jfrog · attiasas · Jan 30, 2025 · Feb 2, 2025 · Feb 2, 2025 · Feb 2, 2025
diff --git a/cli/docs/git/audit/help.go b/cli/docs/git/audit/help.go
@@ -1,5 +1,14 @@
 package audit
 
+import (
+	"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
+)
+
 func GetDescription() string {
 	return "Audit your local git repository project for security issues."
 }
+
+func GetArguments() []components.Argument {
+	return []components.Argument{{Name: "target", Description: `Diff mode, run git diff between the cwd commit to the given target commit and audit the differences.
+	You can specify a commit hash, a branch name a tag name or a reference like HEAD~1.`}}
+}
diff --git a/cli/gitcommands.go b/cli/gitcommands.go
@@ -42,6 +42,12 @@ func getGitNameSpaceCommands() []components.Command {
 
 func GitAuditCmd(c *components.Context) error {
 	gitAuditCmd := audit.NewGitAuditCommand()
+
+	if len(c.Arguments) > 0 {
+		// Diff mode
+		gitAuditCmd.SetDiffTarget(c.Arguments[0])
+	}
+
 	// Set connection params
 	serverDetails, err := createServerDetailsWithConfigOffer(c)
 	if err != nil {

diff --git a/commands/audit/audit.go b/commands/audit/audit.go
@@ -299,6 +299,7 @@ func RunJasScans(auditParallelRunner *utils.SecurityParallelRunner, auditParams
 			auditParams.resultsContext.Watches,
 			scanResults.GetTechnologies()...,
 		),
+		auditParams.filesToScan,
 		auditParams.Exclusions()...,
 	)
 	auditParallelRunner.ResultsMu.Unlock()
@@ -343,6 +344,7 @@ func createJasScansTasks(auditParallelRunner *utils.SecurityParallelRunner, scan
 				Module:                      *module,
 				ConfigProfile:               auditParams.configProfile,
 				ScansToPerform:              auditParams.ScansToPerform(),
+				FilesToScan:                 auditParams.filesToScan,
 				SecretsScanType:             secrets.SecretsScannerType,
 				DirectDependencies:          auditParams.DirectDependencies(),
 				ThirdPartyApplicabilityScan: auditParams.thirdPartyApplicabilityScan,

diff --git a/commands/audit/auditparams.go b/commands/audit/auditparams.go
@@ -25,6 +25,8 @@ type AuditParams struct {
 	configProfile               *xscservices.ConfigProfile
 	scanResultsOutputDir        string
 	startTime                   time.Time
+	// Diff mode, scan only the files affected by the diff.
+	filesToScan []string
 }
 
 func NewAuditParams() *AuditParams {
@@ -133,3 +135,12 @@ func (params *AuditParams) createXrayGraphScanParams() *services.XrayGraphScanPa
 		ScanType:               services.Dependency,
 	}
 }
+
+func (params *AuditParams) SetFilesToScan(filesToScan []string) *AuditParams {
+	params.filesToScan = filesToScan
+	return params
+}
+
+func (params *AuditParams) FilesToScan() []string {
+	return params.filesToScan
+}
diff --git a/commands/audit/scarunner.go b/commands/audit/scarunner.go
@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strings"
+
 	"github.com/jfrog/jfrog-cli-security/commands/audit/sca/swift"
 
