improve default branch detection

Author: MarshalX

README.md

@@ -888,6 +888,22 @@ The pre-push hook:
 - For existing branches: scans only the new commits since the last push
 - Runs the same comprehensive scanning as other Cycode scan modes
 
+#### Smart Default Branch Detection
+
+The pre-push hook intelligently detects the default branch for merge base calculation using this priority order:
+
+1. **Environment Variable**: `CYCODE_DEFAULT_BRANCH` - allows manual override
+2. **Git Remote HEAD**: Uses `git symbolic-ref refs/remotes/origin/HEAD` to detect the actual remote default branch
+3. **Git Remote Info**: Falls back to `git remote show origin` if symbolic-ref fails
+4. **Hardcoded Fallbacks**: Uses common default branch names (origin/main, origin/master, main, master)
+
+**Setting a Custom Default Branch:**
+```bash
+export CYCODE_DEFAULT_BRANCH=origin/develop
+```
+
+This smart detection ensures the pre-push hook works correctly regardless of whether your repository uses `main`, `master`, `develop`, or any other default branch name.
+
 #### Skipping Pre-Push Scans
 
 To skip the pre-push scan for a specific push operation, use:

cycode/cli/consts.py

@@ -245,6 +245,7 @@
 DEFAULT_PRE_PUSH_MAX_COMMITS_TO_SCAN_COUNT = 50
 PRE_PUSH_COMMAND_TIMEOUT_ENV_VAR_NAME = 'PRE_PUSH_COMMAND_TIMEOUT'
 DEFAULT_PRE_PUSH_COMMAND_TIMEOUT_IN_SECONDS = 60
+CYCODE_DEFAULT_BRANCH_ENV_VAR_NAME = 'CYCODE_DEFAULT_BRANCH'
 # pre push and pre receive common
 PRE_RECEIVE_AND_PUSH_REMEDIATION_MESSAGE = """
 Cycode Secrets Push Protection

cycode/cli/files_collector/commit_range_documents.py

@@ -232,6 +232,62 @@ def parse_pre_push_input() -> str:
     return pre_push_input.splitlines()[0]
 
 
+def _get_default_branches_for_merge_base(repo: 'Repo') -> list[str]:
+    """Get a list of default branches to try for merge base calculation.
+
+    Priority order:
+    1. Environment variable CYCODE_DEFAULT_BRANCH
+    2. Git remote HEAD (git symbolic-ref refs/remotes/origin/HEAD)
+    3. Fallback to common default branch names
+
+    Args:
+        repo: Git repository object
+
+    Returns:
+        List of branch names to try for merge base calculation
+    """
+    default_branches = []
+
+    # 1. Check environment variable first
+    env_default_branch = os.getenv(consts.CYCODE_DEFAULT_BRANCH_ENV_VAR_NAME)
+    if env_default_branch:
+        logger.debug('Using default branch from environment variable: %s', env_default_branch)
+        default_branches.append(env_default_branch)
+
+    # 2. Try to get the actual default branch from remote HEAD
+    try:
+        remote_head = repo.git.symbolic_ref('refs/remotes/origin/HEAD')
+        # symbolic-ref returns something like "refs/remotes/origin/main"
+        if remote_head.startswith('refs/remotes/origin/'):
+            default_branch = remote_head.replace('refs/remotes/origin/', '')
+            logger.debug('Found remote default branch: %s', default_branch)
+            # Add both the remote tracking branch and local branch variants
+            default_branches.extend([f'origin/{default_branch}', default_branch])
+    except Exception as e:
+        logger.debug('Failed to get remote HEAD via symbolic-ref: %s', exc_info=e)
+
+        # Try an alternative method: git remote show origin
+        try:
+            remote_info = repo.git.remote('show', 'origin')
+            for line in remote_info.splitlines():
+                if 'HEAD branch:' in line:
+                    default_branch = line.split('HEAD branch:')[1].strip()
+                    logger.debug('Found default branch via remote show: %s', default_branch)
+                    default_branches.extend([f'origin/{default_branch}', default_branch])
+                    break
+        except Exception as e2:
+            logger.debug('Failed to get remote info via remote show: %s', exc_info=e2)
+
+    # 3. Add fallback branches (avoiding duplicates)
+    fallback_branches = ['origin/main', 'origin/master', 'main', 'master']
+    for branch in fallback_branches:
+        if branch not in default_branches:
+            default_branches.append(branch)
+
+    logger.debug('Default branches to try: %s', default_branches)
+    return default_branches
+
+
 def calculate_pre_push_commit_range(push_update_details: str) -> Optional[str]:
     """Calculate the commit range for pre-push hook scanning.
 
