
Pull request scanning misses commits beyond 30 #187

@thomastoumpoulis-seon

Description


While using gitleaks-action, I ran into a limitation with how commits are scanned during pull request events.

In the ScanPullRequest function, the following GitHub API call is made:

// Single request with no per_page/page parameters: GitHub's list endpoints
// default to 30 items per page, so only the first page of commits is returned.
let commits = await octokit.request(
  "GET /repos/{owner}/{repo}/pulls/{pull_number}/commits",
  {
    owner: owner,
    repo: repo,
    pull_number: eventJSON.number,
  }
);

However, this call only retrieves the first 30 commits in the PR because it does not handle pagination (per_page defaults to 30). As a result, pull requests with more than 30 commits are not fully scanned, which could allow secrets to slip through.

Potential improvements

  1. Use pagination:
    The fix could involve using Octokit's pagination helpers to retrieve all commits.

  2. Preferred: Use base and head SHAs from the webhook:
    The pull_request webhook event already provides the pull_request.base.sha and pull_request.head.sha fields.
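The truncation and the first proposed fix, as an added example that is not gitleaks-action's code: the `fakeOctokit` object below is a constructed stand-in for `octokit.request` that pages results the way the GitHub REST API does (`per_page` defaulting to 30, capped at 100), and the 75 commit SHAs are constructed sample data. The page loop is hand-written so the example runs offline; real Octokit packages the same loop as `octokit.paginate()`. The completeness check assumes the pull request payload's `commits` count is available to the caller.

```javascript
// Added example (not gitleaks-action's code): reproduces the 30-commit
// truncation and shows a page loop that retrieves every commit of a PR.
// fakeOctokit is a constructed stand-in for octokit.request; the commit
// list is constructed sample data.

const ROUTE = "GET /repos/{owner}/{repo}/pulls/{pull_number}/commits";

// 75 constructed commits: more than one default page, not a multiple of 30.
const SAMPLE_COMMITS = Array.from({ length: 75 }, (_, i) => ({
  sha: `constructed-sha-${String(i).padStart(3, "0")}`,
}));

// Stand-in for octokit.request. Mirrors the REST API's list behaviour:
// per_page defaults to 30 and is capped at 100, page defaults to 1.
const fakeOctokit = {
  async request(route, params = {}) {
    if (route !== ROUTE) throw new Error(`unexpected route: ${route}`);
    const perPage = Math.min(params.per_page ?? 30, 100);
    const page = params.page ?? 1;
    const start = (page - 1) * perPage;
    return { data: SAMPLE_COMMITS.slice(start, start + perPage) };
  },
};

// The call as written in the issue: one request, so at most one page
// (30 commits) comes back regardless of how many commits the PR has.
async function listCommitsSinglePage(octokit, owner, repo, pullNumber) {
  const res = await octokit.request(ROUTE, { owner, repo, pull_number: pullNumber });
  return res.data;
}

// Page loop: request the largest page size and keep going until a page
// comes back short (a final empty page ends the loop when the total is an
// exact multiple of perPage).
async function listCommitsAllPages(octokit, owner, repo, pullNumber, perPage = 100) {
  const commits = [];
  for (let page = 1; ; page++) {
    const res = await octokit.request(ROUTE, {
      owner, repo, pull_number: pullNumber, per_page: perPage, page,
    });
    commits.push(...res.data);
    if (res.data.length < perPage) return commits;
  }
}

// Completeness guard: compare the fetched list against the commit count
// the pull_request payload reports, so a scan cannot silently cover only
// part of the PR.
function isCommitListComplete(commits, expectedCount) {
  return commits.length === expectedCount;
}

async function main() {
  const single = await listCommitsSinglePage(fakeOctokit, "org", "repo", 187);
  const all = await listCommitsAllPages(fakeOctokit, "org", "repo", 187);
  console.log(`single request: ${single.length} commits (complete: ${isCommitListComplete(single, 75)})`);
  console.log(`page loop:      ${all.length} commits (complete: ${isCommitListComplete(all, 75)})`);
}

main().catch((err) => { console.error(err); process.exit(1); });
```

Run with `node pr-commits.js`: the single request yields 30 of the 75 commits, the page loop yields all 75. The second approach in the issue avoids the listing endpoint entirely: `pull_request.base.sha` and `pull_request.head.sha` from the webhook define a commit range that the scanner can walk locally, which has no page limit to handle.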