 	biutils "github.com/jfrog/build-info-go/utils"
@@ -92,6 +94,15 @@ func buildDepTreeAndRunScaScan(auditParallelRunner *utils.SecurityParallelRunner
 			log.Warn(fmt.Sprintf("Couldn't determine a package manager or build tool used by this project. Skipping the SCA scan in '%s'...", targetResult.Target))
 			continue
 		}
+		if partialScan, filterDescriptors := getTargetDescriptorsToScan(targetResult.ScaResults, auditParams.filesToScan); partialScan {
+			// Diff mode, scan only the files affected by the diff.
+			if len(filterDescriptors) == 0 {
+				log.Info(fmt.Sprintf("No changed descriptors found for %s. Skipping SCA scan...", targetResult.Target))
+				continue
+			} else {
+				log.Info(fmt.Sprintf("Partial SCA scan will be performed on the following descriptors: %v", filterDescriptors))
+			}
+		}
 		// Get the dependency tree for the technology in the working directory.
 		treeResult, bdtErr := buildDependencyTree(targetResult, auditParams)
 		if bdtErr != nil {
@@ -103,20 +114,39 @@ func buildDepTreeAndRunScaScan(auditParallelRunner *utils.SecurityParallelRunner
 			_ = targetResult.AddTargetError(fmt.Errorf("failed to build dependency tree: %s", bdtErr.Error()), auditParams.AllowPartialResults())
 			continue
 		}
+		// TODO: get dependency from the changes and filter tree only to contain the changed dependencies
+		// Filter the dependency tree to contain only the changed dependencies.
+
 		// Create sca scan task
 		auditParallelRunner.ScaScansWg.Add(1)
 		// defer auditParallelRunner.ScaScansWg.Done()
 		_, taskErr := auditParallelRunner.Runner.AddTaskWithError(executeScaScanTask(auditParallelRunner, serverDetails, auditParams, targetResult, treeResult), func(err error) {
-			_ = targetResult.AddTargetError(fmt.Errorf("Failed to execute SCA scan: %s", err.Error()), auditParams.AllowPartialResults())
+			_ = targetResult.AddTargetError(fmt.Errorf("failed to execute SCA scan: %s", err.Error()), auditParams.AllowPartialResults())
 		})
 		if taskErr != nil {
-			_ = targetResult.AddTargetError(fmt.Errorf("Failed to create SCA scan task: %s", taskErr.Error()), auditParams.AllowPartialResults())
+			_ = targetResult.AddTargetError(fmt.Errorf("failed to create SCA scan task: %s", taskErr.Error()), auditParams.AllowPartialResults())
 			auditParallelRunner.ScaScansWg.Done()
 		}
 	}
 	return
 }
 
+func getTargetDescriptorsToScan(scaResults *results.ScaScanResults, filesToScan []string) (bool, []string) {
+	if len(filesToScan) == 0 {
+		return false, scaResults.Descriptors
+	}
+	filteredDescriptors := datastructures.MakeSet[string]()
+	for _, fileToScan := range filesToScan {
+		for _, descriptor := range scaResults.Descriptors {
+			if strings.HasSuffix(descriptor, fileToScan) {
+				filteredDescriptors.Add(descriptor)
+			}
+		}
+	}
+	return true, filteredDescriptors.ToSlice()
+
+}
+
 func getRequestedDescriptors(params *AuditParams) map[techutils.Technology][]string {
 	requestedDescriptors := map[techutils.Technology][]string{}
 	if params.PipRequirementsFile() != "" {

diff --git a/commands/git/audit/diffmode.go b/commands/git/audit/diffmode.go
@@ -0,0 +1,47 @@
+package audit
+
+import (
+	"github.com/jfrog/jfrog-cli-security/utils/results"
+	"github.com/jfrog/jfrog-cli-security/utils/scm"
+	"github.com/jfrog/jfrog-client-go/utils/log"
+)
+
+func filterResultsNotInDiff(scanResults *results.SecurityCommandResults, changes *scm.ChangesRelevantToScan) (onlyResultsInDiff *results.SecurityCommandResults) {
+	if changes == nil || !changes.HasFileChanges() {
+		log.Debug("No diff targets to filter results")
+		return scanResults
+	}
+	diffDescriptors := getDescriptorsFromDiff(changes.GetChangedFilesPaths())
+	// Create a new results object with the same metadata
+	onlyResultsInDiff = results.NewCommandResults(scanResults.CmdType)
+	onlyResultsInDiff.CommandMetaData = scanResults.CommandMetaData
+	// Loop over the scan targets and filter out the results that are not in the diff
+	for _, target := range scanResults.Targets {
+		// Add scan target to the new results object with the same metadata and no results
+		filterTarget := onlyResultsInDiff.NewScanResults(target.ScanTarget)
+		filterTarget.Errors = target.Errors
+		// Go over the results and filter out the ones that are not in the diff
+		filterTarget.ScaResults = filterScaResultsNotInDiff(target.ScaResults, diffDescriptors)
+		filterTarget.JasResults = filterJasResultsNotInDiff(target.JasResults, changes)
+	}
+	return
+}
+
+func getDescriptorsFromDiff(diffTargets []string) (descriptors []string) {
+	return append(descriptors, diffTargets...)
+}
+
+// Filter SCA results that are not in the diff, if at least one SCA descriptor is in the diff, the target is in the diff
+// TODO: when we can discover and match SCA issue to location at file level, we can improve filter capabilities
+func filterScaResultsNotInDiff(scaResults *results.ScaScanResults, changedDescriptors []string) (filterResults *results.ScaScanResults) {
+	if len(changedDescriptors) == 0 {
+		log.Debug("No diff targets to filter SCA results")
+		return scaResults
+	}
+	log.Warn("Filtering SCA results based on diff is not fully supported yet, all SCA results at the file level are included if changed")
+	return scaResults
+}
+
+func filterJasResultsNotInDiff(jasResults *results.JasScansResults, changes *scm.ChangesRelevantToScan) (filterResults *results.JasScansResults) {
+	return jasResults
+}
diff --git a/commands/git/audit/gitaudit.go b/commands/git/audit/gitaudit.go
@@ -72,7 +72,7 @@
 	return scmManager.GetSourceControlContext()
 }
 