@@ -240,18 +296,22 @@ def calculate_pre_push_commit_range(push_update_details: str) -> Optional[str]:
 
     Returns:
         Commit range string for scanning, or None if no scanning is needed
+
+    Environment Variables:
+        CYCODE_DEFAULT_BRANCH: Override the default branch for merge base calculation
     """
     local_ref, local_object_name, remote_ref, remote_object_name = push_update_details.split()
 
     if remote_object_name == consts.EMPTY_COMMIT_SHA:
         try:
             repo = git_proxy.get_repo(os.getcwd())
-            default_branches = ['origin/main', 'origin/master', 'main', 'master']
+            default_branches = _get_default_branches_for_merge_base(repo)
 
             merge_base = None
             for default_branch in default_branches:
                 try:
                     merge_base = repo.git.merge_base(local_object_name, default_branch)
+                    logger.debug('Found merge base %s with branch %s', merge_base, default_branch)
                     break
                 except Exception as e:
                     logger.debug('Failed to find merge base with %s: %s', default_branch, exc_info=e)

tests/cli/files_collector/test_commit_range_documents.py

@@ -10,6 +10,7 @@
 
 from cycode.cli import consts
 from cycode.cli.files_collector.commit_range_documents import (
+    _get_default_branches_for_merge_base,
     calculate_pre_push_commit_range,
     get_diff_file_path,
     get_safe_head_reference_for_diff,
@@ -390,6 +391,114 @@ def test_parse_whitespace_only_input_raises_error(self) -> None:
             parse_pre_push_input()
 
 
+class TestGetDefaultBranchesForMergeBase:
+    """Test the _get_default_branches_for_merge_base function with various scenarios."""
+
+    def test_environment_variable_override(self) -> None:
+        """Test that the environment variable takes precedence."""
+        with (
+            temporary_git_repository() as (temp_dir, repo),
+            patch.dict(os.environ, {consts.CYCODE_DEFAULT_BRANCH_ENV_VAR_NAME: 'custom-main'}),
+        ):
+            branches = _get_default_branches_for_merge_base(repo)
+            assert branches[0] == 'custom-main'
+            assert 'origin/main' in branches  # Fallbacks should still be included
+
+    def test_git_symbolic_ref_success(self) -> None:
+        """Test getting default branch via git symbolic-ref."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create a mock repo with a git interface that returns origin/main
+            mock_repo = Mock()
+            mock_repo.git.symbolic_ref.return_value = 'refs/remotes/origin/main'
+
+            branches = _get_default_branches_for_merge_base(mock_repo)
+            assert 'origin/main' in branches
+            assert 'main' in branches
+
+    def test_git_symbolic_ref_with_master(self) -> None:
+        """Test getting default branch via git symbolic-ref when it's master."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create a mock repo with a git interface that returns origin/master
+            mock_repo = Mock()
+            mock_repo.git.symbolic_ref.return_value = 'refs/remotes/origin/master'
+
+            branches = _get_default_branches_for_merge_base(mock_repo)
+            assert 'origin/master' in branches
+            assert 'master' in branches
+
+    def test_git_remote_show_fallback(self) -> None:
+        """Test fallback to git remote show when symbolic-ref fails."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create a mock repo where symbolic-ref fails but the remote show succeeds
+            mock_repo = Mock()
+            mock_repo.git.symbolic_ref.side_effect = Exception('symbolic-ref failed')
+            remote_output = """* remote origin
+  Fetch URL: https://github.com/user/repo.git
+  Push  URL: https://github.com/user/repo.git
+  HEAD branch: develop
+  Remote branches:
+    develop tracked
+    main    tracked"""
+            mock_repo.git.remote.return_value = remote_output
+
+            branches = _get_default_branches_for_merge_base(mock_repo)
+            assert 'origin/develop' in branches
+            assert 'develop' in branches
+
+    def test_both_git_methods_fail_fallback_to_hardcoded(self) -> None:
+        """Test fallback to hardcoded branches when both Git methods fail."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create a mock repo where both Git methods fail
+            mock_repo = Mock()
+            mock_repo.git.symbolic_ref.side_effect = Exception('symbolic-ref failed')
+            mock_repo.git.remote.side_effect = Exception('remote show failed')
+
+            branches = _get_default_branches_for_merge_base(mock_repo)
+            # Should contain fallback branches
+            assert 'origin/main' in branches
+            assert 'origin/master' in branches
+            assert 'main' in branches
+            assert 'master' in branches
+
+    def test_no_duplicates_in_branch_list(self) -> None:
+        """Test that duplicate branches are not added to the list."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create a mock repo that returns main (which is also in fallback list)
+            mock_repo = Mock()
+            mock_repo.git.symbolic_ref.return_value = 'refs/remotes/origin/main'
+
+            branches = _get_default_branches_for_merge_base(mock_repo)
+            # Count occurrences of origin/main - should be exactly 1
+            assert branches.count('origin/main') == 1
+            assert branches.count('main') == 1
+
+    def test_env_var_plus_git_detection(self) -> None:
+        """Test combination of environment variable and git detection."""
+        with temporary_git_repository() as (temp_dir, repo):
+            mock_repo = Mock()
+            mock_repo.git.symbolic_ref.return_value = 'refs/remotes/origin/develop'
+
+            with patch.dict(os.environ, {consts.CYCODE_DEFAULT_BRANCH_ENV_VAR_NAME: 'origin/custom'}):
+                branches = _get_default_branches_for_merge_base(mock_repo)
+                # Env var should be first
+                assert branches[0] == 'origin/custom'
+                # Git detected branches should also be present
+                assert 'origin/develop' in branches
+                assert 'develop' in branches
+
+    def test_malformed_symbolic_ref_response(self) -> None:
+        """Test handling of malformed symbolic-ref response."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create a mock repo that returns a malformed response
+            mock_repo = Mock()
+            mock_repo.git.symbolic_ref.return_value = 'malformed-response'
+
+            branches = _get_default_branches_for_merge_base(mock_repo)
+            # Should fall back to hardcoded branches
+            assert 'origin/main' in branches
+            assert 'origin/master' in branches
+
+
 class TestCalculatePrePushCommitRange:
     """Test the calculate_pre_push_commit_range function with various Git repository scenarios."""
 
