fix: prevent 'merge' branch detection from GitHub virtual refs

- Use GITHUB_HEAD_REF for PR events instead of GITHUB_REF (refs/pull/123/merge)
- GITHUB_REF contains virtual merge refs like 'refs/pull/123/merge' for PR events
- GITHUB_HEAD_REF contains the actual source branch name for PRs
- Added detection for virtual merge refs and skip them explicitly
- Added comprehensive tests for both PR and push branch detection scenarios
- Resolves issue with scans showing branch='merge' and virtual commit messages

Author: dachi-dev

socketsecurity/core/git_interface.py

@@ -111,10 +111,21 @@ def __init__(self, path: str):
         gitlab_branch = os.getenv('CI_COMMIT_BRANCH') or os.getenv('CI_MERGE_REQUEST_SOURCE_BRANCH_NAME')
 
         # GitHub Actions variables
-        github_ref = os.getenv('GITHUB_REF')  # e.g., 'refs/heads/main'
+        github_ref = os.getenv('GITHUB_REF')  # e.g., 'refs/heads/main' or 'refs/pull/123/merge'
+        github_head_ref = os.getenv('GITHUB_HEAD_REF')  # PR source branch name
         github_branch = None
-        if github_ref and github_ref.startswith('refs/heads/'):
+        
+        # For PR events, use GITHUB_HEAD_REF (actual branch name), not GITHUB_REF (virtual merge ref)
+        if github_event_name == 'pull_request' and github_head_ref:
+            github_branch = github_head_ref
+            log.debug(f"GitHub PR event - using GITHUB_HEAD_REF: {github_branch}")
+        elif github_ref and github_ref.startswith('refs/heads/'):
             github_branch = github_ref.replace('refs/heads/', '')
+            log.debug(f"GitHub push event - using GITHUB_REF: {github_branch}")
+        elif github_ref and github_ref.startswith('refs/pull/') and github_ref.endswith('/merge'):
+            # Fallback: if we somehow miss the PR detection above, don't use the virtual merge ref
+            log.debug(f"GitHub virtual merge ref detected, skipping: {github_ref}")
+            github_branch = None
 
         # Bitbucket Pipelines variables
         bitbucket_branch = os.getenv('BITBUCKET_BRANCH')

tests/core/test_git_interface.py

@@ -812,3 +812,52 @@ def test_github_push_event_uses_github_sha(self, git_instance, caplog):
                 debug_messages = [record.message for record in caplog.records if record.levelname == "DEBUG"]
                 virtual_commit_logs = [msg for msg in debug_messages if "ignoring GITHUB_SHA (virtual merge commit)" in msg]
                 assert len(virtual_commit_logs) == 0, f"Should not ignore GITHUB_SHA for push events: {debug_messages}"
+
+    def test_github_pr_branch_detection_uses_head_ref(self, git_instance, caplog):
+        """
+        Test that GitHub PR events use GITHUB_HEAD_REF for branch name, not virtual merge ref.
+        
+        GitHub sets GITHUB_REF=refs/pull/123/merge for PR events, but we should use
+        GITHUB_HEAD_REF which contains the actual source branch name.
+        """
+        with caplog.at_level(logging.DEBUG):
+            # Simulate GitHub PR environment with virtual merge ref
+            with patch.dict(os.environ, {
+                'GITHUB_EVENT_NAME': 'pull_request',
+                'GITHUB_REF': 'refs/pull/123/merge',  # Virtual merge ref
+                'GITHUB_HEAD_REF': 'feature-branch',  # Actual branch name
+                'GITHUB_SHA': 'abc123virtual',  # Virtual merge commit (ignored)
+            }, clear=True):
+                # Create new Git instance to trigger branch detection logic
+                git_instance_new = Git(git_instance.path)
+                
+                # Should use GITHUB_HEAD_REF for branch name
+                assert git_instance_new.branch == 'feature-branch'
+                
+                # Should log that GITHUB_HEAD_REF is being used
+                debug_messages = [record.message for record in caplog.records if record.levelname == "DEBUG"]
+                head_ref_logs = [msg for msg in debug_messages if "using GITHUB_HEAD_REF: feature-branch" in msg]
+                assert len(head_ref_logs) >= 1, f"Expected GITHUB_HEAD_REF log, got: {debug_messages}"
+
+    def test_github_push_branch_detection_uses_ref(self, git_instance, caplog):
+        """
+        Test that GitHub push events use GITHUB_REF for branch name.
+        """
+        with caplog.at_level(logging.DEBUG):
+            # Simulate GitHub push environment
+            with patch.dict(os.environ, {
+                'GITHUB_EVENT_NAME': 'push',
+                'GITHUB_REF': 'refs/heads/main',  # Normal branch ref
+                'GITHUB_HEAD_REF': '',  # Not set for push events
+                'GITHUB_SHA': git_instance.commit.hexsha,  # Real commit
+            }, clear=True):
+                # Create new Git instance to trigger branch detection logic
+                git_instance_new = Git(git_instance.path)
+                
+                # Should use GITHUB_REF for branch name
+                assert git_instance_new.branch == 'main'
+                
+                # Should log that GITHUB_REF is being used
+                debug_messages = [record.message for record in caplog.records if record.levelname == "DEBUG"]
+                ref_logs = [msg for msg in debug_messages if "using GITHUB_REF: main" in msg]
+                assert len(ref_logs) >= 1, f"Expected GITHUB_REF log, got: {debug_messages}"