Draft: Remove GetTreeEntries from SPP
What does this MR do and why?
This drops the use of the `GetTreeEntries()` RPC in Secret Push Protection, which is used to correlate a secret finding to a commit SHA and a file path, in favour of the newly introduced `commit_id` attribute that is now included with every `ChangedPath` entry in `FindChangedPaths()` RPC responses when the request is a `CommitRequest` (which is the case for SPP).
To achieve this, we build a map of all payloads and their changed paths (including the commit SHA associated with each individual `ChangedPath` entry). Then, while building the message we display to the user, we pull the commit SHA and the file path directly from that map instead of calling `GetTreeEntries()` for each commit, as was the case earlier.
This performance optimization could reduce the time it takes to complete a Secret Push Protection scan, as we now:
- Call the `ListAllCommits()` RPC (once per scan)
- Call the `FindChangedPaths()` RPC (once per scan)
- Call the `DiffBlobs()` RPC (once per 50 changed paths)
The earlier workflow (before this change) was:
- Call the `ListAllCommits()` RPC (once per scan)
- Call the `FindChangedPaths()` RPC (once per scan)
- Call the `DiffBlobs()` RPC (once per 50 changed paths)
- Call the `GetTreeEntries()` RPC (once per commit, e.g. for 100+ commits we make 100+ calls to `GetTreeEntries()`)
Feature Flags
This change is implemented behind the `drop_get_tree_entries_from_spp` feature flag. It's a `gitlab_com_derisk` flag.
References
Resolves #477389.
Screenshots or screen recordings
| Before | After |
|---|---|
| | |
Yes, it's basically the same output. Nothing changed in the user experience.
How to set up and validate locally
MR acceptance checklist
I have evaluated this MR against the MR acceptance checklist.
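As an added illustration of the map-based correlation described above (this is constructed example code, not GitLab's or Gitaly's implementation): each changed-path entry carries its own `commit_id`, so a per-scan index from blob id to (commit SHA, path) is enough to locate every finding without a per-commit `GetTreeEntries()` call. The hash shapes (`commit_id`, `path`, `new_blob_id` on a changed path; `blob_id`, `line_number`, `type` on a finding) and all SHAs, paths and finding types are assumptions made up for the example.

```ruby
# Added example, not GitLab's code: correlate secret findings to a commit SHA
# and file path using the commit_id carried on each changed-path entry, so no
# per-commit GetTreeEntries() call is needed.
#
# Assumed shapes (constructed for this example, not Gitaly's actual protobuf):
#   changed_path = { commit_id:, path:, new_blob_id: }
#   finding      = { blob_id:, line_number:, type: }

# Sample FindChangedPaths-style response, constructed inline.
CHANGED_PATHS = [
  { commit_id: 'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', path: 'config/secrets.yml', new_blob_id: 'blob-001' },
  { commit_id: 'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', path: 'README.md',          new_blob_id: 'blob-002' },
  { commit_id: 'f0e1d2c3b4a5968778695a4b3c2d1e0f12345678', path: 'app/token.rb',       new_blob_id: 'blob-003' },
  # Same blob content committed again under a different path: one blob, two locations.
  { commit_id: 'f0e1d2c3b4a5968778695a4b3c2d1e0f12345678', path: 'lib/token_copy.rb',  new_blob_id: 'blob-003' }
].freeze

# Sample findings keyed by the scanned blob, constructed inline.
FINDINGS = [
  { blob_id: 'blob-001', line_number: 12, type: 'gitlab_personal_access_token' },
  { blob_id: 'blob-003', line_number: 3,  type: 'aws_access_key' },
  { blob_id: 'blob-404', line_number: 1,  type: 'generic' } # blob not in any changed path
].freeze

# Build the lookup once per scan: blob id -> list of { commit_id:, path: }.
# A blob can appear in several commits or paths, so every occurrence is kept.
def build_blob_index(changed_paths)
  changed_paths.each_with_object(Hash.new { |h, k| h[k] = [] }) do |cp, index|
    index[cp[:new_blob_id]] << { commit_id: cp[:commit_id], path: cp[:path] }
  end
end

# Produce one user-facing line per (finding, location) pair using only the index.
def format_findings(findings, blob_index)
  findings.flat_map do |finding|
    locations = blob_index.fetch(finding[:blob_id], [])
    if locations.empty?
      # Edge case: the blob was scanned but is absent from the changed-path map.
      # Report it without a location rather than dropping the finding silently.
      ["-- Unknown location:#{finding[:line_number]} | #{finding[:type]}"]
    else
      locations.map do |loc|
        "-- #{loc[:commit_id]}:#{loc[:path]}:#{finding[:line_number]} | #{finding[:type]}"
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  puts format_findings(FINDINGS, build_blob_index(CHANGED_PATHS))
end
```

The index is built once from the single `FindChangedPaths()` response, so the number of lookups grows with the number of findings, not with the number of commits in the push; a blob that lands in several commits or paths is reported at each location, and a blob with no matching entry is still surfaced instead of being lost.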

