gitleaks-action icon indicating copy to clipboard operation
gitleaks-action copied to clipboard
verified publisher icon gitleaks

Value of argument "first-parent" causing error [fatal: ambiguous argument]

Open t217145 opened this issue 4 months ago • 1 comments

When execute gitleaks in GitHub Actions pipeline triggered by Pull Request in main / master branch, there will be an argument "first-parent" with a long hash / string.

gitleaks detect --redact -v --exit-code=2 --report-format=sarif --report-path=results.sarif --log-level=debug --log-opts=--no-merges --first-parent 285152a60a0fc48c328c090a59e73dee6732386c^..e03be20820e328exxxxxxxxf2cbfc

This argument does not exist when push to non master / main branch, or just push code to any branch. It only exists when merge to main / master. But it will fail with following reason

ERR [git] fatal: ambiguous argument '285152a60a0fc48c328c090a59e73dee6732386c^..e03be20820e328exxxxxxxxf2cbfc': unknown revision or path not in the working tree.

May I ask how this can be resolved.

Thank you.

Here are the log:

`Sent 2682970 of 2682970 (100.0%), 22.2 MBs/sec event type: pull_request gitleaks cmd: gitleaks detect --redact -v --exit-code=2 --report-format=sarif --report-path=results.sarif --log-level=debug --log-opts=--no-merges --first-parent 285152a60a0fc48c328c090a59e73dee6732386c^..e03be20820e328exxxxxxxxf2cbfc /tmp/gitleaks-8.16.1/gitleaks detect --redact -v --exit-code=2 --report-format=sarif --report-path=results.sarif --log-level=debug --log-opts=--no-merges --first-parent 285152a60a0fc48c328c090a59e73dee6732386c^..e03be20820e328exxxxxxxxf2cbfc

○
│╲
│ ○
○ ░
░    gitleaks

6:51AM DBG using gitleaks config from GITLEAKS_CONFIG env var: ./gitleaks.toml 6:51AM DBG executing: /usr/bin/git -C . log -p -U0 --no-merges --first-parent 285152a60a0fc48c328c090a59e73dee6732386c^..e03be20820e328exxxxxxxxf2cbfc 6:51AM ERR [git] fatal: ambiguous argument '285152a60a0fc48c328c090a59e73dee6732386c^..e03be20820e328exxxxxxxxf2cbfc': unknown revision or path not in the working tree. 6:51AM ERR [git] Use '--' to separate paths from revisions, like this: 6:51AM ERR [git] 'git [...] -- [...]' 6:51AM INF 0 commits scanned. 6:51AM DBG Note: this number might be smaller than expected due to commits with no additions 6:51AM ERR error="git error encountered, see logs" 6:51AM WRN partial scan completed in 63.9ms 6:51AM WRN no leaks found in partial scan`

t217145 avatar Oct 21 '25 06:10 t217145

I see the exact same thing

gemal avatar Oct 24 '25 08:10 gemal

Remember to add option fetch-depth: 0 in actions/checkout. See example

khaitranhq avatar Nov 16 '25 08:11 khaitranhq

adding fetch-depth: 0 increased my runtime of that action from 30 seconds to 11 minutes :(

gemal avatar Nov 17 '25 14:11 gemal