
[INS-397] Fix git version parser panic on non-numeric patch versions#4882

Open
shahzadhaider1 wants to merge 1 commit into trufflesecurity:main from shahzadhaider1:INS-397-fix-git-version-parsing

Conversation

@shahzadhaider1
Contributor

@shahzadhaider1 shahzadhaider1 commented Apr 9, 2026

Fixes #4801

The bug

CmdCheck panicked with index out of range [1] with length 1 when running against a git binary built from source, because the version output uses a non-numeric patch component:

git version 2.52.gaea8cc3

The regex \d+\.\d+\.\d+ failed to match, FindString returned an empty string, and strings.Split("", ".") produced a single-element slice, which then panicked on versionParts[1].

The fix

Only the major and minor components are actually used for the version check, so the regex now captures just those: (\d+)\.(\d+). Parsing is wrapped in a parseGitVersion helper that returns an explicit error when the version can't be found, instead of relying on positional slice access.

Covered by unit tests: standard semver, non-numeric patch (2.52.gaea8cc3), Apple Git suffix, Windows Git suffix, missing patch, and malformed input.

Why a new pkg/gitcmd package

While fixing this I noticed the same gitCmdCheck logic was duplicated in pkg/detectors/azureapimanagement/repositorykey/repositorykey.go with the identical bug, and had already started to drift (different regex library). Rather than patch both copies, I extracted the helper into a new top-level pkg/gitcmd package exposing a single CheckVersion() function.

A few reasons this lives at the top level rather than under pkg/sources/git or pkg/common:

  • Layering. Detectors shouldn't depend on pkg/sources/.... A neutral top-level package avoids that coupling entirely.
  • Dependency weight. Importing pkg/sources/git directly from the detector would have pulled in roughly 870 transitive internal packages for a ~20-line version check (the detector went from 12 internal deps to 13 with gitcmd; importing pkg/sources/git would have taken it to 882).
  • Consistency. It sits next to the existing pkg/gitparse and pkg/giturl "git helpers" packages. Trufflehog already has single-purpose packages at comparable or smaller size (pkg/version, pkg/feature, pkg/sanitizer).

Changes

  • Added pkg/gitcmd/gitcmd.go with CheckVersion() and a parseGitVersion helper.
  • Added pkg/gitcmd/gitcmd_test.go covering the version-parsing cases above.
  • Removed the duplicated gitCmdCheck (and its now-unused imports) from the azureapimanagement detector.
  • Deleted the original pkg/sources/git/cmd_check.go.
  • Updated all call sites to use gitcmd.CheckVersion():
    • pkg/sources/git/git.go (two sites)
    • pkg/sources/gitlab/gitlab.go
    • pkg/sources/github/github.go
    • pkg/sources/github_experimental/github_experimental.go
    • pkg/sources/huggingface/huggingface.go
    • pkg/detectors/azureapimanagement/repositorykey/repositorykey.go

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
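The parsing failure described in the PR, shown side by side with a hardened parser. This is an added example written for this page, not code from the trufflehog repository or from the PR author: legacyParse is a reconstruction of the pre-fix logic as the description states it (x.y.z regex, Split on ".", positional index), with a recover so the panic surfaces as an error instead of crashing the demo; parseGitVersion captures only major.minor as the fix does, but additionally anchors the regex on the "git version " prefix, which is this example's own choice, not something the PR claims. checkVersion and its 2.20 floor are likewise assumptions for illustration, not trufflehog's real minimum. The sample outputs are constructed to cover the cases the PR's tests enumerate.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// legacyParse reconstructs the pre-fix behaviour for illustration (not the
// project's code): match x.y.z, split on ".", then index positionally.
// When the patch component is non-numeric the regex matches nothing,
// strings.Split("", ".") yields a one-element slice, and versionParts[1]
// panics. The deferred recover turns that panic into a returned error.
func legacyParse(output string) (major, minor int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("legacy parser panicked: %v", r)
		}
	}()
	re := regexp.MustCompile(`\d+\.\d+\.\d+`)
	versionParts := strings.Split(re.FindString(output), ".")
	major, _ = strconv.Atoi(versionParts[0])
	minor, _ = strconv.Atoi(versionParts[1]) // index out of range when len == 1
	return major, minor, nil
}

// majorMinorRe captures only major and minor. Anchoring on the "git version "
// prefix is an assumption made for this example so that a number appearing in
// a vendor suffix can never be mistaken for the version itself.
var majorMinorRe = regexp.MustCompile(`^git version (\d+)\.(\d+)`)

var errNoVersion = errors.New("git version not found in output")

// parseGitVersion returns major and minor from `git --version` output, or an
// explicit error. Whatever follows major.minor (a numeric patch, "gaea8cc3",
// "(Apple Git-146)", ".windows.1", or nothing at all) is ignored.
func parseGitVersion(output string) (int, int, error) {
	m := majorMinorRe.FindStringSubmatch(strings.TrimSpace(output))
	if m == nil {
		return 0, 0, fmt.Errorf("%w: %q", errNoVersion, output)
	}
	major, err := strconv.Atoi(m[1])
	if err != nil {
		return 0, 0, err
	}
	minor, err := strconv.Atoi(m[2])
	if err != nil {
		return 0, 0, err
	}
	return major, minor, nil
}

// checkVersion enforces a minimum major.minor on top of the parser. The
// minimum passed by callers is a hypothetical policy for this example.
func checkVersion(output string, minMajor, minMinor int) error {
	major, minor, err := parseGitVersion(output)
	if err != nil {
		return err
	}
	if major < minMajor || (major == minMajor && minor < minMinor) {
		return fmt.Errorf("git %d.%d is older than required %d.%d", major, minor, minMajor, minMinor)
	}
	return nil
}

func main() {
	// Constructed sample outputs, one per case the PR's unit tests cover.
	samples := []string{
		"git version 2.44.0",                  // standard semver
		"git version 2.52.gaea8cc3",           // built from source, non-numeric patch
		"git version 2.39.3 (Apple Git-146)",  // Apple Git suffix
		"git version 2.44.0.windows.1",        // Windows Git suffix
		"git version 2.52",                    // missing patch
		"not git at all",                      // malformed input
	}
	for _, s := range samples {
		_, _, legacyErr := legacyParse(s)
		major, minor, err := parseGitVersion(s)
		fmt.Printf("%-38q legacy: %v | fixed: %d.%d %v\n", s, legacyErr, major, minor, err)
	}
}
```

Running it shows the legacy parser surviving only the inputs whose first three dot-separated components are all numeric, while the major.minor parser accepts every well-formed output and returns errNoVersion for the malformed one. Callers can test for that sentinel with errors.Is rather than matching on message text.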

Note

Low Risk
Low risk: behavior is mostly a refactor plus more robust parsing/error handling for git --version, with minimal surface-area change beyond early validation failures.

Overview
Fixes a panic in git version validation by replacing the strict x.y.z parser with a major/minor parser that gracefully handles outputs like 2.52.gaea8cc3 and returns a clear error when parsing fails.

Extracts the duplicated git binary/version validation into a new pkg/gitcmd CheckVersion() helper (with unit tests) and updates all previous CmdCheck/gitCmdCheck call sites across sources and the Azure APIM detector to use it, deleting the old implementations.

Reviewed by Cursor Bugbot for commit f467908. Bugbot is set up for automated code reviews on this repo.

git built from source can report versions like "2.52.gaea8cc3", causing
an index out of range panic. The patch component is unused, so the regex
now captures only major.minor. Extract the helper into a shared pkg/gitcmd
package to remove duplication with the azureapimanagement detector.

Fixes trufflesecurity#4801
@shahzadhaider1 shahzadhaider1 requested a review from a team April 9, 2026 09:57
@shahzadhaider1 shahzadhaider1 requested review from a team as code owners April 9, 2026 09:58
Development

Successfully merging this pull request may close these issues.

panic: runtime error: index out of range [1] with length 1 when checking git version