Merge pull request #82 from mongodb/development

v1.37.0
2025-08-08 16:29:21 -07:00 · 2025-08-08 16:29:21 -07:00 · 1945fe1f47
commit 1945fe1f47
parent 99ec238411 b0ce44f709
4 changed files with 9 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,9 @@

 All notable changes to this project will be documented in this file.

+## [1.37.0]
+- GitLab: include nested subgroup projects when enumerating group repositories
+
 ## [1.36.0]
 - Fixed GitHub organization and GitLab group scans when using `--git-history=none`
 - JWT tokens without both `iss` and `aud` are no longer reported as active credentials
--- a/Cargo.toml
+++ b/Cargo.toml
@ -10,7 +10,7 @@ publish = false

 [package]
 name = "kingfisher"
-version = "1.36.0"
+version = "1.37.0"
 description = "MongoDB's blazingly fast secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true
--- a/src/gitlab.rs
+++ b/src/gitlab.rs
@ -100,10 +100,10 @@ pub async fn enumerate_repo_urls(
                builder.membership(true);
            }
            RepoType::All => {
-                // nothing
+                //  this doesn’t set any owned() or membership() flags on the builder, which in GitLab’s API defaults to "all visible repos"
            }
        }
-        
+
        // Extract the builder to a separate variable to avoid borrowing a temporary,
        // allowing us to modify its fields before building the endpoint.
        let projects_ep = builder.build()?;
@ -137,6 +137,8 @@ pub async fn enumerate_repo_urls(
    for group in groups {
        let mut gp_builder = GroupProjects::builder();
        gp_builder.group(group.id);
+        // Ensure projects from nested subgroups are also enumerated
+        gp_builder.include_subgroups(true);

        if matches!(repo_specifiers.repo_filter, RepoType::Owner) {
            gp_builder.owned(true);
--- a/tests/int_rules_no_validated_findings.rs
+++ b/tests/int_rules_no_validated_findings.rs
@ -61,11 +61,7 @@ fn scan_rules_has_no_validated_findings() -> Result<()> {
        }

        // Fail only on genuinely validated secrets
-        assert_ne!(
-            &status,
-            "active credential",
-            "Validated finding detected in rule {rule_id}"
-        );
+        assert_ne!(&status, "active credential", "Validated finding detected in rule {rule_id}");
    }

    Ok(())