Run a fast AWS Security Agent diff scan on only the changed code since a git ref. Use when the user asks to scan changes, run a diff scan, check what changed for security issues, scan before committing, scan before PR, or any pre-commit/pre-push security check.
Run a fast AWS Security Agent diff scan on only the changed code since a git ref. Use when the user asks to scan changes, run a diff scan, check what changed for security issues, scan before committing, scan before PR, or any pre-commit/pre-push security check.
AWS Security Agent — Diff Scan
Scan only the code that changed since a git ref. Faster than a full scan — focuses findings on the diff. No prior full scan needed.
Local state
Read .security-agent/config.json for agent_space_id and region. If missing, run the setup-security-agent workflow inline first.
Track scans in .security-agent/scans.json.
Resolving the values you need
Placeholder
How to resolve
<id> (agent space)
config.agent_space_id
<region>
config.region (default us-east-1)
<account>
aws sts get-caller-identity --query Account --output text
<role-arn>
arn:aws:iam::<account>:role/SecurityAgentScanRole
<bucket>
security-agent-scans-<account>-<region>
<WORKSPACE_ID>
printf '%s' "$(pwd)" | md5sum | cut -c1-12
Workflow
Pre-scan checks. Same as full scan — read config, verify agent space, resolve values, generate workspace ID.
Ask what to scan against:
Uncommitted changes → BASE_REF=HEAD (default)
Branch vs main → BASE_REF=main
Custom ref → user provides
Generate diff (fail fast if empty):
cd <absolute-workspace-path>
if [ "$BASE_REF" = "HEAD" ]; then
git diff HEAD > /tmp/diff.patch
else
git diff "$BASE_REF..HEAD" > /tmp/diff.patch
fi
[ -s /tmp/diff.patch ] || { echo"No changes vs $BASE_REF"; exit 1; }
Zip the workspace (same exclusions as full scan, 2 GB limit):