
[INS-397] Fix git version parser panic on non-numeric patch versions#4882

Open
shahzadhaider1 wants to merge 2 commits into trufflesecurity:main from shahzadhaider1:INS-397-fix-git-version-parsing

Conversation

@shahzadhaider1 (Contributor) commented Apr 9, 2026

Fixes #4801

The bug

CmdCheck panicked with index out of range [1] with length 1 when running against a git binary built from source, because the version output uses a non-numeric patch component:

git version 2.52.gaea8cc3

The regex \d+\.\d+\.\d+ failed to match, FindString returned an empty string, and strings.Split("", ".") produced a single-element slice, which then panicked on versionParts[1].

The fix

Only the major and minor components are actually used for the version check, so the regex now captures just those: (\d+)\.(\d+). Parsing is wrapped in a parseGitVersion helper that returns an explicit error when the version can't be found, instead of relying on positional slice access.

Covered by unit tests: standard semver, non-numeric patch (2.52.gaea8cc3), Apple Git suffix, Windows Git suffix, missing patch, and malformed input.

Why a new pkg/gitcmd package

While fixing this I noticed the same gitCmdCheck logic was duplicated in pkg/detectors/azureapimanagement/repositorykey/repositorykey.go with the identical bug, and had already started to drift (different regex library). Rather than patch both copies, I extracted the helper into a new top-level pkg/gitcmd package exposing a single CheckVersion() function.

A few reasons this lives at the top level rather than under pkg/sources/git or pkg/common:

  • Layering. Detectors shouldn't depend on pkg/sources/.... A neutral top-level package avoids that coupling entirely.
  • Dependency weight. Importing pkg/sources/git directly from the detector would have pulled in roughly 870 transitive internal packages for a ~20-line version check (the detector went from 12 internal deps to 13 with gitcmd; importing pkg/sources/git would have taken it to 882).
  • Consistency. It sits next to the existing pkg/gitparse and pkg/giturl "git helpers" packages. Trufflehog already has single-purpose packages at comparable or smaller size (pkg/version, pkg/feature, pkg/sanitizer).

Changes

  • Added pkg/gitcmd/gitcmd.go with CheckVersion() and a parseGitVersion helper.
  • Added pkg/gitcmd/gitcmd_test.go covering the version-parsing cases above.
  • Removed the duplicated gitCmdCheck (and its now-unused imports) from the azureapimanagement detector.
  • Deleted the original pkg/sources/git/cmd_check.go.
  • Updated all call sites to use gitcmd.CheckVersion():
    • pkg/sources/git/git.go (two sites)
    • pkg/sources/gitlab/gitlab.go
    • pkg/sources/github/github.go
    • pkg/sources/github_experimental/github_experimental.go
    • pkg/sources/huggingface/huggingface.go
    • pkg/detectors/azureapimanagement/repositorykey/repositorykey.go

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?

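As an added illustration (not the PR's code and not TruffleHog's pkg/gitcmd), the Go program below puts the pre-fix slice-indexing logic next to a parser of the kind the description outlines, using the two regexes quoted above. The `legacyPanics` wrapper, the function names and the sample `git --version` strings are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Pre-fix regex (needs a numeric patch) and post-fix regex (major.minor only).
var (
	oldVersionRe = regexp.MustCompile(`\d+\.\d+\.\d+`)
	versionRe    = regexp.MustCompile(`(\d+)\.(\d+)`)
)

// legacyPanics reproduces the original failure mode: FindString returns "",
// Split yields a one-element slice, and parts[1] panics (recovered here).
func legacyPanics(out string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	parts := strings.Split(oldVersionRe.FindString(out), ".")
	_, _ = strconv.Atoi(parts[0])
	_, _ = strconv.Atoi(parts[1]) // index out of range [1] with length 1
	return false
}

// parseGitVersion extracts major.minor from `git --version` output and
// returns an error rather than panicking when no version is present.
func parseGitVersion(out string) (major, minor int, err error) {
	m := versionRe.FindStringSubmatch(out)
	if m == nil {
		return 0, 0, fmt.Errorf("could not find git version in %q", strings.TrimSpace(out))
	}
	// Submatches are \d+ by construction, so Atoi only fails on overflow.
	if major, err = strconv.Atoi(m[1]); err != nil {
		return 0, 0, fmt.Errorf("invalid major version %q: %w", m[1], err)
	}
	if minor, err = strconv.Atoi(m[2]); err != nil {
		return 0, 0, fmt.Errorf("invalid minor version %q: %w", m[2], err)
	}
	return major, minor, nil
}

func main() {
	fmt.Println(legacyPanics("git version 2.52.gaea8cc3")) // constructed sample
	fmt.Println(parseGitVersion("git version 2.52.gaea8cc3"))
}
```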
Note

Medium Risk
Touches shared git preflight logic used by multiple sources/detectors; a parsing/compatibility mistake would block scans from starting, but the change is small and covered by targeted unit tests.

Overview
Fixes a crash in git CLI version validation when git --version includes non-numeric patch components (e.g. source-built git), by parsing only major/minor and returning a clean error instead of panicking.

Extracts and centralizes the duplicated git binary/version check into a new pkg/gitcmd package (CheckVersion + tested parseGitVersion), deletes the old pkg/sources/git/CmdCheck and the detector-local copy, and updates all call sites (git, GitHub, GitLab, HuggingFace, APIM detector) to use the shared helper.

Reviewed by Cursor Bugbot for commit d50c9aa. Bugbot is set up for automated code reviews on this repo.

git built from source can report versions like "2.52.gaea8cc3", causing
an index out of range panic. The patch component is unused, so the regex
now captures only major.minor. Extract the helper into a shared pkg/gitcmd
package to remove duplication with the azureapimanagement detector.

Fixes trufflesecurity#4801
@shahzadhaider1 shahzadhaider1 requested a review from a team April 9, 2026 09:57
@shahzadhaider1 shahzadhaider1 requested review from a team as code owners April 9, 2026 09:58

Development

Successfully merging this pull request may close these issues.

panic: runtime error: index out of range [1] with length 1 when checking git version