Run a fast AWS Security Agent diff scan on only the changed code since a git ref. Use when the user asks to scan changes, run a diff scan, check what changed for security issues, scan before committing, scan before PR, or any pre-commit/pre-push security check.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Run a fast AWS Security Agent diff scan on only the changed code since a git ref. Use when the user asks to scan changes, run a diff scan, check what changed for security issues, scan before committing, scan before PR, or any pre-commit/pre-push security check.
AWS Security Agent — Diff Scan
Scan only the code that changed since a git ref. Faster than a full scan — focuses findings on the diff. No prior full scan needed.
Local state
Read .security-agent/config.json for agent_space_id and region. If missing, run the setup-security-agent workflow inline first.
Track scans in .security-agent/scans.json.
Resolving the values you need
Placeholder
How to resolve
<id> (agent space)
config.agent_space_id
<region>
config.region (default us-east-1)
<account>
aws sts get-caller-identity --query Account --output text
<role-arn>
arn:aws:iam::<account>:role/SecurityAgentScanRole
<bucket>
security-agent-scans-<account>-<region>
<WORKSPACE_ID>
printf '%s' "$(pwd)" | md5sum | cut -c1-12
Workflow
Pre-scan checks. Same as full scan — read config, verify agent space, resolve values, generate workspace ID.
Ask what to scan against:
Uncommitted changes → BASE_REF=HEAD (default)
Branch vs main → BASE_REF=main
Custom ref → user provides
Generate diff (fail fast if empty):
cd <absolute-workspace-path>
if [ "$BASE_REF" = "HEAD" ]; then
git diff HEAD > /tmp/diff.patch
else
git diff "$BASE_REF..HEAD" > /tmp/diff.patch
fi
[ -s /tmp/diff.patch ] || { echo"No changes vs $BASE_REF"; exit 1; }
Zip the workspace (same exclusions as full scan, 2 GB limit):