From 0ed44f1c596e840cacc79f072e265714cd503a21 Mon Sep 17 00:00:00 2001
From: Pierre Smeyers <pierre.smeyers@gmail.com>
Date: Tue, 1 Apr 2025 19:41:13 +0200
Subject: [PATCH] fix: analyse branch or MR commits only

- in a branch: only analyse this branch commits
- in a MR: only analyse commits within the MR
---
 templates/gitlab-ci-gitleaks.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/templates/gitlab-ci-gitleaks.yml b/templates/gitlab-ci-gitleaks.yml
index 71a16dc..8cc0e3b 100644
--- a/templates/gitlab-ci-gitleaks.yml
+++ b/templates/gitlab-ci-gitleaks.yml
@@ -233,7 +233,17 @@ gitleaks:
     - install_gitleaks_rules
     - git config --global --add safe.directory "${CI_PROJECT_DIR}"
   script:
-    - gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --report-path reports/gitleaks.native.json $GITLEAKS_ARGS .
+    - |
+      log_opts=""
+      if [[ "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]
+      then
+        log_info "Merge Request only analysis (\\e[33;1m${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}\\e[0m)"
+        log_opts="${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}"
+      else
+        log_info "Full branch analysis (\\e[33;1m${CI_COMMIT_SHA}\\e[0m and ancestors)"
+        log_opts="${CI_COMMIT_SHA}"
+      fi
+    - gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --log-opts "$log_opts" --report-path reports/gitleaks.native.json $GITLEAKS_ARGS .
   artifacts:
     name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
     when: always
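Review bot: The merge-request branch of the new script (L23-L26) assumes `CI_MERGE_REQUEST_DIFF_BASE_SHA` is present in the local clone, but GitLab fetches shallowly when `GIT_DEPTH` is set, and with a stale or long-lived MR the base commit may not be fetched; `git log base..head` then fails and the secret scan aborts instead of scanning the MR commits. A guard such as `if [[ "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]] && git cat-file -e "${CI_MERGE_REQUEST_DIFF_BASE_SHA}^{commit}" 2>/dev/null` with an explicit `log_error`/fallback in the else branch would make the failure mode visible rather than silently narrowing or breaking the scan (exact behaviour depends on the project's clone settings, which are not shown here). Also note that the else branch passes only `${CI_COMMIT_SHA}`, which `git log` expands to that commit and all its ancestors (as the log message itself says), so on a feature branch pipeline the scan still covers every commit reachable from HEAD, including the default branch's history; this does not match the commit title's claim to "only analyse this branch commits", so either the title or the log message/comment should be adjusted, e.g. `# no MR context: scan HEAD and all reachable history`. The enclosing `gitleaks` job starts before the hunk and its `artifacts` section continues past it.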
-- 
GitLab