Is your feature request related to a problem? Please describe.
At present, the Git Proxy diff used in reviews and scanned with configured regexes is only produced for the overall push. There is no way for a reviewer to see the diff of individual commits, nor for the scans to apply to the diffs of individual commits. This potentially allows information that should not be allowed to egress to exist in the git history - if not in the final diff, then in the chain of commits.
It should absolutely NOT be possible to sneak secrets or a firm's confidential infrastructure details (for example) out through git proxy by concealing those details from reviews and scans in the middle of a list of commits - where that may be possible at present.
Describe the solution you'd like
- Git Proxy should extract diffs for each commit in a push, in addition to the overall diff.
- Scans must be applied to each individual commit.
- Individual commit diffs should be exposed to reviewers through the UI to facilitate manual review.
Describe alternatives you've considered
The only alternative I can think of is to require pushes to be squashed down to a single commit in all cases...
Additional context
I'm not sure if the gitleaks scanner scans each commit in the diff, but that should be investigated and added to the scope if not.
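The following script is an added illustration of the gap this issue describes; it is not code from the issue author or from the git-proxy project. It builds a throwaway repository in which one commit adds a credential-looking line and the next commit removes it, then compares a scan of the overall push diff (old..new, as described above) with a scan of each pushed commit's own diff. The regex `api_key *= *[A-Za-z0-9]{8,}` stands in for a configured scan rule, and the repository contents are constructed for the demo; both are assumptions, not git-proxy configuration.

```shell
#!/bin/sh
# Added example: per-commit scanning vs. whole-push scanning of a git push range.
# Not git-proxy code. Requires only git and POSIX sh/grep.
set -eu

# Constructed regex standing in for a configured scan rule (assumption).
SECRET_RE='api_key *= *[A-Za-z0-9]{8,}'

# Build a throwaway repo: base commit -> commit adding a fake key -> commit removing it.
# The fake key exists only in the middle commit, never in the final tree.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.com
  git -C "$repo" config user.name demo
  printf 'region = eu-west-1\n' > "$repo/config.ini"
  git -C "$repo" add . && git -C "$repo" commit -q -m 'base config'
  printf 'region = eu-west-1\napi_key = ABCDEFGH12345678\n' > "$repo/config.ini"   # constructed fake key
  git -C "$repo" commit -q -am 'oops: commit key'
  printf 'region = eu-west-1\n' > "$repo/config.ini"
  git -C "$repo" commit -q -am 'remove key again'
  echo "$repo"
}

# Count added lines matching SECRET_RE in the single diff covering the whole
# push (old..new). This is the scanning model described in the issue.
scan_push_diff() {  # $1=repo $2=old-sha $3=new-sha
  git -C "$1" diff "$2" "$3" | grep -E -c "^[+].*$SECRET_RE" || true
}

# Walk every commit in the pushed range, oldest first, and scan each commit's
# diff against its parent. Reports offending commits on stderr, total on stdout.
scan_each_commit() {  # $1=repo $2=old-sha $3=new-sha
  hits=0
  for sha in $(git -C "$1" rev-list --reverse "$2..$3"); do
    n=$(git -C "$1" show --format= "$sha" | grep -E -c "^[+].*$SECRET_RE" || true)
    if [ "$n" -gt 0 ]; then
      echo "commit $sha: $n added line(s) match /$SECRET_RE/" >&2
      hits=$((hits + n))
    fi
  done
  echo "$hits"
}

# Demo run: the push-level scan sees nothing, the per-commit scan finds the key.
demo_repo=$(make_demo_repo)
demo_old=$(git -C "$demo_repo" rev-parse HEAD~2)
demo_new=$(git -C "$demo_repo" rev-parse HEAD)
echo "push-level diff hits: $(scan_push_diff "$demo_repo" "$demo_old" "$demo_new")"
echo "per-commit diff hits: $(scan_each_commit "$demo_repo" "$demo_old" "$demo_new")"
rm -rf "$demo_repo"
```

Because the middle commit's addition is reverted before the push tip, `git diff old new` is empty and the push-level scan reports zero hits, while iterating `git rev-list old..new` and scanning `git show` for each commit reports one hit. The same loop is where a reviewer-facing per-commit diff would be produced.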