-func toAuditParams(params GitAuditParams) *sourceAudit.AuditParams {
+func toAuditParams(params GitAuditParams, changes *scm.ChangesRelevantToScan) *sourceAudit.AuditParams {
 	auditParams := sourceAudit.NewAuditParams()
 	// Connection params
 	auditParams.SetServerDetails(params.serverDetails).SetInsecureTls(params.serverDetails.InsecureTls).SetXrayVersion(params.xrayVersion).SetXscVersion(params.xscVersion)
@@ -90,6 +90,10 @@
 	log.Debug(fmt.Sprintf("Results context: %+v", resultContext))
 	// Scan params
 	auditParams.SetThreads(params.threads).SetWorkingDirs([]string{params.repositoryLocalPath}).SetExclusions(params.exclusions).SetScansToPerform(params.scansToPerform)
+	if changedPaths := changes.GetChangedFilesPaths(); len(changedPaths) > 0 {
+		log.Debug(fmt.Sprintf("Diff targets: %v", changedPaths))
+		auditParams.SetFilesToScan(changedPaths)
+	}
 	// Output params
 	auditParams.SetOutputFormat(params.outputFormat)
 	// Cmd information
@@ -100,8 +104,23 @@
 }
 
 func RunGitAudit(params GitAuditParams) (scanResults *results.SecurityCommandResults) {
+	// Get diff targets to scan if needed
+	getTargetIfDiffMode(params)
+	return results.NewCommandResults(utils.SourceCode)
+
+	diffTargets, err := getDiffTargets(params)
+	if err != nil {
+		return results.NewCommandResults(utils.SourceCode).AddGeneralError(err, false)
+	}
+	if diffTargets != nil && !diffTargets.HasChanges() {
+		log.Warn("No changes detected in the diff, skipping the scan")
+		return results.NewCommandResults(utils.SourceCode)
+	}
+	log.Debug(fmt.Sprintf("Diff targets: %v", diffTargets))
+	// TODO: delete this line
+	return results.NewCommandResults(utils.SourceCode)
 	// Send scan started event
 	event := xsc.CreateAnalyticsEvent(services.CliProduct, services.CliEventType, params.serverDetails)
 	event.GitInfo = &params.source
 	event.IsGitInfoFlow = true
 	multiScanId, startTime := xsc.SendNewScanEvent(
@@ -112,13 +131,54 @@
 	)
 	params.multiScanId = multiScanId
 	params.startTime = startTime
-	// Run the scan
-	scanResults = sourceAudit.RunAudit(toAuditParams(params))
+	// Run the scan and filter results not in diff
+	scanResults = filterResultsNotInDiff(sourceAudit.RunAudit(toAuditParams(params, diffTargets)), diffTargets)
 	// Send scan ended event
 	xsc.SendScanEndedWithResults(params.serverDetails, scanResults)
 	return scanResults
 }
 
+func getTargetIfDiffMode(params GitAuditParams) (changes []scm.FileDiffGenerator, err error) {
+	if params.diffTarget == "" {
+		return
+	}
+	gitManager, err := scm.NewGitManager(params.repositoryLocalPath)
+	if err != nil {
+		return
+	}
+	if params.commonAncestor, err = gitManager.GetCommonAncestor(params.diffTarget); err != nil {
+		return
+	}
+	log.Info(fmt.Sprintf("Diff mode: comparing '%s' against target '%s' (common ancestor '%s')", params.source.LastCommitHash, params.diffTarget, params.commonAncestor))
+	diff, err := gitManager.Diff(params.diffTarget)
+	if err != nil {
+		return
+	}
+	changes = scm.FilePatchToFileDiffGenerator(diff...)
+	for _, analyzedFile := range changes {
+		log.Info(fmt.Sprintf("Analyzing file: %s", analyzedFile.String()))
+	}
+	return
+}
+
+func getDiffTargets(params GitAuditParams) (changes *scm.ChangesRelevantToScan, err error) {
+	if params.diffTarget == "" {
+		return
+	}
+	gitManager, err := scm.NewGitManager(params.repositoryLocalPath)
+	if err != nil {
+		return
+	}
+	if params.commonAncestor, err = gitManager.GetCommonAncestor(params.diffTarget); err != nil {
+		return
+	}
+	log.Info(fmt.Sprintf("Diff mode: comparing '%s' against target '%s' (common ancestor '%s')", params.source.LastCommitHash, params.diffTarget, params.commonAncestor))
+	if relevantChanges, err := gitManager.ScanRelevantDiff(params.diffTarget, params.commonAncestor); err == nil {
+		changes = &relevantChanges
+	}
+	return
+}
+
 func (gaCmd *GitAuditCommand) getResultWriter(cmdResults *results.SecurityCommandResults) *output.ResultsWriter {
 	var messages []string
 	if !cmdResults.EntitledForJas {

diff --git a/commands/git/audit/gitauditparams.go b/commands/git/audit/gitauditparams.go
@@ -12,7 +12,8 @@ import (
 
 type GitAuditParams struct {
 	// Git Params
-	source services.XscGitInfoContext
+	source     services.XscGitInfoContext
+	diffTarget string
 	// Connection params
 	serverDetails *config.ServerDetails
 	// Violations params
@@ -31,12 +32,19 @@ type GitAuditParams struct {
 	repositoryLocalPath string
 	multiScanId         string
 	startTime           time.Time
+
+	commonAncestor string
 }
 
 func NewGitAuditParams() *GitAuditParams {
 	return &GitAuditParams{}
 }
 
+func (gap *GitAuditParams) SetDiffTarget(diffTarget string) *GitAuditParams {
+	gap.diffTarget = diffTarget
+	return gap
+}
+
 func (gap *GitAuditParams) SetServerDetails(serverDetails *config.ServerDetails) *GitAuditParams {
 	gap.serverDetails = serverDetails
 	return gap

diff --git a/commands/scan/scan.go b/commands/scan/scan.go
@@ -481,6 +481,7 @@ func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, cmdResults
 						scanCmd.resultsContext.Watches,
 						targetResults.GetTechnologies()...,
 					),
+					[]string{},
 				)
 				if err != nil {
 					return targetResults.AddTargetError(fmt.Errorf("failed to create jas scanner: %s", err.Error()), false)

diff --git a/jas/common.go b/jas/common.go
@@ -42,11 +42,12 @@ type JasScanner struct {
 	ServerDetails         *config.ServerDetails
 	ScannerDirCleanupFunc func() error
 	EnvVars               map[string]string
+	FilesToScan           []string
 	Exclusions            []string
 	MinSeverity           severityutils.Severity
 }
 
-func CreateJasScanner(serverDetails *config.ServerDetails, validateSecrets bool, minSeverity severityutils.Severity, envVars map[string]string, exclusions ...string) (scanner *JasScanner, err error) {
+func CreateJasScanner(serverDetails *config.ServerDetails, validateSecrets bool, minSeverity severityutils.Severity, envVars map[string]string, filesToScan []string, exclusions ...string) (scanner *JasScanner, err error) {
 	if serverDetails == nil {
 		err = errors.New(NoServerDetailsError)
 		return
@@ -75,6 +76,7 @@ func CreateJasScanner(serverDetails *config.ServerDetails, validateSecrets bool,
 		return fileutils.RemoveTempDir(tempDir)
 	}
 	scanner.ServerDetails = serverDetails
+	scanner.FilesToScan = filesToScan
 	scanner.Exclusions = exclusions
 	scanner.MinSeverity = minSeverity
 	return
@@ -289,7 +291,7 @@ var FakeBasicXrayResults = []services.ScanResponse{
 
