Skip to content

Support scanning a specific branch#167

Open
christophetd wants to merge 2 commits intomainfrom
christophe.tafanidereeper/branch-override-and-gopkg-fix
Open

Support scanning a specific branch#167
christophetd wants to merge 2 commits intomainfrom
christophe.tafanidereeper/branch-override-and-gopkg-fix

Conversation

@christophetd
Copy link
Collaborator

  • Fix gopkg strategy crash on unexpected git ls-remote output
  • Add --branch CLI option to override the analyzed branch

@christophetd christophetd requested a review from a team as a code owner February 13, 2026 16:28
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1967ccc0d8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +454 to +455
if branch:
source_code_manager.set_branch_override_target(package)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Honor --branch when GitHub SBOM strategy is enabled

When --branch is provided, this code only configures SourceCodeManager, but GitHubSbomMetadataCollectionStrategy is still enabled and its __get_github_generated_sbom call fetches SBOM by owner/repo without any branch/ref input. In repositories where the selected branch differs from default, the run can mix default-branch SBOM dependencies with branch-specific source scans, which breaks the new CLI contract to analyze the chosen branch; consider disabling SBOM strategy (or making it ref-aware) when --branch is set.

Useful? React with 👍 / 👎.

and self._branch_override_repo_key
and (owner, repo) == self._branch_override_repo_key
):
branch = self.branch_override

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Validate branch override before shelling out to git clone

This assignment accepts raw --branch input and later feeds it into git clone ... --branch={effective_branch} executed through run_command (os.system), so shell metacharacters in the branch value can execute arbitrary commands. The new CLI option introduces a direct user-controlled path into a shell command; validate the ref format and avoid shell-string execution for clone arguments.

Useful? React with 👍 / 👎.

@arapulido
Copy link
Contributor

Thanks @christophetd ! Pointing to a branch is already possible through the mirrors.json option, that also supports forks, for example: https://github.com/DataDog/dd-license-attribution?tab=readme-ov-file#manual-repository-override-configuration

If you missed it, probably we need to improve the documentation. What do you think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants

Comments