cycode 3.4.1.dev5__tar.gz → 3.4.2.dev1__tar.gz

{cycode-3.4.1.dev5 → cycode-3.4.2.dev1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cycode
-Version: 3.4.1.dev5
+Version: 3.4.2.dev1
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 Home-page: https://github.com/cycodehq/cycode-cli
 License: MIT
@@ -277,7 +277,7 @@ Perform the following steps to install the pre-commit hook:
     ```yaml
     repos:
       - repo: https://github.com/cycodehq/cycode-cli
-        rev: v3.2.0
+        rev: v3.4.2
         hooks:
           - id: cycode
             stages:
@@ -289,7 +289,7 @@ Perform the following steps to install the pre-commit hook:
     ```yaml
     repos:
       - repo: https://github.com/cycodehq/cycode-cli
-        rev: v3.2.0
+        rev: v3.4.2
         hooks:
           - id: cycode
             stages:

{cycode-3.4.1.dev5 → cycode-3.4.2.dev1}/README.md

@@ -233,7 +233,7 @@ Perform the following steps to install the pre-commit hook:
     ```yaml
     repos:
       - repo: https://github.com/cycodehq/cycode-cli
-        rev: v3.2.0
+        rev: v3.4.2
         hooks:
           - id: cycode
             stages:
@@ -245,7 +245,7 @@ Perform the following steps to install the pre-commit hook:
     ```yaml
     repos:
       - repo: https://github.com/cycodehq/cycode-cli
-        rev: v3.2.0
+        rev: v3.4.2
         hooks:
           - id: cycode
             stages:

cycode-3.4.2.dev1/cycode/__init__.py

@@ -0,0 +1 @@
+__version__ = '3.4.2.dev1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-3.4.1.dev5 → cycode-3.4.2.dev1}/cycode/cli/apps/scan/commit_range_scanner.py

@@ -25,6 +25,7 @@ from cycode.cli.files_collector.commit_range_documents import (
     get_diff_file_content,
     get_diff_file_path,
     get_pre_commit_modified_documents,
+    get_safe_head_reference_for_diff,
     parse_commit_range_sast,
     parse_commit_range_sca,
 )
@@ -271,7 +272,9 @@ def _scan_sca_pre_commit(ctx: typer.Context, repo_path: str) -> None:
 
 def _scan_secret_pre_commit(ctx: typer.Context, repo_path: str) -> None:
     progress_bar = ctx.obj['progress_bar']
-    diff_index = git_proxy.get_repo(repo_path).index.diff(consts.GIT_HEAD_COMMIT_REV, create_patch=True, R=True)
+    repo = git_proxy.get_repo(repo_path)
+    head_reference = get_safe_head_reference_for_diff(repo)
+    diff_index = repo.index.diff(head_reference, create_patch=True, R=True)
 
     progress_bar.set_section_length(ScanProgressBarSection.PREPARE_LOCAL_FILES, len(diff_index))
 
@@ -279,7 +282,11 @@ def _scan_secret_pre_commit(ctx: typer.Context, repo_path: str) -> None:
     for diff in diff_index:
         progress_bar.update(ScanProgressBarSection.PREPARE_LOCAL_FILES)
         documents_to_scan.append(
-            Document(get_path_by_os(get_diff_file_path(diff)), get_diff_file_content(diff), is_git_diff_format=True)
+            Document(
+                get_path_by_os(get_diff_file_path(diff, repo=repo)),
+                get_diff_file_content(diff),
+                is_git_diff_format=True,
+            )
         )
     documents_to_scan = excluder.exclude_irrelevant_documents_to_scan(consts.SECRET_SCAN_TYPE, documents_to_scan)
 

{cycode-3.4.1.dev5 → cycode-3.4.2.dev1}/cycode/cli/consts.py

@@ -261,6 +261,7 @@ SCAN_STATUS_ERROR = 'Error'
 # git consts
 COMMIT_DIFF_DELETED_FILE_CHANGE_TYPE = 'D'
 GIT_HEAD_COMMIT_REV = 'HEAD'
+GIT_EMPTY_TREE_OBJECT = '4b825dc642cb6eb9a060e54bf8d69288fbee4904'
 EMPTY_COMMIT_SHA = '0000000000000000000000000000000000000000'
 GIT_PUSH_OPTION_COUNT_ENV_VAR_NAME = 'GIT_PUSH_OPTION_COUNT'
 GIT_PUSH_OPTION_ENV_VAR_PREFIX = 'GIT_PUSH_OPTION_'

{cycode-3.4.1.dev5 → cycode-3.4.2.dev1}/cycode/cli/files_collector/commit_range_documents.py

@@ -22,6 +22,31 @@ if TYPE_CHECKING:
 logger = get_logger('Commit Range Collector')
 
