feat: run incremental scans

.2ms.yml

@@ -132,7 +132,11 @@ ignore-result:
 - 44eca14299c23849c83a7a84fdaa35b8a6a0de34 # value used for testing
 - 374eb22f69352d768e8096f9d55299c4dfd8888c # value used for testing
 - bd69025b337716ee008f80192523d3cb1c11ed09 # value used for testing
-
-
-
-
+- abee8cb648ac1d20c88db6ec5a4ae079c7d29ea8 # value used for testing
+- b8e323e82ffb1a6cd55f6f21c05ac963c2586c8f # value used for testing
+- 53fea9d5c1718a37457bc484d5a0c8336ef7ab75 # value used for testing
+- 4666bc0670fcfa15e706f53abdc59eff2674854f # value used for testing
+- f701cd699fcb706453af869581c74a7133a5a317 # value used for testing
+- b3f999807edd036ffd73f14a2ca43c543bcf366d # value used for testing
+- 7585409b82ac064a256b70d9e526a011ebfb0411 # value used for testing
+- f4d8d834faf54a9551b2a1d937a436bea498506e # value used for testing

README.md

@@ -336,6 +336,7 @@ Scans a local git repository
 | ---------------- | ----- | -------------------------------------- | -------------------------------------------------------- |
 | `--all-branches` | -     | false - only current checked in branch | scan all branches                                        |
 | `--depth`        | int   | no limit                               | limit the number of historical commits to scan from HEAD |
+| `--base-commit`  | string| -                                      | base commit to scan commits between base and HEAD        |
 
 For example
 

plugins/git.go

@@ -24,6 +24,7 @@ const (
 	argDepth           = "depth"
 	argScanAllBranches = "all-branches"
 	argProjectName     = "project-name"
+	argBaseCommit      = "base-commit"
 	unknownCommit      = "unknown"
 )
 
@@ -33,6 +34,7 @@ type GitPlugin struct {
 	depth           int
 	scanAllBranches bool
 	projectName     string
+	baseCommit      string
 }
 
 type GitInfo struct {
@@ -67,6 +69,7 @@ func (p *GitPlugin) DefineCommand(items chan ISourceItem, errors chan error) (*c
 	flags.BoolVar(&p.scanAllBranches, argScanAllBranches, false, "scan all branches [default: false]")
 	flags.IntVar(&p.depth, argDepth, 0, "number of commits to scan from HEAD")
 	flags.StringVar(&p.projectName, argProjectName, "", "Project name to differentiate between filesystem scans")
+	flags.StringVar(&p.baseCommit, argBaseCommit, "", "Base commit to scan commits between base and HEAD")
 	return command, nil
 }
 
@@ -75,9 +78,14 @@ func (p *GitPlugin) buildScanOptions() string {
 	if p.scanAllBranches {
 		options = append(options, "--all")
 	}
-	if p.depth > 0 {
+
+	// If base commit is specified, use commit range instead of depth
+	if p.baseCommit != "" {
+		options = append(options, fmt.Sprintf("%s..HEAD", p.baseCommit))
+	} else if p.depth > 0 {
 		options = append(options, fmt.Sprintf("-n %d", p.depth))
 	}
+
 	return strings.Join(options, " ")
 }
 

plugins/git_test.go

@@ -3,58 +3,94 @@ package plugins
 import (
 	"errors"
 	"fmt"
-	"github.com/gitleaks/go-gitdiff/gitdiff"
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/assert"
 	"os"
 	"path/filepath"
 	"testing"
+
+	"github.com/gitleaks/go-gitdiff/gitdiff"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestBuildScanOptions(t *testing.T) {
 	tests := []struct {
 		name            string
 		scanAllBranches bool
 		depth           int
+		baseCommit      string
 		expectedOptions string
 	}{
 		{
 			name:            "Default: scan every commit from checked in branch",
 			scanAllBranches: false,
 			depth:           0,
+			baseCommit:      "",
 			expectedOptions: "--full-history",
 		},
 		{
 			name:            "Scan all commits from all branches",
 			scanAllBranches: true,
 			depth:           0,
+			baseCommit:      "",
 			expectedOptions: "--full-history --all",
 		},
 		{
 			name:            "scan the last 10 commits from checked in branch",
 			scanAllBranches: false,
 			depth:           10,
+			baseCommit:      "",
 			expectedOptions: "--full-history -n 10",
 		},
 		{
 			name:            "Scan the last 10 commits of all branches",
 			scanAllBranches: true,
 			depth:           10,
+			baseCommit:      "",
 			expectedOptions: "--full-history --all -n 10",
 		},
 		{
 			name:            "Negative depth: should not include depth option",
 			scanAllBranches: true,
 			depth:           -5,
+			baseCommit:      "",
 			expectedOptions: "--full-history --all",
 		},
+		{
+			name:            "Base commit: scan commits between base and HEAD",
+			scanAllBranches: false,
+			depth:           0,
+			baseCommit:      "abc123",
+			expectedOptions: "--full-history abc123..HEAD",
+		},
+		{
+			name:            "Base commit with all branches",
+			scanAllBranches: true,
+			depth:           0,
+			baseCommit:      "def456",
+			expectedOptions: "--full-history --all def456..HEAD",
+		},
+		{
+			name:            "Base commit takes precedence over depth",
+			scanAllBranches: false,
+			depth:           10,
+			baseCommit:      "ghi789",
+			expectedOptions: "--full-history ghi789..HEAD",
+		},
+		{
+			name:            "Base commit with all branches takes precedence over depth",
+			scanAllBranches: true,
+			depth:           15,
+			baseCommit:      "jkl012",
+			expectedOptions: "--full-history --all jkl012..HEAD",
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			p := &GitPlugin{
 				scanAllBranches: tt.scanAllBranches,
 				depth:           tt.depth,
+				baseCommit:      tt.baseCommit,
 			}
 			result := p.buildScanOptions()
 			assert.Equal(t, tt.expectedOptions, result)