بنقرة واحدة
sc-diff-report
Incremental security scan for changed files only — optimized for PR and commit-level reviews
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Incremental security scan for changed files only — optimized for PR and commit-level reviews
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-diff-report |
| description | Incremental security scan for changed files only — optimized for PR and commit-level reviews |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Performs a targeted security scan on only the files changed in a git diff, pull request, or recent commit. This enables fast, focused security feedback during code review without the overhead of a full codebase scan. Classifies findings as "new" (introduced by changes) vs "existing" (pre-existing in touched files).
Activates when the user issues any of:
File: security-report/diff-report.md
Determine the diff scope based on user context:
PR Mode (most common):
git diff main...HEAD --name-only
git diff main...HEAD
Staged changes:
git diff --cached --name-only
git diff --cached
Last commit:
git diff HEAD~1 --name-only
git diff HEAD~1
Custom range:
git diff {base}...{head} --name-only
git diff {base}...{head}
From the diff output, build an inventory:
For each changed file, record:
Filter out changes unlikely to have security impact:
.md, .txt, .rst) — skip unless they contain configgenerated markers)If lock files or manifests changed:
package.json / package-lock.json — extract added/removed/updated packagesgo.mod / go.sum — extract module changesCargo.toml / Cargo.lock — extract crate changesrequirements.txt / poetry.lock — extract package changesBased on changed files, activate only relevant skills:
| Changed File Pattern | Skills to Activate |
|---|---|
*.go | sc-lang-go, sc-sqli, sc-cmdi, sc-ssrf, sc-auth, sc-race-condition |
*.ts, *.tsx, *.js, *.jsx | sc-lang-typescript, sc-xss, sc-sqli, sc-secrets, sc-auth |
*.py | sc-lang-python, sc-sqli, sc-cmdi, sc-ssti, sc-deserialization |
*.php | sc-lang-php, sc-sqli, sc-xss, sc-cmdi, sc-deserialization, sc-path-traversal |
*.rs | sc-lang-rust, sc-cmdi, sc-race-condition |
*.java, *.kt | sc-lang-java, sc-sqli, sc-deserialization, sc-xxe, sc-rce |
*.cs | sc-lang-csharp, sc-sqli, sc-deserialization, sc-xxe |
Dockerfile*, docker-compose* | sc-docker |
*.tf, *.tfvars | sc-iac |
.github/workflows/*, .gitlab-ci.yml | sc-ci-cd |
*.graphql, *resolver*, *schema* | sc-graphql |
*.proto | sc-api-security |
.env*, *config*, *secret* | sc-secrets, sc-data-exposure |
*auth*, *login*, *session* | sc-auth, sc-session, sc-jwt |
*upload* | sc-file-upload |
*redirect*, *callback* | sc-open-redirect |
For each activated skill:
For each finding:
New finding (introduced by this change):
Existing finding (pre-existing, found while scanning touched file):
Regression (re-introduced):
Apply a lightweight version of sc-verifier logic:
# Security Diff Report
**Branch:** {branch name}
**Base:** {base branch/commit}
**Date:** {scan date}
**Files Changed:** {N}
**Files Scanned:** {N} (after filtering)
## Summary
| Category | New | Existing | Total |
|----------|-----|----------|-------|
| Critical | {N} | {N} | {N} |
| High | {N} | {N} | {N} |
| Medium | {N} | {N} | {N} |
| Low | {N} | {N} | {N} |
## Verdict
{PASS | WARN | FAIL}
- **PASS**: No new Critical or High findings
- **WARN**: New Medium findings or existing High findings in touched files
- **FAIL**: New Critical or High findings introduced by this change
## New Findings (Introduced by This Change)
### DIFF-001: {Title}
- **Severity:** {severity}
- **Confidence:** {score}/100
- **Classification:** NEW
- **File:** {path}:{line}
- **Diff Context:**
```diff
{relevant diff hunk}
| Package | Change | Risk |
|---|---|---|
| {name} | Added v{X} | {assessment} |
| {name} | Updated {old} → {new} | {assessment} |
| {name} | Removed | No risk |
{List of filtered files with reason (docs, generated, assets)}
## PR Comment Format
For integration with PR workflows, also produce a concise summary suitable for a PR comment:
```markdown
## Security Scan Results
{PASS ✓ | WARN ⚠ | FAIL ✗}
**New findings:** {N} ({breakdown})
**Existing findings in touched files:** {N}
{If FAIL: list top 3 new critical/high findings with file:line}
{If WARN: brief note on what to review}
{If PASS: "No new security issues detected in this change."}