Merge remote-tracking branch 'upstream/main'

Author: amitmoskovitz

.github/workflows/docker-image.yml

@@ -64,6 +64,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
+        if: ${{ github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') }}
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}

Dockerfile

@@ -1,6 +1,6 @@
 FROM python:3.12.9-alpine3.21 AS base
 WORKDIR /usr/cycode/app
-RUN apk add git=2.47.2-r0
+RUN apk add git=2.47.3-r0
 
 FROM base AS builder
 ENV POETRY_VERSION=1.8.3

README.md

@@ -35,7 +35,7 @@ This guide walks you through both installation and usage.
         3. [Path Scan](#path-scan)
             1. [Terraform Plan Scan](#terraform-plan-scan)
         4. [Commit History Scan](#commit-history-scan)
-            1. [Commit Range Option](#commit-range-option)
+            1. [Commit Range Option (Diff Scanning)](#commit-range-option-diff-scanning)
         5. [Pre-Commit Scan](#pre-commit-scan)
     2. [Scan Results](#scan-results)
         1. [Show/Hide Secrets](#showhide-secrets)
@@ -538,25 +538,26 @@ This information can be helpful when:
 
 The Cycode CLI application offers several types of scans so that you can choose the option that best fits your case. The following are the current options and commands available:
 
-| Option                                                     | Description                                                                                                            |
-|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
-| `-t, --scan-type [secret\|iac\|sca\|sast]`                 | Specify the scan you wish to execute (`secret`/`iac`/`sca`/`sast`), the default is `secret`.                           |
-| `--show-secret BOOLEAN`                                    | Show secrets in plain text. See [Show/Hide Secrets](#showhide-secrets) section for more details.                       |
-| `--soft-fail BOOLEAN`                                      | Run scan without failing, always return a non-error status code. See [Soft Fail](#soft-fail) section for more details. |
-| `--severity-threshold [INFO\|LOW\|MEDIUM\|HIGH\|CRITICAL]` | Show only violations at the specified level or higher.                                                                 |
-| `--sca-scan`                                               | Specify the SCA scan you wish to execute (`package-vulnerabilities`/`license-compliance`). The default is both.        |
-| `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                           |
-| `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                        |
-| `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                      |
-| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from the project root directory ONLY!              |
-| `--help`                                                   | Show options for given command.                                                                                        |
-
-| Command                                | Description                                                     |
-|----------------------------------------|-----------------------------------------------------------------|
-| [commit-history](#commit-history-scan) | Scan all the commits history in this git repository             |
-| [path](#path-scan)                     | Scan the files in the path supplied in the command              |
-| [pre-commit](#pre-commit-scan)         | Use this command to scan the content that was not committed yet |
-| [repository](#repository-scan)         | Scan git repository including its history                       |
+| Option                                                     | Description                                                                                                                      |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
+| `-t, --scan-type [secret\|iac\|sca\|sast]`                 | Specify the scan you wish to execute (`secret`/`iac`/`sca`/`sast`), the default is `secret`.                                     |
+| `--show-secret BOOLEAN`                                    | Show secrets in plain text. See [Show/Hide Secrets](#showhide-secrets) section for more details.                                 |
+| `--soft-fail BOOLEAN`                                      | Run scan without failing, always return a non-error status code. See [Soft Fail](#soft-fail) section for more details.           |
+| `--severity-threshold [INFO\|LOW\|MEDIUM\|HIGH\|CRITICAL]` | Show only violations at the specified level or higher.                                                                           |
+| `--sca-scan`                                               | Specify the SCA scan you wish to execute (`package-vulnerabilities`/`license-compliance`). The default is both.                  |
+| `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                                     |
+| `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                                  |
+| `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                                |
+| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from                                                         |
+| `--maven-settings-file`                                    | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when scanning for dependencies |
+| `--help`                                                   | Show options for given command.                                                                                                  |
+
+| Command                                | Description                                                           |
+|----------------------------------------|-----------------------------------------------------------------------|
+| [commit-history](#commit-history-scan) | Scan commit history or perform diff scanning between specific commits |
+| [path](#path-scan)                     | Scan the files in the path supplied in the command                    |
+| [pre-commit](#pre-commit-scan)         | Use this command to scan the content that was not committed yet       |
+| [repository](#repository-scan)         | Scan git repository including its history                             |
 
 ### Options
 
@@ -700,9 +701,16 @@ If you just have a configuration file, you can generate a plan by doing the foll
 ### Commit History Scan
 
 > [!NOTE]
-> Secrets scanning analyzes all commits in the repository history because secrets introduced and later removed can still be leaked or exposed. SCA and SAST scanning focus only on the latest code state and the changes between branches or pull requests. Full commit history scanning is not performed for SCA and SAST.
+> Commit History Scan is not available for IaC scans.
 
