Fix shallow file scans when merge base objects are missing

[lawrence3699]

Description:

Fixes #4895.

When trufflehog git file://... --since-commit <base> --branch <head> runs against a shallow local clone, normalizeConfig can fail while resolving the merge base because the common ancestor object is not present locally.

In that case, Git can still enumerate the head-side commits to scan, so this change keeps the resolved base ref instead of aborting the scan when MergeBase returns plumbing.ErrObjectNotFound.

The new regression test covers the shallow file:// path end to end and asserts that the scan still reports the feature-side change without pulling in the main-only commit.

Checklist:

• Tests passing (go test ./pkg/sources/git -run TestScanRepo_ShallowLocalCloneWithBranchBaseRef -count=1, go test ./pkg/sources/git -run 'Test(GitConfigSanitization|ScanRepo_ShallowLocalCloneWithBranchBaseRef|GitConfigSanitizationWithBareRepo|GitConfigSecurityIsolation|GitConfigSanitizationWithStagedChanges|PrepareRepoErrorPaths|NormalizeFileURI|PrepareRepoWithNormalization|PrepareRepoWithNormalizationBare)$' -count=1, go test ./pkg/sources/git -run 'TestSource_Chunks_Integration/remote repo, main ahead of branch' -count=1)
• Lint passing (./scripts/lint.sh)

---

Note

Medium Risk
Changes commit-range normalization for --since-commit scans: shallow clones that can’t load merge-base objects will now continue with the resolved base ref, which could subtly affect which commits are included/excluded. Covered by a new end-to-end regression test for shallow file:// clones.

Overview
Fixes shallow local file:// scans where normalizeConfig previously aborted if MergeBase failed with plumbing.ErrObjectNotFound; it now treats this as non-fatal and proceeds using the resolved base ref.

Adds TestScanRepo_ShallowLocalCloneWithBranchBaseRef to reproduce the CI-style shallow clone scenario and assert the scan still reports feature-branch content without pulling in main-only commits.

^{Reviewed by Cursor Bugbot for commit 5c91e5a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

Fixes failures when scanning shallow local file:// git clones with --since-commit <base> --branch <head> by not aborting when the merge-base object is missing locally (but commit enumeration from head is still possible).

Changes:

• Treat plumbing.ErrObjectNotFound from MergeBase during normalizeConfig as non-fatal and continue with the resolved base ref/hash.
• Add an end-to-end regression test that builds a shallow local clone scenario and asserts scanning finds feature-branch content without pulling in main-only content.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
pkg/sources/git/git.go	Continue scanning when merge-base resolution fails due to missing objects in shallow clones.
pkg/sources/git/git_test.go	Add regression coverage for shallow local file:// clone scanning with base/head branch refs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[svenXY]

is there maybe already a docker image of this branch that I could use to test?

[MuneebUllahKhan222]

Hi @lawrence3699,
Thank-you for the contribution.
Can you please resolve the comments pointed out by copilot in the meanwhile, I will discuss more regarding this issue with the rest of the truffle team.