fix: robust changed file detection for PRs/MRs in GitHub, GitLab, and Bitbucket

- Use git diff with appropriate refs and environment variables to detect changed files in pull/merge requests across GitHub Actions, GitLab CI, and Bitbucket Pipelines.
- Fallback to git show for single commit detection.
- Ensures manifest and other file changes are correctly picked up in all major

Author: dacoburn

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.1.28"
+version = "2.1.29"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.1.28'
+__version__ = '2.1.29'

socketsecurity/core/git_interface.py

@@ -128,7 +128,56 @@ def __init__(self, path: str):
         self.commit_sha = self.commit.binsha
         self.commit_message = self.commit.message
         self.committer = self.commit.committer
-        self.show_files = self.repo.git.show(self.commit, name_only=True, format="%n").splitlines()
+        # Detect changed files in PR/MR context for GitHub, GitLab, Bitbucket; fallback to git show
+        self.show_files = []
+        detected = False
+        # GitHub Actions PR context
+        github_base_ref = os.getenv('GITHUB_BASE_REF')
+        github_head_ref = os.getenv('GITHUB_HEAD_REF')
+        if github_base_ref and github_head_ref:
+            try:
+                self.repo.git.fetch('origin', github_base_ref, github_head_ref)
+                diff_range = f"origin/{github_base_ref}...{self.commit.hexsha}"
+                diff_files = self.repo.git.diff('--name-only', diff_range)
+                self.show_files = diff_files.splitlines()
+                log.debug(f"Changed files detected via git diff (GitHub): {self.show_files}")
+                detected = True
+            except Exception as error:
+                log.debug(f"Failed to get changed files via git diff (GitHub): {error}")
+        # GitLab CI Merge Request context
+        if not detected:
+            gitlab_target = os.getenv('CI_MERGE_REQUEST_TARGET_BRANCH_NAME')
+            gitlab_source = os.getenv('CI_MERGE_REQUEST_SOURCE_BRANCH_NAME')
+            if gitlab_target and gitlab_source:
+                try:
+                    self.repo.git.fetch('origin', gitlab_target, gitlab_source)
+                    diff_range = f"origin/{gitlab_target}...origin/{gitlab_source}"
+                    diff_files = self.repo.git.diff('--name-only', diff_range)
+                    self.show_files = diff_files.splitlines()
+                    log.debug(f"Changed files detected via git diff (GitLab): {self.show_files}")
+                    detected = True
+                except Exception as error:
+                    log.debug(f"Failed to get changed files via git diff (GitLab): {error}")
+        # Bitbucket Pipelines PR context
+        if not detected:
+            bitbucket_pr_id = os.getenv('BITBUCKET_PR_ID')
+            bitbucket_source = os.getenv('BITBUCKET_BRANCH')
+            bitbucket_dest = os.getenv('BITBUCKET_PR_DESTINATION_BRANCH')
+            # BITBUCKET_BRANCH is the source branch in PR builds
+            if bitbucket_pr_id and bitbucket_source and bitbucket_dest:
+                try:
+                    self.repo.git.fetch('origin', bitbucket_dest, bitbucket_source)
+                    diff_range = f"origin/{bitbucket_dest}...origin/{bitbucket_source}"
+                    diff_files = self.repo.git.diff('--name-only', diff_range)
+                    self.show_files = diff_files.splitlines()
+                    log.debug(f"Changed files detected via git diff (Bitbucket): {self.show_files}")
+                    detected = True
+                except Exception as error:
+                    log.debug(f"Failed to get changed files via git diff (Bitbucket): {error}")
+        # Fallback to git show for single commit
+        if not detected:
+            self.show_files = self.repo.git.show(self.commit, name_only=True, format="%n").splitlines()
+            log.debug(f"Changed files detected via git show: {self.show_files}")
         self.changed_files = []
         for item in self.show_files:
             if item != "":