vulkro scan --diff-only <ref>
PR-speed mode. Restricts the scan to files that differ vs the given git ref. On a 1000-file project where the PR changes 6 files, the scan walks 6 files instead of 1000.
vulkro scan . --diff-only origin/main
vulkro scan . --diff-only HEAD~1
The filter applies BEFORE the detector dispatch runs, so the detector work itself is bounded.
Composes with --gate-vs
The two flags solve different problems:
--gate-vs <ref> runs the full scan, then filters findings to lines that changed vs the ref. Useful when you want surrounding context.
--diff-only <ref> filters the input. Useful when you want PR speed.
You can compose them:
vulkro scan . --diff-only HEAD~1 --gate-vs origin/main
This gives the fastest PR scan while still surfacing only the lines in the PR's commit range.
Fallback behaviour
If git diff --name-only <ref> returns nothing (no changed files, or git is unavailable), Vulkro logs a warning and falls back to a full scan, so the user always gets some result.
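The following is an added example, not Vulkro's own code: a toy scanner that models the two filters described above and the empty-diff fallback. The `git diff --name-only` and `git diff -U0` outputs, the file contents, the rule patterns and the `scan()` detector are all constructed for the example; it shows that --diff-only narrows what the detectors walk (before dispatch), --gate-vs narrows what is reported (after dispatch), and that an empty diff yields a warning plus a full scan.

```python
# Added example (not Vulkro's own code): a toy scanner that shows how an input-side
# filter (--diff-only) differs from a finding-side filter (--gate-vs), how the two
# compose, and how the empty-diff fallback to a full scan works. The git outputs
# below are constructed samples; paths, rules and scan() are hypothetical.
import re
import sys
from dataclasses import dataclass

# Constructed sample of `git diff --name-only <ref>` output.
CHANGED_FILES_OUTPUT = "src/auth.py\nsrc/db.py\n"

# Constructed sample of `git diff -U0 <ref>` output; only the `+++` markers and
# `@@` hunk headers are needed to recover which new-side lines changed.
DIFF_OUTPUT = """\
diff --git a/src/auth.py b/src/auth.py
--- a/src/auth.py
+++ b/src/auth.py
@@ -10,0 +11,2 @@
+    token = request.args.get("token")
+    return eval(token)
@@ -40 +42 @@
-    return None
+    return ""
diff --git a/src/db.py b/src/db.py
--- a/src/db.py
+++ b/src/db.py
@@ -5,3 +5 @@
-    cur.execute("SELECT * FROM t WHERE id=?", (uid,))
-    row = cur.fetchone()
-    return row
+    cur.execute("SELECT * FROM t WHERE id=" + uid)
"""

# Constructed repository contents, keyed by path then 1-based line number. Unchanged
# lines (auth.py:3, db.py:9, all of legacy.py) are included so the filters differ.
REPO = {
    "src/auth.py": {3: "os.system(cmd)", 11: 'token = request.args.get("token")',
                    12: "return eval(token)", 42: 'return ""'},
    "src/db.py": {5: 'cur.execute("SELECT * FROM t WHERE id=" + uid)', 9: "os.system(backup_cmd)"},
    "src/legacy.py": {7: "eval(user_input)"},
}
ALL_FILES = sorted(REPO)

# Toy regex "detectors"; a real scanner would parse the source properly.
RULES = {"dangerous-eval": r"\beval\(", "shell-exec": r"os\.system\(", "sql-concat": r"execute\(.*\+"}

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def parse_changed_files(name_only_output):
    """Turn `git diff --name-only <ref>` output into a list of paths."""
    return [l.strip() for l in name_only_output.splitlines() if l.strip()]


def parse_changed_lines(diff_output):
    """Map each path to the set of new-side line numbers covered by a hunk."""
    changed, current = {}, None
    for line in diff_output.splitlines():
        if line.startswith("+++ "):
            current = line[4:]
            current = current[2:] if current.startswith("b/") else current
            changed.setdefault(current, set())
            continue
        m = HUNK_RE.match(line)
        if m and current is not None:
            start = int(m.group(1))
            count = int(m.group(2)) if m.group(2) is not None else 1  # "+42" means one line
            changed[current].update(range(start, start + count))      # count 0 = pure deletion
    return changed


def scan(files, repo=REPO):
    """Toy detector dispatch: walks only the files it is handed."""
    findings = []
    for path in files:
        for lineno, text in sorted(repo.get(path, {}).items()):
            for rule, pattern in RULES.items():
                if re.search(pattern, text):
                    findings.append(Finding(path, lineno, rule))
    return findings


def _warn(msg):
    print(msg, file=sys.stderr)


def select_inputs(all_files, changed_files, warn=_warn):
    """--diff-only: narrow the input set; an empty diff (or no git) falls back to everything."""
    if not changed_files:
        warn("warning: no changed files vs ref (or git unavailable); falling back to a full scan")
        return list(all_files)
    wanted = set(changed_files)
    return [f for f in all_files if f in wanted]


def gate_findings(findings, changed_lines):
    """--gate-vs: keep only findings that sit on a line changed vs the ref."""
    return [f for f in findings if f.line in changed_lines.get(f.path, ())]


def pr_scan(all_files, name_only_output, diff_output, diff_only=False, gate_vs=False, warn=_warn):
    """Return (files actually walked, findings reported) for the chosen flag combination."""
    files = list(all_files)
    if diff_only:                       # input filter runs BEFORE the detectors
        files = select_inputs(files, parse_changed_files(name_only_output), warn)
    findings = scan(files)
    if gate_vs:                         # finding filter runs AFTER the detectors
        findings = gate_findings(findings, parse_changed_lines(diff_output))
    return files, findings


if __name__ == "__main__":
    for flags in ({}, {"diff_only": True}, {"gate_vs": True}, {"diff_only": True, "gate_vs": True}):
        files, findings = pr_scan(ALL_FILES, CHANGED_FILES_OUTPUT, DIFF_OUTPUT, **flags)
        print(flags or "full scan", "->", len(files), "files walked,",
              [(f.path, f.line, f.rule) for f in findings])
```

Running it shows the trade-off in numbers: the full scan walks 3 files and reports 5 findings; --diff-only walks 2 files and still reports the unchanged auth.py:3 hit because that file is in the diff; --gate-vs walks all 3 files but reports only the two findings on changed lines; composing both walks 2 files and reports those same two; an empty name-only output triggers the warning and a full walk.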
CI recipe
# .github/workflows/vulkro-pr.yml
on:
  pull_request:
jobs:
  vulkro-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: |
          vulkro scan . \
            --diff-only origin/${{ github.base_ref }} \
            --gate-vs origin/${{ github.base_ref }} \
            --format gh-pr-inline-comments
The job uses the PR's base ref both as the diff filter and as the gating ref, so the resulting comments land directly on changed lines. The fetch-depth: 0 setting matters: with the default shallow checkout, origin/<base_ref> is not available locally, git diff returns nothing, and the scan silently takes the full-scan fallback instead of the PR-speed path.