Does noseyparker scan ALL commits, or can we just scan main?

[munntjlx]

When noseyparker scans, does it read ALL secrets in all commits? If so, how do I limit to a particular commit or 'main'.

[bradlarsen]

@munntjlx Yes, in its current incarnation (v0.14.0 and the latest unreleased bit on main), all found Git history is scanned. There is not a nice built-in way to change this behavior at present.

There is a workaround you could use today: use git archive to export just the files from a desired commit to a directory tree (sans a .git directory), and have Nosey Parker scan that. For example:

$ git archive $COMMIT_SHA_OF_INTEREST -o out.tar
$ mkdir extracted && tar -C extracted -xf out.tar
$ noseyparker scan ...options... extracted

If this is done just so, there will be no .git directory in the input, no Git history to be found, and only the directory of checked-out files from $COMMIT_SHA_OF_INTEREST will be scanned. (Yeah, this is cumbersome and manual. But it's a workaround.)

I have a bunch of stuff in an internal version of Nosey Parker that I'll be merging back here. The ability to ignore Git history entirely will be added in the next Nosey Parker release. Also, I plan to add an option to request scanning only the HEAD commit in a future release.

[munntjlx]

Great answer. Thanks for the info!

[munntjlx]

Quick way to get the 'current' hash commit of 'main' is to use the following command:
set ARCHIVE=$(cat .git/refs/heads/main

[munntjlx]

Update: 0.15 adds this:

The scan command now supports a new --git-history={full,none} parameter to control whether encountered Git history will be scanned. This defaults to full, but specifying a value of none will cause Git history to be ignored.

[bradlarsen]

Yes, using --git-history=none will cause only regular files — not git history — to be scanned.

One rough edge with this new option is that if you use Nosey Parker's built-in support for cloning Git repositories (like --git-url SOME_GIT_REPO), nothing useful will be scanned. This is because Nosey Parker uses "bare" or "mirror" cloning mode when it fetches a Git repo; neither of those give you a working copy, but rather, just the history, so there are no "regular" files to scan.