 
+def get_safe_head_reference_for_diff(repo: 'Repo') -> str:
+    """Get a safe reference to use for diffing against the current HEAD.
+    In repositories with no commits, HEAD doesn't exist, so we return the empty tree hash.
+
+    Args:
+        repo: Git repository object
+
+    Returns:
+        Either "HEAD" string if commits exist, or empty tree hash if no commits exist
+    """
+    try:
+        repo.rev_parse(consts.GIT_HEAD_COMMIT_REV)
+        return consts.GIT_HEAD_COMMIT_REV
+    except Exception as e:  # actually gitdb.exc.BadObject; no import because of lazy loading
+        logger.debug(
+            'Repository has no commits, using empty tree hash for diffs, %s',
+            {'repo_path': repo.working_tree_dir},
+            exc_info=e,
+        )
+
+        # Repository has no commits, use the universal empty tree hash
+        # This is the standard Git approach for initial commits
+        return consts.GIT_EMPTY_TREE_OBJECT
+
+
 def _does_reach_to_max_commits_to_scan_limit(commit_ids: list[str], max_commits_count: Optional[int]) -> bool:
     if max_commits_count is None:
         return False
@@ -62,7 +87,7 @@ def collect_commit_range_diff_documents(
         for diff in diff_index:
             commit_documents_to_scan.append(
                 Document(
-                    path=get_path_by_os(get_diff_file_path(diff)),
+                    path=get_path_by_os(get_diff_file_path(diff, repo=repo)),
                     content=get_diff_file_content(diff),
                     is_git_diff_format=True,
                     unique_id=commit_id,
@@ -141,7 +166,7 @@ def get_commit_range_modified_documents(
     for diff in modified_files_diff:
         progress_bar.update(progress_bar_section)
 
-        file_path = get_path_by_os(get_diff_file_path(diff))
+        file_path = get_path_by_os(get_diff_file_path(diff, repo=repo))
 
         diff_documents.append(
             Document(
@@ -186,16 +211,24 @@ def parse_pre_receive_input() -> str:
     return pre_receive_input.splitlines()[0]
 
 
-def get_diff_file_path(diff: 'Diff', relative: bool = False) -> Optional[str]:
+def get_diff_file_path(diff: 'Diff', relative: bool = False, repo: Optional['Repo'] = None) -> Optional[str]:
     if relative:
         # relative to the repository root
         return diff.b_path if diff.b_path else diff.a_path
 
+    # Try blob-based paths first (most reliable when available)
     if diff.b_blob:
         return diff.b_blob.abspath
     if diff.a_blob:
         return diff.a_blob.abspath
 
+    # Fallback: construct an absolute path from a relative path
+    # This handles renames and other cases where blobs might be None
+    if repo and repo.working_tree_dir:
+        target_path = diff.b_path if diff.b_path else diff.a_path
+        if target_path:
+            return os.path.abspath(os.path.join(repo.working_tree_dir, target_path))
+
     return None
 
 
@@ -213,12 +246,13 @@ def get_pre_commit_modified_documents(
     diff_documents = []
 
     repo = git_proxy.get_repo(repo_path)
-    diff_index = repo.index.diff(consts.GIT_HEAD_COMMIT_REV, create_patch=True, R=True)
+    head_reference = get_safe_head_reference_for_diff(repo)
+    diff_index = repo.index.diff(head_reference, create_patch=True, R=True)
     progress_bar.set_section_length(progress_bar_section, len(diff_index))
     for diff in diff_index:
         progress_bar.update(progress_bar_section)
 
-        file_path = get_path_by_os(get_diff_file_path(diff))
+        file_path = get_path_by_os(get_diff_file_path(diff, repo=repo))
 
         diff_documents.append(
             Document(
@@ -228,9 +262,11 @@ def get_pre_commit_modified_documents(
             )
         )
 
-        file_content = _get_file_content_from_commit_diff(repo, consts.GIT_HEAD_COMMIT_REV, diff)
-        if file_content:
-            git_head_documents.append(Document(file_path, file_content))
+        # Only get file content from HEAD if HEAD exists (not the empty tree hash)
+        if head_reference == consts.GIT_HEAD_COMMIT_REV:
+            file_content = _get_file_content_from_commit_diff(repo, head_reference, diff)
+            if file_content:
+                git_head_documents.append(Document(file_path, file_content))
 
         if os.path.exists(file_path):
             file_content = get_file_content(file_path)
@@ -274,13 +310,13 @@ def parse_commit_range_sast(commit_range: str, path: str) -> tuple[Optional[str]
     else:
         # Git commands like 'git diff <commit>' compare against HEAD.
         from_spec = commit_range
-        to_spec = 'HEAD'
+        to_spec = consts.GIT_HEAD_COMMIT_REV
 
     # If a spec is empty (e.g., from '..master'), default it to 'HEAD'
     if not from_spec:
-        from_spec = 'HEAD'
+        from_spec = consts.GIT_HEAD_COMMIT_REV
     if not to_spec:
-        to_spec = 'HEAD'
+        to_spec = consts.GIT_HEAD_COMMIT_REV
 
     try:
         # Use rev_parse to resolve each specifier to its full commit SHA

{cycode-3.4.1.dev5 → cycode-3.4.2.dev1}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "cycode"
-version = "3.4.1.dev5" # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+version = "3.4.2.dev1" # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
 description = "Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning."
 keywords=["secret-scan", "cycode", "devops", "token", "secret", "security", "cycode", "code"]
 authors = ["Cycode <support@cycode.com>"]

cycode-3.4.1.dev5/cycode/__init__.py

@@ -1 +0,0 @@
-__version__ = '3.4.1.dev5'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag