'New Code' on feature branch being polluted with details from mainline

Jeff,

Got it. There is no need to do a rebase. As I mentioned, the scanner relies on git to identify changed code compared to the target branch.

It first tries to find the merge base commit, which is the common parent between the branch and ‘mainline’. This is the same operation as running git merge-base HEAD mainline.

With the debug logs enabled, it should print the commit that was found. For example:

Computing New Code since fork with ‘master’
[…]
Merge base sha1: 111ef31292d24acdfdb5b18c4af6ec83279d5629

Could you check if the commit found is correct by comparing it with what is in the Bitbucket UI?

There have been many problems caused by local references to branches in git clones being incorrect or out of date, leading to the wrong diff being found by the scanner.
Are you using a CI service to run the scanner? In any case, make sure all references are up to date. Most CIs will perform a fresh clone but if that’s not the case for you, do git fetch --all before running the scanner.
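
The check described in this reply, as an added example that is not part of the original post and is not scanner code: it compares the merge base computed against the local branch ref with the one computed against the remote-tracking ref, on a constructed sample repository. The function names and the remote name "origin" are assumptions, and the script makes no claim about which ref the scanner itself resolves.

```shell
#!/bin/sh
# Added example, not scanner code. Assumes the remote is named "origin".

# Compare the merge base of HEAD computed against the local branch ref and
# against the remote-tracking ref of the target branch.
# Returns 0 if they agree, 1 if they differ, 2 if either ref is missing.
check_merge_base() {
    target=$1; remote=${2:-origin}
    local_mb=$(git merge-base HEAD "refs/heads/$target") || return 2
    remote_mb=$(git merge-base HEAD "refs/remotes/$remote/$target") || return 2
    echo "merge base via $target: $local_mb"
    echo "merge base via $remote/$target: $remote_mb"
    [ "$local_mb" = "$remote_mb" ]
}

# Constructed sample: an upstream repository plus a reused clone whose local
# mainline ref still points at C1 although the feature branch forked from C2.
# Prints the path of the clone.
make_demo_clone() {
    dir=$(mktemp -d) || return 1
    g() { git -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    (
        cd "$dir" && git init -q upstream && cd upstream &&
        git symbolic-ref HEAD refs/heads/mainline &&
        g commit -q --allow-empty -m "C1" &&
        git clone -q "$dir/upstream" "$dir/ci" &&   # clone taken at C1
        g commit -q --allow-empty -m "C2 on mainline" &&
        git checkout -q -b feature &&
        g commit -q --allow-empty -m "F1 on feature" &&
        cd "$dir/ci" && git fetch -q --all &&
        git checkout -q -b feature origin/feature
    ) >/dev/null 2>&1 || return 1
    echo "$dir/ci"
}

clone=$(make_demo_clone) && cd "$clone" || exit 1
check_merge_base mainline || echo "local mainline is out of date"
git branch -f mainline origin/mainline >/dev/null   # bring the local ref up to date
check_merge_base mainline && echo "both refs give the same merge base"
```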