vulkro diff
Compare the current API surface and findings against a saved scan or a git ref. Produces a per-finding delta - added, fixed, unchanged.
Usage
vulkro diff [BASE] [PATH] [--format FMT]
Arguments
| Argument | Description | Default |
|---|---|---|
| BASE | Git ref or saved-scan label to compare against. | main |
| PATH | Project root. | . |
How matching works
Findings are matched by a stable finding_key rather than file/line, so
reordering a function or adding a new line above a finding doesn't
generate spurious "added" / "removed" pairs.
Use case: gate PRs on new Critical/High
git checkout origin/main
vulkro scan . --save --label baseline-main
git checkout -   # return to the PR commit; "git checkout HEAD" would stay on origin/main
vulkro diff baseline-main --fail-on added-critical,added-high
Combined with the --gate-vs flag on scan, this is the typical "block
PRs on regressions, ignore long-tail tech debt" CI pattern.
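The following sketch is an added example, not vulkro's own code. It shows why the key-based matching described under "How matching works" keeps the `--fail-on added-critical,added-high` gate quiet when a finding merely moves to another line. The record fields, the key strings and the function names are assumptions made for illustration; the page does not show vulkro's JSON schema or key format.

```python
# Added illustration, not vulkro's implementation. The record fields
# (finding_key, severity, file, line) and the key strings are assumed.
from collections import Counter

# Constructed sample data: a saved baseline scan and the current scan.
BASELINE = [
    {"finding_key": "bola:GET /orders/{id}", "severity": "high",
     "file": "api/orders.py", "line": 40},
    {"finding_key": "nolimit:POST /login", "severity": "medium",
     "file": "api/auth.py", "line": 12},
]
CURRENT = [
    # Same finding as in the baseline; the handler moved down 25 lines.
    {"finding_key": "bola:GET /orders/{id}", "severity": "high",
     "file": "api/orders.py", "line": 65},
    # Genuinely new finding introduced by the change under review.
    {"finding_key": "sqli:GET /search", "severity": "critical",
     "file": "api/search.py", "line": 8},
]

def by_key(finding):
    """Stable identity: survives moves within a file."""
    return finding["finding_key"]

def by_location(finding):
    """Naive identity: changes whenever a line is inserted above the finding."""
    return (finding["file"], finding["line"])

def diff_findings(base, head, identity=by_key):
    """Classify findings as added / fixed / unchanged under the given identity."""
    base_ix = {identity(f): f for f in base}
    head_ix = {identity(f): f for f in head}
    return {
        "added": [f for k, f in head_ix.items() if k not in base_ix],
        "fixed": [f for k, f in base_ix.items() if k not in head_ix],
        "unchanged": [f for k, f in head_ix.items() if k in base_ix],
    }

def gate(delta, fail_on):
    """Return the conditions (e.g. 'added-critical') that the delta trips."""
    counts = Counter(f"{state}-{f['severity']}"
                     for state, items in delta.items() for f in items)
    return [cond for cond in fail_on if counts[cond] > 0]

if __name__ == "__main__":
    rules = ["added-critical", "added-high"]
    print("stable key:", gate(diff_findings(BASELINE, CURRENT), rules))
    print("file/line :", gate(diff_findings(BASELINE, CURRENT, by_location), rules))
```

With location-based identity the moved High finding counts as both fixed and added, so the gate would fail on a finding that already existed in the baseline.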
Output formats
table (default), json, gh-pr (markdown for gh pr comment),
junit, and csv. The gh-pr format groups by added / fixed and
suppresses unchanged.
Related
- vulkro scan --gate-vs
- vulkro history
- See also: Baselines explained - vulkro diff is the third comparison flavour alongside the CLI baseline file and the UI's baseline-scan flag.
Related commands
vulkro history
Lists saved scans:
vulkro history
Add --save to a scan run to populate it.
vulkro trends
Shows risk-score, finding-count, MTTR, and risk-debt deltas across the saved history:
vulkro trends . --limit 30