Add StrategySHARangeLogOpts
What does this MR do?
Adds validation for SHA ranges in SECRET_DETECTION_LOG_OPTIONS to prevent silent 0-commit scans and fail jobs with invalid ranges.
Related issues
- Closes gitlab-org/gitlab#576886: Add validation logic to catch unexpected commit ranges for pipeline secret detection
- Closes gitlab-org/gitlab#570137 (closed): Fix scan execution policy-based Secret Detection scanning 0 commits when no new changes exist
Implementation
Problem: GitLab's `CreatePipelineService` can set `SECRET_DETECTION_LOG_OPTIONS=SHA..SHA` when no new commits exist. gitleaks then silently scans 0 commits and the job passes green even though nothing was checked.
Solution: the new `FetchRangeLogOpts` strategy validates SHA ranges before scanning:
| Scenario | Behavior | Result |
|---|---|---|
| Empty range (`SHA..SHA`) | Range detected as empty, 0 commits scanned | Job passes |
| Reversed (`NEWER..OLDER`) | Ancestry check fails | Job fails with a descriptive error |
| Invalid SHA | SHA doesn't exist in the repository | Job fails with a descriptive error |
| Valid range (`BASE..HEAD`) | Ancestry validated | Job passes, range scanned |
Validation method: `git merge-base --is-ancestor BASE HEAD` verifies that BASE is an ancestor of HEAD (exit 0 = valid; exit 1 = BASE is not an ancestor of HEAD, i.e. the range is reversed or the two commits have diverged; any other non-zero exit, such as 128 when a SHA does not resolve to a commit, is treated as an invalid range). The empty-range check must run before the ancestry check: every commit is an ancestor of itself, so `git merge-base --is-ancestor SHA SHA` exits 0 and would otherwise classify the empty range as valid.
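The classification above, written out as an added example in Go (this is not the MR's `FetchRangeLogOpts` code and does not reflect the analyzer's internal structure; the names `ValidateRange`, `AncestryChecker`, `GitAncestry` and `LinearHistory` are hypothetical). `GitAncestry` runs the real `git merge-base --is-ancestor` check and maps its exit codes; `LinearHistory` is a constructed in-memory ancestry oracle so the validator can be exercised without a repository. Options that are not a two-SHA range are passed through unchecked, matching the MR's claim that only SHA ranges are validated.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// RangeResult is the outcome of validating a SECRET_DETECTION_LOG_OPTIONS value.
type RangeResult int

const (
	RangeUnchecked RangeResult = iota // not a SHA..SHA range: leave the option untouched
	RangeValid                        // BASE is an ancestor of HEAD: scan BASE..HEAD
	RangeEmpty                        // SHA..SHA: nothing to scan, job passes with 0 commits
	RangeInvalid                      // reversed, diverged or unresolvable SHA: job fails
)

func (r RangeResult) String() string {
	return [...]string{"unchecked", "valid", "empty", "invalid"}[r]
}

// ErrUnresolvable is returned when a SHA in the range cannot be resolved.
var ErrUnresolvable = errors.New("SHA could not be resolved")

// AncestryChecker answers "is base an ancestor of head?".
type AncestryChecker interface {
	IsAncestor(base, head string) (bool, error)
}

// GitAncestry shells out to `git merge-base --is-ancestor BASE HEAD` in RepoDir
// and maps the exit code exactly as the MR describes (hypothetical helper).
type GitAncestry struct{ RepoDir string }

func (g GitAncestry) IsAncestor(base, head string) (bool, error) {
	cmd := exec.Command("git", "merge-base", "--is-ancestor", base, head)
	cmd.Dir = g.RepoDir
	_, err := cmd.Output() // Output() captures stderr into ExitError.Stderr
	if err == nil {
		return true, nil // exit 0: base is an ancestor of head
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		if exitErr.ExitCode() == 1 {
			return false, nil // exit 1: reversed or diverged, not an ancestor
		}
		// any other exit code (128 when a SHA is not a valid commit name,
		// or RepoDir is not a repository) is reported as unresolvable
		return false, fmt.Errorf("%w: %s", ErrUnresolvable, strings.TrimSpace(string(exitErr.Stderr)))
	}
	return false, err
}

// LinearHistory is a constructed in-memory AncestryChecker over a linear list
// of SHAs, oldest first. Test data only, not real commits.
type LinearHistory []string

func (h LinearHistory) index(sha string) int {
	for i, s := range h {
		if s == sha {
			return i
		}
	}
	return -1
}

func (h LinearHistory) IsAncestor(base, head string) (bool, error) {
	bi, hi := h.index(base), h.index(head)
	if bi < 0 || hi < 0 {
		return false, ErrUnresolvable
	}
	return bi <= hi, nil
}

// shaRange matches "BASE..HEAD" with abbreviated or full lowercase hex SHAs.
var shaRange = regexp.MustCompile(`^([0-9a-f]{7,40})\.\.([0-9a-f]{7,40})$`)

// ValidateRange classifies a log-options value. The emptiness check runs before
// the ancestry check because every commit is an ancestor of itself.
func ValidateRange(logOpts string, git AncestryChecker) (RangeResult, error) {
	m := shaRange.FindStringSubmatch(strings.TrimSpace(logOpts))
	if m == nil {
		return RangeUnchecked, nil
	}
	base, head := m[1], m[2]
	if base == head {
		return RangeEmpty, nil
	}
	ok, err := git.IsAncestor(base, head)
	if err != nil {
		return RangeInvalid, fmt.Errorf("invalid SHA range %q: %w", logOpts, err)
	}
	if !ok {
		return RangeInvalid, fmt.Errorf("invalid SHA range %q: %s is not an ancestor of %s (reversed or diverged)", logOpts, base, head)
	}
	return RangeValid, nil
}

func main() {
	h := LinearHistory{"aaaaaaa", "bbbbbbb", "ccccccc"} // constructed history
	for _, opts := range []string{"aaaaaaa..ccccccc", "ccccccc..ccccccc", "ccccccc..aaaaaaa", "ddddddd..ccccccc", "--since=2024-01-01"} {
		r, err := ValidateRange(opts, h)
		fmt.Printf("%-20s -> %-9v %v\n", opts, r, err)
	}
}
```

To check a real checkout, swap `LinearHistory` for `GitAncestry{RepoDir: "."}`; the classification logic does not change, only the ancestry oracle does.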
Changes
- Added `FetchRangeLogOpts` strategy with ancestry validation
- Fail jobs on invalid/reversed SHA ranges with descriptive errors
- Pass jobs on empty ranges (`SHA..SHA`) with 0 commits scanned
- Unit tests for all validation scenarios
- Integration tests for empty, reversed, and invalid ranges
Breaking changes
None. Existing pipelines unchanged. Only adds validation for SHA ranges in log options.
Edited by Aditya Tiwari