-A commit history scan is limited to a local repository’s previous commits, focused on finding any secrets within the commit history, instead of examining the repository’s current state.
+The commit history scan command provides two main capabilities:
+
+1. **Full History Scanning**: Analyze all commits in the repository history
+2. **Diff Scanning**: Scan only the changes between specific commits
+
+Secrets scanning can analyze all commits in the repository history because secrets introduced and later removed can still be leaked or exposed. For SCA and SAST scans, the commit history command focuses on scanning the differences/changes between commits, making it perfect for pull request reviews and incremental scanning.
+
+A commit history scan examines your Git repository's commit history and can be used both for comprehensive historical analysis and targeted diff scanning of specific changes.
 
 To execute a commit history scan, execute the following:
 
@@ -718,13 +726,55 @@ The following options are available for use with this command:
 |---------------------------|----------------------------------------------------------------------------------------------------------|
 | `-r, --commit-range TEXT` | Scan a commit range in this git repository, by default cycode scans all commit history (example: HEAD~1) |
 
-#### Commit Range Option
+#### Commit Range Option (Diff Scanning)
+
+The commit range option enables **diff scanning** – scanning only the changes between specific commits instead of the entire repository history. 
+This is particularly useful for:
+- **Pull request validation**: Scan only the changes introduced in a PR
+- **Incremental CI/CD scanning**: Focus on recent changes rather than the entire codebase  
+- **Feature branch review**: Compare changes against main/master branch
+- **Performance optimization**: Faster scans by limiting scope to relevant changes
+
+#### Commit Range Syntax
+
+The `--commit-range` (`-r`) option supports standard Git revision syntax:
+
+| Syntax              | Description                       | Example                 |
+|---------------------|-----------------------------------|-------------------------|
+| `commit1..commit2`  | Changes from commit1 to commit2   | `abc123..def456`        |
+| `commit1...commit2` | Changes in commit2 not in commit1 | `main...feature-branch` |
+| `commit`            | Changes from commit to HEAD       | `HEAD~1`                |
+| `branch1..branch2`  | Changes from branch1 to branch2   | `main..feature-branch`  |
+
+#### Diff Scanning Examples
+
+**Scan changes in the last commit:**
+```bash
+cycode scan commit-history -r HEAD~1 ~/home/git/codebase
+```
+
+**Scan changes between two specific commits:**
+```bash
+cycode scan commit-history -r abc123..def456 ~/home/git/codebase
+```
 
-The commit history scan, by default, examines the repository’s entire commit history, all the way back to the initial commit. You can instead limit the scan to a specific commit range by adding the argument `--commit-range` (`-r`) followed by the name you specify.
+**Scan changes in your feature branch compared to main:**
+```bash
+cycode scan commit-history -r main..HEAD ~/home/git/codebase
+```
 
-Consider the previous example. If you wanted to scan only specific commits in your repository, you could execute the following:
+**Scan changes between main and a feature branch:**
+```bash
+cycode scan commit-history -r main..feature-branch ~/home/git/codebase
+```
 
-`cycode scan commit-history -r {{from-commit-id}}...{{to-commit-id}} ~/home/git/codebase`
+**Scan all changes in the last 3 commits:**
+```bash
+cycode scan commit-history -r HEAD~3..HEAD ~/home/git/codebase
+```
+
+> [!TIP]
+> For CI/CD pipelines, you can use environment variables like `${{ github.event.pull_request.base.sha }}..${{ github.sha }}` (GitHub Actions) or `$CI_MERGE_REQUEST_TARGET_BRANCH_SHA..$CI_COMMIT_SHA` (GitLab CI) to scan only PR/MR changes.
 
