From c4110d27ca7a903b9c5116862421da44af97b339 Mon Sep 17 00:00:00 2001
From: sangnn
Date: Tue, 23 Jun 2026 02:43:01 +0000
Subject: [PATCH] ci: scan range histories

---
 .gitea/workflows/pr-security-check.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/pr-security-check.yml b/.gitea/workflows/pr-security-check.yml
index 1f5353e..bdd44ea 100644
--- a/.gitea/workflows/pr-security-check.yml
+++ b/.gitea/workflows/pr-security-check.yml
@@ -33,7 +33,11 @@ jobs:
           mv gitleaks /usr/local/bin/gitleaks
 
       - name: Run secret scan
-        run: gitleaks detect --source . --exit-code 1 --redact --verbose --log-level debug
+        # Scan only the commits this PR introduces (base..head), not the whole history.
+        run: |
+          gitleaks detect --source . \
+            --log-opts="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" \
+            --exit-code 1 --redact --verbose --log-level debug
 
 # ── 2. CVE scan ───────────────────────────────────────────────────────────────
   trivy:
-- 
2.52.0
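Review bot: The new `--log-opts` range fails open: on any trigger that is not a pull request both `github.event.pull_request.*.sha` expressions expand to empty strings, the option becomes `--log-opts=".."`, and gitleaks scans no commits and exits 0, whereas the replaced full-history scan had no such silent pass. The range also requires both commits to exist in the local clone, so unless the checkout step earlier in this job (outside the hunk) fetches full history or the base ref, `git log` will not resolve the base SHA; that cannot be confirmed from this hunk, so it is worth checking. I would pass the SHAs through `env:`, refuse to run when either is empty or not a known commit, and keep the gitleaks flags as they are. Interpolating `${{ }}` directly into `run:` is tolerable only because these values are commit hashes; moving them to `env:` makes that assumption explicit and keeps the script free of expression injection should the inputs ever change.
```yaml
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Fail closed: an empty or unfetched SHA would turn the range into an empty scan.
          if [ -z "$BASE_SHA" ] || [ -z "$HEAD_SHA" ]; then
            echo "PR base/head SHA unavailable; refusing to run an empty secret scan" >&2; exit 1
          fi
          git cat-file -e "${BASE_SHA}^{commit}" || { echo "base ${BASE_SHA} not present; fetch full history (fetch-depth: 0)" >&2; exit 1; }
          gitleaks detect --source . \
            --log-opts="${BASE_SHA}..${HEAD_SHA}" \
            --exit-code 1 --redact --verbose --log-level debug
```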