feat: replace "skip-git" with "include-git", making git repository scanning not the default

G-Rath · G-Rath · commit c1409f3f5a22 · 2024-10-22T13:17:13.000+13:00
BREAKING CHANGE: don't scan git repositories by default, replacing "--skip-git" with "--include-git"
diff --git a/.github/workflows/osv-scanner-reusable-pr.yml b/.github/workflows/osv-scanner-reusable-pr.yml
@@ -26,7 +26,6 @@ on:
         type: string
         default: |-
           -r
-          --skip-git
           ./
       results-file-name:
         description: "File name of the result SARIF file"
diff --git a/.github/workflows/osv-scanner-reusable.yml b/.github/workflows/osv-scanner-reusable.yml
@@ -26,7 +26,6 @@ on:
         type: string
         default: |-
           -r
-          --skip-git
           ./
       results-file-name:
         description: "File name of the result SARIF file"
diff --git a/.github/workflows/osv-scanner-unified-action.yml b/.github/workflows/osv-scanner-unified-action.yml
@@ -38,7 +38,6 @@ jobs:
     with:
       # Just scan the root directory and docs, since everything else is fixtures
       scan-args: |-
-        --skip-git
         ./
         ./docs/
   scan-pr:
@@ -52,6 +51,5 @@ jobs:
     with:
       # Just scan the root directory and docs, since everything else is fixtures
       scan-args: |-
-        --skip-git
         ./
         ./docs/
diff --git a/.github/workflows/prerelease-check.yml b/.github/workflows/prerelease-check.yml
@@ -27,7 +27,6 @@ jobs:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
       scan-args: |-
-        --skip-git
         ./
 
   format:
diff --git a/actions/scanner/action.yml b/actions/scanner/action.yml
@@ -5,7 +5,6 @@ inputs:
   scan-args:
     description: "Arguments to osv-scanner, separated by new line"
     default: |-
-      --skip-git
       --recursive
       ./
 runs:
diff --git a/cmd/osv-scanner/scan/main.go b/cmd/osv-scanner/scan/main.go
@@ -74,8 +74,8 @@ func Command(stdout, stderr io.Writer, r *reporter.Reporter) *cli.Command {
 				TakesFile: true,
 			},
 			&cli.BoolFlag{
-				Name:  "skip-git",
-				Usage: "skip scanning git repositories",
+				Name:  "include-git",
+				Usage: "include scanning git repositories",
 				Value: false,
 			},
 			&cli.BoolFlag{
@@ -226,7 +226,7 @@ func action(context *cli.Context, stdout, stderr io.Writer) (reporter.Reporter,
 		SBOMPaths:            context.StringSlice("sbom"),
 		DockerContainerNames: context.StringSlice("docker"),
 		Recursive:            context.Bool("recursive"),
-		SkipGit:              context.Bool("skip-git"),
+		IncludeGit:           context.Bool("include-git"),
 		NoIgnore:             context.Bool("no-ignore"),
 		ConfigOverridePath:   context.String("config"),
 		DirectoryPaths:       context.Args().Slice(),
diff --git a/docs/github-action.md b/docs/github-action.md
@@ -138,7 +138,6 @@ jobs:
       # Only scan the top level go.mod file without recursively scanning directories since
       # this is pipeline is about releasing the go module and binary
       scan-args: |-
-        --skip-git
         ./
     permissions:
       # Require writing security events to upload SARIF file to security tab
@@ -167,7 +166,6 @@ The GitHub Actions have the following optional inputs:
   Default:
   ```bash
     --recursive # Recursively scan subdirectories
-    --skip-git=true # Skip commit scanning to focus on dependencies
     ./ # Start the scan from the root of the repository
   ```
 - `results-file-name`: This is the name of the final SARIF file uploaded to Github.
@@ -202,7 +200,6 @@ jobs:
     with:
       scan-args: |-
         --recursive
-        --skip-git=true
         ./
 ```
 
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -42,7 +42,7 @@ type ScannerActions struct {
 	DirectoryPaths       []string
 	GitCommits           []string
 	Recursive            bool
-	SkipGit              bool
+	IncludeGit           bool
 	NoIgnore             bool
 	DockerContainerNames []string
 	ConfigOverridePath   string
@@ -114,7 +114,7 @@ const (
 //   - Any lockfiles with scanLockfile
 //   - Any SBOM files with scanSBOMFile
 //   - Any git repositories with scanGit
-func scanDir(r reporter.Reporter, dir string, skipGit bool, recursive bool, useGitIgnore bool, compareOffline bool, transitiveAct TransitiveScanningActions) ([]scannedPackage, error) {
+func scanDir(r reporter.Reporter, dir string, includeGit bool, recursive bool, useGitIgnore bool, compareOffline bool, transitiveAct TransitiveScanningActions) ([]scannedPackage, error) {
 	var ignoreMatcher *gitIgnoreMatcher
 	if useGitIgnore {
 		var err error
@@ -158,7 +158,7 @@ func scanDir(r reporter.Reporter, dir string, skipGit bool, recursive bool, useG
 			}
 		}
 
-		if !skipGit && info.IsDir() && info.Name() == ".git" {
+		if includeGit && info.IsDir() && info.Name() == ".git" {
 			pkgs, err := scanGit(r, filepath.Dir(path)+"/")
 			if err != nil {
 				r.Infof("scan failed for git repository, %s: %v\n", path, err)
@@ -857,7 +857,7 @@ func DoScan(actions ScannerActions, r reporter.Reporter) (models.VulnerabilityRe
 	}
 
 	if actions.CompareOffline {
-		actions.SkipGit = true
+		actions.IncludeGit = false
 
 		if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {
 			return models.VulnerabilityResults{}, errors.New("cannot retrieve licenses locally")
@@ -932,7 +932,7 @@ func DoScan(actions ScannerActions, r reporter.Reporter) (models.VulnerabilityRe
 
 	for _, dir := range actions.DirectoryPaths {
 		r.Infof("Scanning dir %s\n", dir)
-		pkgs, err := scanDir(r, dir, actions.SkipGit, actions.Recursive, !actions.NoIgnore, actions.CompareOffline, actions.TransitiveScanningActions)
+		pkgs, err := scanDir(r, dir, actions.IncludeGit, actions.Recursive, !actions.NoIgnore, actions.CompareOffline, actions.TransitiveScanningActions)
 		if err != nil {
 			return models.VulnerabilityResults{}, err
 		}