 ### Pre-Commit Scan
 

cycode/cli/apps/scan/__init__.py

@@ -20,7 +20,7 @@
 
 app.command(name='path', short_help='Scan the files in the paths provided in the command.')(path_command)
 app.command(name='repository', short_help='Scan the Git repository included files.')(repository_command)
-app.command(name='commit-history', short_help='Scan all the commits history in this Git repository.')(
+app.command(name='commit-history', short_help='Scan commit history or perform diff scanning between specific commits.')(
     commit_history_command
 )
 app.command(

cycode/cli/apps/scan/remote_url_resolver.py

@@ -99,17 +99,46 @@ def _try_to_get_plastic_remote_url(path: str) -> Optional[str]:
 
 def _try_get_git_remote_url(path: str) -> Optional[str]:
     try:
-        remote_url = git_proxy.get_repo(path).remotes[0].config_reader.get('url')
-        logger.debug('Found Git remote URL, %s', {'remote_url': remote_url, 'path': path})
+        repo = git_proxy.get_repo(path, search_parent_directories=True)
+        remote_url = repo.remotes[0].config_reader.get('url')
+        logger.debug('Found Git remote URL, %s', {'remote_url': remote_url, 'repo_path': repo.working_dir})
         return remote_url
-    except Exception:
-        logger.debug('Failed to get Git remote URL. Probably not a Git repository')
+    except Exception as e:
+        logger.debug('Failed to get Git remote URL. Probably not a Git repository', exc_info=e)
         return None
 
 
-def try_get_any_remote_url(path: str) -> Optional[str]:
+def _try_get_any_remote_url(path: str) -> Optional[str]:
     remote_url = _try_get_git_remote_url(path)
     if not remote_url:
         remote_url = _try_to_get_plastic_remote_url(path)
 
     return remote_url
+
+
+def get_remote_url_scan_parameter(paths: tuple[str, ...]) -> Optional[str]:
+    remote_urls = set()
+    for path in paths:
+        # FIXME(MarshalX): perf issue. This looping will produce:
+        #  - len(paths) Git subprocess calls in the worst case
+        #  - len(paths)*2 Plastic SCM subprocess calls
+        remote_url = _try_get_any_remote_url(path)
+        if remote_url:
+            remote_urls.add(remote_url)
+
+    if len(remote_urls) == 1:
+        # we are resolving remote_url only if all paths belong to the same repo (identical remote URLs),
+        # otherwise, the behavior is undefined
+        remote_url = remote_urls.pop()
+
+        logger.debug(
+            'Single remote URL found. Scan will be associated with organization, %s', {'remote_url': remote_url}
+        )
+        return remote_url
+
+    logger.debug(
+        'Multiple different remote URLs found. Scan will not be associated with organization, %s',
+        {'remote_urls': remote_urls},
+    )
+
+    return None

cycode/cli/apps/scan/scan_command.py

@@ -88,6 +88,16 @@ def scan_command(
             rich_help_panel=_SCA_RICH_HELP_PANEL,
         ),
     ] = False,
+    maven_settings_file: Annotated[
+        Optional[Path],
+        typer.Option(
+            '--maven-settings-file',
+            show_default=False,
+            help='When specified, Cycode will use this settings.xml file when building the maven dependency tree.',
+            dir_okay=False,
+            rich_help_panel=_SCA_RICH_HELP_PANEL,
+        ),
+    ] = None,
     export_type: Annotated[
         ExportTypeOption,
         typer.Option(
@@ -143,7 +153,10 @@ def scan_command(
     ctx.obj['sync'] = sync
     ctx.obj['severity_threshold'] = severity_threshold
     ctx.obj['monitor'] = monitor
+    ctx.obj['maven_settings_file'] = maven_settings_file
     ctx.obj['report'] = report
+    ctx.obj['gradle_all_sub_projects'] = gradle_all_sub_projects
+    ctx.obj['no_restore'] = no_restore
 
     scan_client = get_scan_cycode_client(ctx)
     ctx.obj['client'] = scan_client
@@ -156,8 +169,6 @@ def scan_command(
         console_printer = ctx.obj['console_printer']
         console_printer.enable_recording(export_type, export_file)
 
-    _ = no_restore, gradle_all_sub_projects  # they are actually used; via ctx.params
-
     _sca_scan_to_context(ctx, sca_scan)
 
 

cycode/cli/apps/scan/scan_parameters.py

@@ -1,9 +1,8 @@
-import os
 from typing import Optional
 
 import typer
 
-from cycode.cli.apps.scan.remote_url_resolver import try_get_any_remote_url
+from cycode.cli.apps.scan.remote_url_resolver import get_remote_url_scan_parameter
 from cycode.cli.utils.scan_utils import generate_unique_scan_id
 from cycode.logger import get_logger
 
