diff-scanning-with-aws-security-agent
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAWS Security Agent — Diff Scan
AWS Security Agent — 差异扫描
Scan only the code that changed since a git ref. Faster than a full scan — focuses findings on the diff. No prior full scan needed.
仅扫描自git ref以来变更的代码。比全量扫描更快——将检测结果聚焦于差异部分。无需预先进行全量扫描。
Local state
本地状态
Read for and . If missing, run the workflow inline first.
.security-agent/config.jsonagent_space_idregionsetup-security-agentTrack scans in .
.security-agent/scans.json读取中的和。如果缺失,请先内联运行工作流。
.security-agent/config.jsonagent_space_idregionsetup-security-agent在中跟踪扫描记录。
.security-agent/scans.jsonResolving the values you need
获取所需值
| Placeholder | How to resolve |
|---|---|
| |
| |
| |
| |
| |
| |
| 占位符 | 获取方式 |
|---|---|
| |
| |
| |
| |
| |
| |
Workflow
工作流
-
Pre-scan checks. Same as full scan — read config, verify agent space, resolve values, generate workspace ID.
-
Ask what to scan against:
- Uncommitted changes → (default)
BASE_REF=HEAD - Branch vs main →
BASE_REF=main - Custom ref → user provides
- Uncommitted changes →
-
Generate diff (fail fast if empty):bash
cd <absolute-workspace-path> if [ "$BASE_REF" = "HEAD" ]; then git diff HEAD > /tmp/diff.patch else git diff "$BASE_REF..HEAD" > /tmp/diff.patch fi [ -s /tmp/diff.patch ] || { echo "No changes vs $BASE_REF"; exit 1; } -
Zip the workspace (same exclusions as full scan, 2 GB limit):bash
cd <absolute-workspace-path> zip -r /tmp/source.zip . \ -x ".git/*" -x ".security-agent/*" -x "node_modules/*" \ -x "__pycache__/*" -x ".venv/*" -x "venv/*" \ -x "dist/*" -x "build/*" -x "target/*" \ -x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \ -x ".next/*" -x "cdk.out/*" -x ".DS_Store" -x "*.pyc" -
Upload both source zip and diff patch:bash
SCAN_ID="diff-$(date +%s)-$(openssl rand -hex 3)" aws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zip aws s3 cp /tmp/diff.patch s3://<bucket>/security-scans/diffs/${SCAN_ID}/diff.patch -
Get or create per-workspace CodeReview (same logic as full scan — lookup, create if absent):
config.json → code_reviews[<abs_path>]bashaws securityagent create-code-review --agent-space-id <id> --title <title> \ --service-role <role-arn> \ --assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zip}] -
Start the diff job:bash
aws securityagent start-code-review-job --agent-space-id <id> --code-review-id <cr-id> \ --diff-source s3Uri=s3://<bucket>/security-scans/diffs/${SCAN_ID}/diff.patchIf: recreate CodeReview and retry.ResourceNotFoundException -
Capture. Persist to
codeReviewJobIdwithscans.jsonandscan_type: "DIFF".base_ref -
Tell user: "Diff scan started. Takes a few minutes. I'll check every 2 minutes — say 'stop polling' to opt out."
-
Poll every 2 minutes:bash
aws securityagent batch-get-code-review-jobs --agent-space-id <id> --code-review-job-ids <job_id>Only respond when status changes. On COMPLETED → fetch findings. -
Findings: same presentation as full scan — grouped by severity, report written to.
.security-agent/findings-{scan_id}.md
-
扫描前检查。与全量扫描相同——读取配置、验证agent空间、解析值、生成工作区ID。
-
询问扫描基准:
- 未提交的变更 → (默认值)
BASE_REF=HEAD - 分支与主分支对比 →
BASE_REF=main - 自定义基准 → 由用户提供
- 未提交的变更 →
-
生成差异(无变更则快速失败):bash
cd <absolute-workspace-path> if [ "$BASE_REF" = "HEAD" ]; then git diff HEAD > /tmp/diff.patch else git diff "$BASE_REF..HEAD" > /tmp/diff.patch fi [ -s /tmp/diff.patch ] || { echo "No changes vs $BASE_REF"; exit 1; } -
压缩工作区(与全量扫描排除相同路径,限制2GB):bash
cd <absolute-workspace-path> zip -r /tmp/source.zip . \ -x ".git/*" -x ".security-agent/*" -x "node_modules/*" \ -x "__pycache__/*" -x ".venv/*" -x "venv/*" \ -x "dist/*" -x "build/*" -x "target/*" \ -x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \ -x ".next/*" -x "cdk.out/*" -x ".DS_Store" -x "*.pyc" -
上传源码压缩包和差异补丁:bash
SCAN_ID="diff-$(date +%s)-$(openssl rand -hex 3)" aws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zip aws s3 cp /tmp/diff.patch s3://<bucket>/security-scans/diffs/${SCAN_ID}/diff.patch -
获取或创建工作区专属CodeReview(与全量扫描逻辑相同——查找,不存在则创建):
config.json → code_reviews[<abs_path>]bashaws securityagent create-code-review --agent-space-id <id> --title <title> \ --service-role <role-arn> \ --assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zip}] -
启动差异扫描任务:bash
aws securityagent start-code-review-job --agent-space-id <id> --code-review-id <cr-id> \ --diff-source s3Uri=s3://<bucket>/security-scans/diffs/${SCAN_ID}/diff.patch如果出现:重新创建CodeReview并重试。ResourceNotFoundException -
记录。将其与
codeReviewJobId和scan_type: "DIFF"一起保存到base_ref中。scans.json -
告知用户:“差异扫描已启动。需耗时数分钟。我会每2分钟检查一次——输入‘停止轮询’即可退出。”
-
轮询:每2分钟执行一次:bash
aws securityagent batch-get-code-review-jobs --agent-space-id <id> --code-review-job-ids <job_id>仅在状态变更时反馈。扫描完成(COMPLETED)后→获取检测结果。 -
检测结果:与全量扫描展示方式相同——按严重程度分组,报告写入。
.security-agent/findings-{scan_id}.md
Rules
规则
- Diff scans are standalone — no prior full scan needed
- Poll every 2 minutes, not faster
- Default to if user doesn't specify
BASE_REF=HEAD - Title: (no spaces)
diff-<git-branch>-<timestamp> - If diff is empty, tell user and stop — don't start a scan
- 差异扫描可独立运行——无需预先进行全量扫描
- 每2分钟轮询一次,不可更频繁
- 如果用户未指定,默认
BASE_REF=HEAD - 标题格式:(无空格)
diff-<git-branch>-<timestamp> - 如果无差异,告知用户并终止流程——不启动扫描