the scanner.
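To make the range problem concrete, the following script (added here as an illustration; it is not code from this issue or from GitLab's analyzer) rebuilds the four-commit history above in a throwaway repository and compares the range the job log shows, parent-of-HEAD..HEAD, with the range an MR scan should cover, merge-base(target, source)..HEAD. The branch names, the grep-based stand-in for the Gitleaks rule set, and the AWS documentation example key used as the planted "secret" are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the issue or from the GitLab analyzer.
# It rebuilds the four-commit history from the issue in a throwaway repo
# and compares two commit ranges:
#   - the range the analyzer logged: <HEAD~1>..<HEAD>, i.e. only the HEAD commit
#   - the range an MR scan should cover: merge-base(target, source)..HEAD
# "scan_range" is a grep stand-in for the Gitleaks rule set, not Gitleaks itself.
set -eu

command -v git >/dev/null 2>&1 || { echo "git is required for this demo" >&2; exit 0; }

# Test data only: AWS's documented example access key id, not a live credential.
SECRET='AKIAIOSFODNN7EXAMPLE'

# Create a repo whose history mirrors the issue: "main" with one commit, then
# branch "merge-request" with "Dummy Text", "Add secret", "Another Dummy Content".
build_repo() {
  repo=$(mktemp -d)
  git init -q "$repo"
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.email ci@example.invalid
  git -C "$repo" config user.name ci
  git -C "$repo" config commit.gpgsign false
  echo base > "$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" commit -q -m "Commit before MR creation"
  git -C "$repo" checkout -q -b merge-request
  echo dummy >> "$repo/README.md"
  git -C "$repo" commit -q -am "Dummy Text"
  echo "aws_access_key_id = $SECRET" > "$repo/config.ini"
  git -C "$repo" add config.ini
  git -C "$repo" commit -q -m "Add secret"
  echo "more dummy" >> "$repo/README.md"
  git -C "$repo" commit -q -am "Another Dummy Content"
  echo "$repo"
}

# Range the analyzer passed in the issue's job log: parent-of-HEAD..HEAD.
# A..B means "reachable from B but not from A", so A itself is excluded and
# only the single HEAD commit is left.
head_only_range() {
  echo "$(git -C "$1" rev-parse HEAD~1)..$(git -C "$1" rev-parse HEAD)"
}

# Range an MR scan should use: every commit on the source branch that is not
# already on the target branch. The target branch is "main" here (assumption).
mr_range() {
  echo "$(git -C "$1" merge-base main HEAD)..$(git -C "$1" rev-parse HEAD)"
}

# Number of first-parent commits a history scan would walk for a given range.
count_commits() {
  git -C "$1" rev-list --first-parent --count "$2"
}

# Stand-in scanner: count added lines containing the secret across the
# patches of every commit in the range (what a git-history scan inspects).
scan_range() {
  git -C "$1" log --first-parent -p "$2" | grep -c "^+.*$SECRET" || true
}

REPO=$(build_repo)
for r in "$(head_only_range "$REPO")" "$(mr_range "$REPO")"; do
  echo "range $r: $(count_commits "$REPO" "$r") commit(s), $(scan_range "$REPO" "$r") secret hit(s)"
done
rm -rf "$REPO"
```

Run stand-alone, the HEAD-only range covers one commit and zero hits, while the merge-base range covers three commits and finds the planted key. In a real GitLab MR pipeline the equivalent base is available without a local merge-base call as the predefined variable CI_MERGE_REQUEST_DIFF_BASE_SHA. One caveat carried over from the analyzer's own flag: --first-parent only follows the first parent of each commit, so if the source branch contains merge commits, the commits brought in on the second parent are still not walked even with the wider range.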

Implications

This bug (once verified) could be a critical issue: a secret pushed in any earlier commit of the branch is missed as soon as one more commit is pushed on top of it, so the analyzer would let MR pipelines and Scan Execution Policies pass even when there are secrets in the branch.