@@ -29,18 +28,9 @@ def get_scan_parameters(ctx: typer.Context, paths: Optional[tuple[str, ...]] = N
 
     scan_parameters['paths'] = paths
 
-    if len(paths) != 1:
-        logger.debug('Multiple paths provided, going to ignore remote url')
-        return scan_parameters
-
-    if not os.path.isdir(paths[0]):
-        logger.debug('Path is not a directory, going to ignore remote url')
-        return scan_parameters
-
-    remote_url = try_get_any_remote_url(paths[0])
-    if remote_url:
-        # TODO(MarshalX): remove hardcode in context
-        ctx.obj['remote_url'] = remote_url
-        scan_parameters['remote_url'] = remote_url
+    remote_url = get_remote_url_scan_parameter(paths)
+    # TODO(MarshalX): remove hardcode in context
+    ctx.obj['remote_url'] = remote_url
+    scan_parameters['remote_url'] = remote_url
 
     return scan_parameters

cycode/cli/consts.py

@@ -72,6 +72,9 @@
     'package.json',
     'package-lock.json',
     'yarn.lock',
+    'deno.lock',
+    'deno.json',
+    'pnpm-lock.yaml',
     'npm-shrinkwrap.json',
     'packages.config',
     'project.assets.json',
@@ -102,7 +105,7 @@
     'conan.lock',
 )
 
-SCA_EXCLUDED_PATHS = (
+SCA_EXCLUDED_FOLDER_IN_PATH = (
     'node_modules',
     'venv',
     '.venv',
@@ -126,7 +129,16 @@
     'go': ['go.sum', 'go.mod', 'go.mod.graph', 'Gopkg.lock'],
     'maven_pom': ['pom.xml'],
     'maven_gradle': ['build.gradle', 'build.gradle.kts', 'gradle.lockfile'],
-    'npm': ['package.json', 'package-lock.json', 'yarn.lock', 'npm-shrinkwrap.json', '.npmrc'],
+    'npm': [
+        'package.json',
+        'package-lock.json',
+        'yarn.lock',
+        'npm-shrinkwrap.json',
+        '.npmrc',
+        'pnpm-lock.yaml',
+        'deno.lock',
+        'deno.json',
+    ],
     'nuget': ['packages.config', 'project.assets.json', 'packages.lock.json', 'nuget.config'],
     'ruby_gems': ['Gemfile', 'Gemfile.lock'],
     'sbt': ['build.sbt', 'build.scala', 'build.sbt.lock'],
@@ -268,10 +280,6 @@
 # Result: A -> ... -> C
 SCA_SHORTCUT_DEPENDENCY_PATHS = 2
 
-SCA_SKIP_RESTORE_DEPENDENCIES_FLAG = 'no-restore'
-
-SCA_GRADLE_ALL_SUB_PROJECTS_FLAG = 'gradle-all-sub-projects'
-
 PLASTIC_VCS_DATA_SEPARATOR = ':::'
 PLASTIC_VSC_CLI_TIMEOUT = 10
 PLASTIC_VCS_REMOTE_URI_PREFIX = 'plastic::'

cycode/cli/files_collector/commit_range_documents.py

@@ -193,7 +193,10 @@ def get_diff_file_path(diff: 'Diff', relative: bool = False) -> Optional[str]:
 
     if diff.b_blob:
         return diff.b_blob.abspath
-    return diff.a_blob.abspath
+    if diff.a_blob:
+        return diff.a_blob.abspath
+
+    return None
 
 
 def get_diff_file_content(diff: 'Diff') -> str:

cycode/cli/files_collector/file_excluder.py

@@ -1,3 +1,4 @@
+from pathlib import Path
 from typing import TYPE_CHECKING
 
 from cycode.cli import consts
@@ -40,11 +41,13 @@ def _does_document_exceed_max_size_limit(content: str) -> bool:
 
 
 def _is_file_relevant_for_sca_scan(filename: str) -> bool:
-    if any(sca_excluded_path in filename for sca_excluded_path in consts.SCA_EXCLUDED_PATHS):
-        logger.debug(
-            'The file is irrelevant because it is from the inner path of node_modules, %s', {'filename': filename}
-        )
-        return False
+    for part in Path(filename).parts:
+        if part in consts.SCA_EXCLUDED_FOLDER_IN_PATH:
+            logger.debug(
+                'The file is irrelevant because it is from an excluded directory, %s',
+                {'filename': filename, 'excluded_directory': part},
+            )
+            return False
 
     return True