Skip to content

feat(source/gitlab): support glob patterns in repositories field #4581

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
amanfcp wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat(source/gitlab): support glob patterns in repositories field #4581

amanfcp wants to merge 3 commits into from
+448 −70

Conversation

@amanfcp
Copy link
Contributor

@amanfcp amanfcp commented Dec 4, 2025
edited
Loading

Description:

Add support for glob patterns in the repositories field, allowing flexible repository matching alongside explicit URLs. Refactors repository resolution logic into resolveRepositories() to eliminate duplication between Chunks() and Enumerate(), improving maintainability and consistency.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@amanfcp amanfcp requested a review from a team December 4, 2025 08:15
@amanfcp amanfcp requested a review from a team as a code owner December 4, 2025 08:15
mustansir14
mustansir14 reviewed Dec 8, 2025
View reviewed changes
pkg/sources/gitlab/gitlab.go
Comment on lines +1031 to +1038
// resolveRepositories determines which repositories to scan based on s.repos configuration.
// It handles three cases:
// 1. Glob patterns (e.g., "org/*"): enumerates all projects and filters using patterns
// 2. Explicit URLs: normalizes and reports directly without enumeration
// 3. Empty: enumerates all projects using includeRepos/ignoreRepos filters
//
// All discovered repositories are reported via reporter.UnitOk().
func (s *Source) resolveRepositories(
Copy link
Contributor

@mustansir14 mustansir14 Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the implementation for includeRepos, it looks pretty straightforward where we directly pass in the s.includeRepos slice to buildIgnorer. Why can't we do the same with repos? Why do we need to handle all these cases separately? Is there any context I'm missing here?

Copy link
Contributor Author

@amanfcp amanfcp Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question! Here's what I've understood since working on this:

includeRepos:

  • Always a filter on enumerated projects
  • Assumes you're scanning "everything with filters"
  • Always calls listProjects() then filters results

repos:

  • Can be explicit URLs OR glob patterns
  • Supports 3 distinct modes:
    a. Explicit URLs only - Use directly, no enumeration needed
    b. Glob patterns - Enumerate projects and filter
    c. Mixed - Enumerate for globs, use explicit URLs directly

kashifkhan0771
kashifkhan0771 reviewed Dec 11, 2025
View reviewed changes
Copy link
Contributor

@kashifkhan0771 kashifkhan0771 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One recommendation is to keep the GitLab source behavior consistent with GitHub. Users should not be allowed to use --repo together with --org. The --include-repo flag should only be valid when used with --org or --group-id (GitLab only), as its description states: "Repositories to include in an org scan."

Ideally, this is the best approach because glob patterns should only apply to repositories within an organization or group. The user specifies an org or group and then defines which repositories matching the glob pattern should be scanned. This keeps GitLab consistent with the GitHub source and simplifies the implementation.

@kashifkhan0771
Copy link
Contributor

kashifkhan0771 commented Dec 11, 2025

One recommendation is to keep the GitLab source behavior consistent with GitHub. Users should not be allowed to use --repo together with --org. The --include-repo flag should only be valid when used with --org or --group-id (GitLab only), as its description states: "Repositories to include in an org scan."

Ideally, this is the best approach because glob patterns should only apply to repositories within an organization or group. The user specifies an org or group and then defines which repositories matching the glob pattern should be scanned. This keeps GitLab consistent with the GitHub source and simplifies the implementation.

After this the flow will be like:

  • List all repositories inside org or group
  • Run all through the glob patterns provided in --include-repos if any
  • Make a new list of repositories which by pass the filters
  • Pass those to scan.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mustansir14 mustansir14 mustansir14 left review comments

@kashifkhan0771 kashifkhan0771 kashifkhan0771 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@amanfcp @kashifkhan0771 @mustansir14