I assume that your main branch is master and that the suspicious SHA is in $SHA .
First find the merge commits that are in master , but not in the $SHA history:
$ git log --merges --oneline $SHA..master
Then check each of these commits to determine which one contains $SHA . Suppose this merge commit id is in $MERGE . You can list all the commits that have been merged into master using this commit with git log --oneline $MERGE^..$MERGE .
(This works because $MERGE^ is the [first] parent of $MERGE , that is, a master snapshot before merging, so $MERGE^..$MERGE lists commits in $MERGE , but not in $MERGE^ , i.e. commit to $MERGE , but not to master before merging.)
Then you can grep for your $SHA target:
$ git log --oneline $MERGE^..$MERGE | grep ^$SHA
The first merge that gets any of its results for the last grep is your winner. Once you have determined the commit, you can git show for more information.
$ git show $MERGE
I would be wondering how to do this if anyone knows about this.