 func InitJasTest(t *testing.T) (*JasScanner, func()) {
 	assert.NoError(t, DownloadAnalyzerManagerIfNeeded(0))
-	scanner, err := CreateJasScanner(&FakeServerDetails, false, "", GetAnalyzerManagerXscEnvVars("", "", "", []string{}))
+	scanner, err := CreateJasScanner(&FakeServerDetails, false, "", GetAnalyzerManagerXscEnvVars("", "", "", []string{}), []string{})
 	assert.NoError(t, err)
 	return scanner, func() {
 		assert.NoError(t, scanner.ScannerDirCleanupFunc())
@@ -318,7 +320,10 @@ func ShouldSkipScanner(module jfrogappsconfig.Module, scanType jasutils.JasScanT
 	return false
 }
 
-func GetSourceRoots(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scanner) ([]string, error) {
+func GetSourceRoots(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scanner, filesToScan ...string) ([]string, error) {
+	if len(filesToScan) > 0 {
+		return filesToScan, nil
+	}
 	root, err := filepath.Abs(module.SourceRoot)
 	if err != nil {
 		return []string{}, errorutils.CheckError(err)

diff --git a/jas/runner/jasrunner.go b/jas/runner/jasrunner.go
@@ -32,6 +32,7 @@ type JasRunnerParams struct {
 	AllowPartialResults bool
 
 	ScansToPerform []utils.SubScanType
+	FilesToScan    []string
 
 	// Secret scan flags
 	SecretsScanType secrets.SecretsScanType

diff --git a/jas/runner/jasrunner_test.go b/jas/runner/jasrunner_test.go
@@ -28,7 +28,7 @@ func TestJasRunner_AnalyzerManagerNotExist(t *testing.T) {
 	defer func() {
 		assert.NoError(t, os.Unsetenv(coreutils.HomeDir))
 	}()
-	scanner, err := jas.CreateJasScanner(&jas.FakeServerDetails, false, "", jas.GetAnalyzerManagerXscEnvVars("", "", "", []string{}))
+	scanner, err := jas.CreateJasScanner(&jas.FakeServerDetails, false, "", jas.GetAnalyzerManagerXscEnvVars("", "", "", []string{}), []string{})
 	assert.NoError(t, err)
 	if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = jas.GetAnalyzerManagerExecutable(); err != nil {
 		return
@@ -43,7 +43,7 @@ func TestJasRunner(t *testing.T) {
 	securityParallelRunnerForTest := utils.CreateSecurityParallelRunner(cliutils.Threads)
 	targetResults := results.NewCommandResults(utils.SourceCode).SetEntitledForJas(true).SetSecretValidation(true).NewScanResults(results.ScanTarget{Target: "target", Technology: techutils.Pip})
 
-	jasScanner, err := jas.CreateJasScanner(&jas.FakeServerDetails, false, "", jas.GetAnalyzerManagerXscEnvVars("", "", "", []string{}, targetResults.GetTechnologies()...))
+	jasScanner, err := jas.CreateJasScanner(&jas.FakeServerDetails, false, "", jas.GetAnalyzerManagerXscEnvVars("", "", "", []string{}, targetResults.GetTechnologies()...), []string{})
 	assert.NoError(t, err)
 
 	targetResults.NewScaScanResults(0, jas.FakeBasicXrayResults[0])
@@ -63,7 +63,7 @@ func TestJasRunner_AnalyzerManagerReturnsError(t *testing.T) {
 	assert.NoError(t, jas.DownloadAnalyzerManagerIfNeeded(0))
 
 	jfrogAppsConfigForTest, _ := jas.CreateJFrogAppsConfig(nil)
-	scanner, _ := jas.CreateJasScanner(&jas.FakeServerDetails, false, "", jas.GetAnalyzerManagerXscEnvVars("", "", "", []string{}))
+	scanner, _ := jas.CreateJasScanner(&jas.FakeServerDetails, false, "", jas.GetAnalyzerManagerXscEnvVars("", "", "", []string{}), []string{})
 	_, err := applicability.RunApplicabilityScan(jas.FakeBasicXrayResults, []string{"issueId_2_direct_dependency", "issueId_1_direct_dependency"}, scanner, false, applicability.ApplicabilityScannerType, jfrogAppsConfigForTest.Modules[0], 0)
 	// Expect error:
 	assert.ErrorContains(t, jas.ParseAnalyzerManagerError(jasutils.Applicability, err), "failed to run Applicability scan")