원클릭으로
sc-diff-report
Incremental security scan for changed files only — optimized for PR and commit-level reviews
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Incremental security scan for changed files only — optimized for PR and commit-level reviews
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-diff-report |
| description | Incremental security scan for changed files only — optimized for PR and commit-level reviews |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Performs a targeted security scan on only the files changed in a git diff, pull request, or recent commit. This enables fast, focused security feedback during code review without the overhead of a full codebase scan. Classifies findings as "new" (introduced by changes) vs "existing" (pre-existing in touched files).
Activates when the user issues any of:
File: security-report/diff-report.md
Determine the diff scope based on user context:
PR Mode (most common):
git diff main...HEAD --name-only
git diff main...HEAD
Staged changes:
git diff --cached --name-only
git diff --cached
Last commit:
git diff HEAD~1 --name-only
git diff HEAD~1
Custom range:
git diff {base}...{head} --name-only
git diff {base}...{head}
From the diff output, build an inventory:
For each changed file, record:
Filter out changes unlikely to have security impact:
.md, .txt, .rst) — skip unless they contain configgenerated markers)If lock files or manifests changed:
package.json / package-lock.json — extract added/removed/updated packagesgo.mod / go.sum — extract module changesCargo.toml / Cargo.lock — extract crate changesrequirements.txt / poetry.lock — extract package changesBased on changed files, activate only relevant skills:
| Changed File Pattern | Skills to Activate |
|---|---|
*.go | sc-lang-go, sc-sqli, sc-cmdi, sc-ssrf, sc-auth, sc-race-condition |
*.ts, *.tsx, *.js, *.jsx | sc-lang-typescript, sc-xss, sc-sqli, sc-secrets, sc-auth |
*.py | sc-lang-python, sc-sqli, sc-cmdi, sc-ssti, sc-deserialization |
*.php | sc-lang-php, sc-sqli, sc-xss, sc-cmdi, sc-deserialization, sc-path-traversal |
*.rs | sc-lang-rust, sc-cmdi, sc-race-condition |
*.java, *.kt | sc-lang-java, sc-sqli, sc-deserialization, sc-xxe, sc-rce |
*.cs | sc-lang-csharp, sc-sqli, sc-deserialization, sc-xxe |
Dockerfile*, docker-compose* | sc-docker |
*.tf, *.tfvars | sc-iac |
.github/workflows/*, .gitlab-ci.yml | sc-ci-cd |
*.graphql, *resolver*, *schema* | sc-graphql |
*.proto | sc-api-security |
.env*, *config*, *secret* | sc-secrets, sc-data-exposure |
*auth*, *login*, *session* | sc-auth, sc-session, sc-jwt |
*upload* | sc-file-upload |
*redirect*, *callback* | sc-open-redirect |
For each activated skill:
For each finding:
New finding (introduced by this change):
Existing finding (pre-existing, found while scanning touched file):
Regression (re-introduced):
Apply a lightweight version of sc-verifier logic:
# Security Diff Report
**Branch:** {branch name}
**Base:** {base branch/commit}
**Date:** {scan date}
**Files Changed:** {N}
**Files Scanned:** {N} (after filtering)
## Summary
| Category | New | Existing | Total |
|----------|-----|----------|-------|
| Critical | {N} | {N} | {N} |
| High | {N} | {N} | {N} |
| Medium | {N} | {N} | {N} |
| Low | {N} | {N} | {N} |
## Verdict
{PASS | WARN | FAIL}
- **PASS**: No new Critical or High findings
- **WARN**: New Medium findings or existing High findings in touched files
- **FAIL**: New Critical or High findings introduced by this change
## New Findings (Introduced by This Change)
### DIFF-001: {Title}
- **Severity:** {severity}
- **Confidence:** {score}/100
- **Classification:** NEW
- **File:** {path}:{line}
- **Diff Context:**
```diff
{relevant diff hunk}
| Package | Change | Risk |
|---|---|---|
| {name} | Added v{X} | {assessment} |
| {name} | Updated {old} → {new} | {assessment} |
| {name} | Removed | No risk |
{List of filtered files with reason (docs, generated, assets)}
## PR Comment Format
For integration with PR workflows, also produce a concise summary suitable for a PR comment:
```markdown
## Security Scan Results
{PASS ✓ | WARN ⚠ | FAIL ✗}
**New findings:** {N} ({breakdown})
**Existing findings in touched files:** {N}
{If FAIL: list top 3 new critical/high findings with file:line}
{If WARN: brief note on what to review}
{If PASS: "No new security issues detected in this change."}