Titus not searching old git commits

[caelin-kail]

Hi team,

I ran titus scan --git --include-hidden --git --extract all and noticed that an AWS credential that was stored in a previous commit was not included in the titus report.

I ran noseyparker scan against the same cloned repo and was able to see the exposed AWS credential.

Am I missing a flag or is there a change in the detection logic?

[caelin-kail]

The --git flag only scans the current working tree, not the full git history. The underlying functionality exists but isn't exposed through the CLI.

Evidence:

cmd/titus/scan.go (Line 48):
scanCmd.Flags().BoolVar(&scanGit, "git", false, "Treat target as git repository (enumerate git history)")

The flag description claims it enumerates git history, but it doesn't actually do this.

cmd/titus/scan.go (Lines 481-482):
if useGit {
return enum.NewGitEnumerator(config), nil // WalkAll defaults to false
}

Creates GitEnumerator without enabling history scanning - WalkAll defaults to false.

pkg/enum/git.go shows the capability exists:

Lines 19-20:
// WalkAll when true walks all commits from all refs instead of single commit
WalkAll bool

Lines 33-36:
if e.WalkAll {
return e.enumerateAllHistory(ctx, callback)
}
return e.enumerateSingleCommit(ctx, callback)

Lines 131-228 contain a complete enumerateAllHistory() implementation with proper deduplication.

The test suite proves this works - pkg/enum/git_test.go:388-484:

Line 466: enumerator.WalkAll = true enables full history
Lines 481-483: Successfully finds 3 unique blobs including deleted files across multiple commits
Fix Required:

Add these flags to cmd/titus/scan.go:

// Around line 48
scanGitAllHistory bool
scanGitRef string

// Around line 77
scanCmd.Flags().BoolVar(&scanGitAllHistory, "git-all-history", false, "Scan all commits from all refs (requires --git)")
scanCmd.Flags().StringVar(&scanGitRef, "git-ref", "HEAD", "Specific git ref to scan (requires --git)")

// Around line 481
if useGit {
gitEnum := enum.NewGitEnumerator(config)
gitEnum.WalkAll = gitAllHistory
gitEnum.CommitRef = gitRef
return gitEnum, nil
}

[michaelweber]

Yup, this was a bug. There's a PR in to fix it now, the next release will have it. Fixed in #81.