@@ -501,6 +610,91 @@ def test_calculate_range_with_origin_main_as_merge_base(self) -> None:
                 result = calculate_pre_push_commit_range(push_details)
                 assert result == f'{main_commit.hexsha}..{feature_commit.hexsha}'
 
+    def test_calculate_range_with_environment_variable_override(self) -> None:
+        """Test that environment variable override works for commit range calculation."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create custom default branch
+            custom_file = os.path.join(temp_dir, 'custom.py')
+            with open(custom_file, 'w') as f:
+                f.write("print('custom')")
+
+            repo.index.add(['custom.py'])
+            custom_commit = repo.index.commit('Custom branch commit')
+
+            # Create a custom branch
+            repo.create_head('custom-main', custom_commit)
+
+            # Create a feature branch from custom
+            feature_branch = repo.create_head('feature', custom_commit)
+            feature_branch.checkout()
+
+            # Add feature commits
+            feature_file = os.path.join(temp_dir, 'feature.py')
+            with open(feature_file, 'w') as f:
+                f.write("print('feature')")
+
+            repo.index.add(['feature.py'])
+            feature_commit = repo.index.commit('Feature commit')
+
+            # Test new branch push with custom default branch
+            push_details = f'refs/heads/feature {feature_commit.hexsha} refs/heads/feature {consts.EMPTY_COMMIT_SHA}'
+
+            with (
+                patch('os.getcwd', return_value=temp_dir),
+                patch.dict(os.environ, {consts.CYCODE_DEFAULT_BRANCH_ENV_VAR_NAME: 'custom-main'}),
+            ):
+                result = calculate_pre_push_commit_range(push_details)
+                assert result == f'{custom_commit.hexsha}..{feature_commit.hexsha}'
+
+    def test_calculate_range_with_git_symbolic_ref_detection(self) -> None:
+        """Test commit range calculation with Git symbolic-ref detection."""
+        with temporary_git_repository() as (temp_dir, repo):
+            # Create develop branch and commits
+            develop_file = os.path.join(temp_dir, 'develop.py')
+            with open(develop_file, 'w') as f:
+                f.write("print('develop')")
+
+            repo.index.add(['develop.py'])
+            develop_commit = repo.index.commit('Develop commit')
+
+            # Create origin/develop reference
+            repo.create_head('origin/develop', develop_commit)
+            repo.create_head('develop', develop_commit)
+
+            # Create a feature branch
+            feature_branch = repo.create_head('feature', develop_commit)
+            feature_branch.checkout()
+
+            # Add feature commits
+            feature_file = os.path.join(temp_dir, 'feature.py')
+            with open(feature_file, 'w') as f:
+                f.write("print('feature')")
+
+            repo.index.add(['feature.py'])
+            feature_commit = repo.index.commit('Feature commit')
+
+            # Test a new branch push with mocked default branch detection
+            push_details = f'refs/heads/feature {feature_commit.hexsha} refs/heads/feature {consts.EMPTY_COMMIT_SHA}'
+
+            # # Mock the default branch detection to return origin/develop first
+            with (
+                patch('os.getcwd', return_value=temp_dir),
+                patch(
+                    'cycode.cli.files_collector.commit_range_documents._get_default_branches_for_merge_base'
+                ) as mock_get_branches,
+            ):
+                mock_get_branches.return_value = [
+                    'origin/develop',
+                    'develop',
+                    'origin/main',
+                    'main',
+                    'origin/master',
+                    'master',
+                ]
+                with patch('cycode.cli.files_collector.commit_range_documents.git_proxy.get_repo', return_value=repo):
+                    result = calculate_pre_push_commit_range(push_details)
+                    assert result == f'{develop_commit.hexsha}..{feature_commit.hexsha}'
+
     def test_calculate_range_with_origin_master_as_merge_base(self) -> None:
         """Test calculating commit range using origin/master as a merge base."""
         with temporary_git_repository() as (temp_dir, repo):