From 97956bcc3fff56339eae5e3c75f81f6fba0fb6ff Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Fri, 8 Aug 2025 15:11:36 -0700
Subject: [PATCH 1/3] GitLab: include nested subgroup projects when enumerating group repositories
---
 CHANGELOG.md | 3 +++
 Cargo.toml | 2 +-
 src/cli/commands/inputs.rs | 2 +-
 src/gitlab.rs | 4 +++-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d6bc09d..44c6f4c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 All notable changes to this project will be documented in this file.
+## [1.37.0]
+- GitLab: include nested subgroup projects when enumerating group repositories
+
 ## [1.36.0]
 - Fixed GitHub organization and GitLab group scans when using `--git-history=none`
 - JWT tokens without both `iss` and `aud` are no longer reported as active credentials
diff --git a/Cargo.toml b/Cargo.toml
index 4114e10..aec70d4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
 [package]
 name = "kingfisher"
-version = "1.36.0"
+version = "1.37.0"
 description = "MongoDB's blazingly fast secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true
diff --git a/src/cli/commands/inputs.rs b/src/cli/commands/inputs.rs
index 2249640..13bc78b 100644
--- a/src/cli/commands/inputs.rs
+++ b/src/cli/commands/inputs.rs
@@ -85,7 +85,7 @@ pub struct InputSpecifierArgs {
 )]
 pub gitlab_api_url: Url,
-#[arg(long, default_value_t = GitLabRepoType::All)]
+#[arg(long, default_value_t = GitLabRepoType::Owner)]
 pub gitlab_repo_type: GitLabRepoType,
 /// Jira base URL (e.g. https://jira.example.com)
diff --git a/src/gitlab.rs b/src/gitlab.rs
index f5b6ee3..dc0915a 100644
--- a/src/gitlab.rs
+++ b/src/gitlab.rs
@@ -100,7 +100,7 @@ pub async fn enumerate_repo_urls(
 builder.membership(true);
 }
 RepoType::All => {
- // nothing
+ // this doesn’t set any owned() or membership() flags on the builder, which in GitLab’s API defaults to "all visible repos"
 }
 }
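Review bot: The `--gitlab-repo-type` default flips from `GitLabRepoType::All` to `GitLabRepoType::Owner` in the inputs.rs hunk, but neither the commit subject nor the 1.37.0 changelog entry mentions a default change, and PATCH 3/3 of this same series flips it straight back. Suggest dropping this hunk together with the PATCH 3/3 revert before merging, so the history does not carry an intermediate commit whose default silently narrows the scan scope for anyone who bisects onto it. If the narrower default is ever intended, it needs its own changelog line and a doc comment on the field, e.g. `/// Which GitLab projects to enumerate; see RepoType for the filter each value applies.`.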
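Review bot: The replacement comment in the `RepoType::All` arm of the gitlab.rs hunk is a single line well past 100 columns and uses typographic apostrophes (`doesn’t`, `GitLab’s`), unlike the surrounding ASCII comments, and it states the GitLab API default as a fact without a pointer to where that is documented. Suggest wrapping it and describing what this code does rather than what the API does, e.g. `// No owned()/membership() filter is applied here, so the request` / `// returns every project visible to the token (per the GitLab projects API).`. The body of `enumerate_repo_urls` starts and ends outside the hunk.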
@@ -137,6 +137,8 @@ pub async fn enumerate_repo_urls(
 for group in groups {
 let mut gp_builder = GroupProjects::builder();
 gp_builder.group(group.id);
+ // Ensure projects from nested subgroups are also enumerated
+ gp_builder.include_subgroups(true);
 if matches!(repo_specifiers.repo_filter, RepoType::Owner) {
 gp_builder.owned(true);
From 96a08ed8ede9fc41f5a3ae0966034937745aaae0 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Fri, 8 Aug 2025 15:11:44 -0700
Subject: [PATCH 2/3] GitLab: include nested subgroup projects when enumerating group repositories
---
 src/gitlab.rs | 2 +-
 tests/int_rules_no_validated_findings.rs | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/gitlab.rs b/src/gitlab.rs
index dc0915a..c0a85e2 100644
--- a/src/gitlab.rs
+++ b/src/gitlab.rs
@@ -103,7 +103,7 @@ pub async fn enumerate_repo_urls(
 // this doesn’t set any owned() or membership() flags on the builder, which in GitLab’s API defaults to "all visible repos"
 }
 }
-
+
 // Extract the builder to a separate variable to avoid borrowing a temporary,
 // allowing us to modify its fields before building the endpoint.
 let projects_ep = builder.build()?;
diff --git a/tests/int_rules_no_validated_findings.rs b/tests/int_rules_no_validated_findings.rs
index a6d171d..01a6ad9 100644
--- a/tests/int_rules_no_validated_findings.rs
+++ b/tests/int_rules_no_validated_findings.rs
@@ -61,11 +61,7 @@ fn scan_rules_has_no_validated_findings() -> Result<()> {
 }
 // Fail only on genuinely validated secrets
- assert_ne!(
- &status,
- "active credential",
- "Validated finding detected in rule {rule_id}"
- );
+ assert_ne!(&status, "active credential", "Validated finding detected in rule {rule_id}");
 }
 Ok(())
From b0ce44f7092f2aa3f5b56d8a0a6d38dca41b876e Mon Sep 17 00:00:00 2001
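Review bot: `gp_builder.include_subgroups(true)` widens every group scan to the whole descendant tree, so if `groups` can already hold a subgroup alongside one of its ancestors (a user naming both, or a group listing that returns descendants) the same project is now returned once per ancestor; unless the URL collection further down already dedups, that means repeated clone/scan work and duplicate findings. Consider collecting the URLs into a `HashSet`/`BTreeSet`, or `sort()` + `dedup()` the final `Vec`, before returning. Since the `RepoType::All` arm sets no `owned()`/`membership()` filter, the token now also enumerates subgroup projects the user is not a member of; that is presumably intended for a secret scanner, but it deserves a sentence in the `--gitlab-repo-type` help text and in the changelog line. The body of `enumerate_repo_urls` starts and ends outside the hunk, so the push site for the URLs is not visible here.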
From: Mick Grove
Date: Fri, 8 Aug 2025 15:12:33 -0700
Subject: [PATCH 3/3] GitLab: include nested subgroup projects when enumerating group repositories
---
 src/cli/commands/inputs.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cli/commands/inputs.rs b/src/cli/commands/inputs.rs
index 13bc78b..2249640 100644
--- a/src/cli/commands/inputs.rs
+++ b/src/cli/commands/inputs.rs
@@ -85,7 +85,7 @@ pub struct InputSpecifierArgs {
 )]
 pub gitlab_api_url: Url,
-#[arg(long, default_value_t = GitLabRepoType::Owner)]
+#[arg(long, default_value_t = GitLabRepoType::All)]
 pub gitlab_repo_type: GitLabRepoType,
 /// Jira base URL (e.g. https://jira.example.com)