Use default scan if diff base commit is missing

What does this MR do?

The 5.2.0 version of secret scanning fixed issues with missing commits. However, it caused a new issue when git history is rewritten on branch (non-MR) builds. Previously, the scanner was defaulting to sending a single commit to gitleaks. In 5.2.0, the incorrect git range is passed into gitleaks, causing the secret scanning job to fail. This change was rolled back in 5.2.1.

This MR reintroduces the changes in 5.2.0, plus an extra check [48ee0e90] to confirm that the base diff commit is present in the repository. If the commit is missing, we assume that the git history was rewritten and do a default scan instead.

This is meant to be a first step toward fixing invalid ranges due to rewritten history (gitlab-org/gitlab#434895). This will probably be replaced with git logic to detect the complete commit range for the branch in the case of rewritten git history.
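The decision described above (scan the `base..head` range when the diff base commit is present, fall back to a default single-commit scan when it is not) can be expressed as a small, testable helper. The following is an added example written for this page; it is not the analyzer's own code. It assumes CI-style 40-character SHAs for the base and head commits, uses `git cat-file -e` to check for the base commit without fetching, and the `gitleaks detect --log-opts` invocation it builds is an assumption about the gitleaks v8 CLI rather than something this MR states.

```python
"""Decide between a git-range scan and a default scan when the diff base
commit may be missing (e.g. after a force-push rewrote branch history).

Added example, not the analyzer's code. Assumptions:
  - base/head are commit SHAs as exposed by CI variables; an all-zero SHA
    means "no previous commit".
  - "default scan" means the single head commit, which is what the MR
    description says the scanner used to send to gitleaks.
  - `gitleaks detect --log-opts=...` is assumed from the gitleaks v8 CLI.
"""
import subprocess
from typing import Callable, Dict, Optional

# Git's all-zero object id; CI systems use it when there is no "before" commit.
NULL_SHA = "0" * 40


def commit_exists(sha: str, repo_path: str = ".") -> bool:
    """True if `sha` resolves to a commit object in the local repository.

    `git cat-file -e <sha>^{commit}` exits 0 only when the object is present
    and is a commit. It never contacts a remote, so it is safe to call on a
    shallow CI clone where a rewritten base commit is simply absent.
    """
    result = subprocess.run(
        ["git", "-C", repo_path, "cat-file", "-e", f"{sha}^{{commit}}"],
        capture_output=True,
        check=False,
    )
    return result.returncode == 0


def choose_scan(base_sha: Optional[str], head_sha: str,
                exists: Callable[[str], bool] = commit_exists) -> Dict[str, str]:
    """Return the scan mode plus the `git log` options to hand to gitleaks.

    Order of checks matters: a missing/null base must be caught before we
    ever build a range, otherwise gitleaks receives an invalid revision
    range and the job fails (the 5.2.0 regression described in the MR).
    """
    if not base_sha or base_sha == NULL_SHA:
        return {"mode": "default", "reason": "no base commit provided",
                "log_opts": f"--max-count=1 {head_sha}"}
    if not exists(base_sha):
        # Base is unknown to this clone: assume history was rewritten.
        return {"mode": "default", "reason": "base commit missing from repository",
                "log_opts": f"--max-count=1 {head_sha}"}
    return {"mode": "range", "reason": "base commit present",
            "log_opts": f"{base_sha}..{head_sha}"}


def gitleaks_command(decision: Dict[str, str], repo_path: str = ".") -> list:
    """Build the gitleaks invocation for a decision (flag names assumed)."""
    return ["gitleaks", "detect", "--source", repo_path,
            f"--log-opts={decision['log_opts']}"]


if __name__ == "__main__":
    # Constructed sample SHAs; in CI these would come from the pipeline variables.
    base, head = "a" * 40, "b" * 40
    decision = choose_scan(base, head)
    print(decision["mode"], "-", decision["reason"])
    print(" ".join(gitleaks_command(decision)))
```

The `exists` parameter is injectable so the decision logic can be unit-tested without a real repository; in CI the default `commit_exists` runs against the checked-out clone.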

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by Vishwa Bhat
