
Add Diff-Aware Reporting for Pull Request Scans

Open yogur opened this issue 4 months ago • 3 comments

Resolves: #137

This PR implements diff-aware reporting that filters KICS results to only show findings in files and lines changed in the pull request, eliminating noise from pre-existing issues in unchanged code.

Files Changed

New:

  • src/filter.js - Core diff-aware filtering logic

Modified:

  • src/main.js - Integration and workflow logic
  • action.yml - New enable_diff_aware_reporting input parameter
  • README.md - Documentation for new parameter

Key Features

  • GitHub API Integration: Fetches PR file changes via octokit.rest.pulls.listFiles
  • Patch Parsing: Extracts changed line numbers from Git patch strings
  • Smart Filtering: Removes findings not in changed files/lines, recalculates counters
  • Noise Reduction: Skips PR comments when no relevant findings exist
  • Workflow Success: Sets exit code to 0 when diff-aware filtering results in zero findings

Usage

- uses: checkmarx/kics-github-action@main
  with:
    path: 'src,terraform'
    token: ${{ secrets.GITHUB_TOKEN }}
    enable_comments: true
    enable_diff_aware_reporting: true  # New parameter

Backward Compatible: Default false, existing workflows unchanged.

yogur avatar Aug 06 '25 14:08 yogur
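As an added illustration of the patch parsing and line-level filtering the PR description lists (example code written here, not the PR's own src/filter.js), assuming the `filename`/`patch` fields returned by `octokit.rest.pulls.listFiles` and a KICS results layout of `queries[].files[]` with `file_name` and `line` plus `severity_counters`/`total_counter`:

```javascript
// Set of new-file line numbers a unified-diff patch adds or modifies.
function changedLines(patch) {
  const lines = new Set();
  let newLine = 0;
  for (const raw of patch.split('\n')) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { // hunk header: restart the new-file line counter
      newLine = Number(hunk[1]);
    } else if (raw.startsWith('+')) { // added line exists in the new file
      lines.add(newLine++);
    } else if (!raw.startsWith('-') && !raw.startsWith('\\')) {
      newLine++; // context line; '-' lines and "\ No newline" have no new number
    }
  }
  return lines;
}
// Map filename -> Set(lines) from pulls.listFiles() entries. Entries without
// a patch (binary or very large files) are marked null: treated as fully changed.
function buildChangeMap(prFiles) {
  const map = new Map();
  for (const f of prFiles) {
    map.set(f.filename, f.patch === undefined ? null : changedLines(f.patch));
  }
  return map;
}
// Keep only findings on changed lines and recompute the counters. The results
// shape (queries[].files[].file_name/line, counters) is an assumed KICS layout.
function filterResults(results, changeMap) {
  const queries = [];
  const severityCounters = {};
  let total = 0;
  for (const q of results.queries) {
    const files = q.files.filter((f) => {
      const lines = changeMap.get(f.file_name);
      return lines !== undefined && (lines === null || lines.has(f.line));
    });
    if (files.length === 0) continue;
    queries.push({ ...q, files });
    severityCounters[q.severity] = (severityCounters[q.severity] || 0) + files.length;
    total += files.length;
  }
  return { ...results, queries, severity_counters: severityCounters, total_counter: total };
}
// Constructed sample: one hunk adding lines 3-4 to main.tf (not real PR data).
const SAMPLE_PR_FILES = [{ filename: 'main.tf',
  patch: '@@ -1,2 +1,4 @@\n a\n b\n+c\n+d' }];
const SAMPLE_RESULTS = { queries: [{ query_name: 'q', severity: 'HIGH',
  files: [{ file_name: 'main.tf', line: 1 }, { file_name: 'main.tf', line: 4 }] }],
  severity_counters: { HIGH: 2 }, total_counter: 2 };
```

With the sample above, the pre-existing finding on line 1 is dropped and only the finding on added line 4 survives, so the counters fall from 2 to 1.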

Checkmarx One – Scan Summary & Details c53a2258-6cba-48c4-a853-517a11cf1054

Great job! No new security vulnerabilities introduced in this pull request

amacedoo avatar Aug 06 '25 14:08 amacedoo

Hey @cx-monica-casanova, could you please have a look at this? Is there any chance to get it reviewed and merged?

We've been using my fork across the org at my employer, and the new feature has been working well so far with no issues.

yogur avatar Aug 20 '25 14:08 yogur

FYI: I rolled back the commit https://github.com/Checkmarx/kics-github-action/pull/138/commits/c4ee8f4650cd2526651d067ffc4339e833a2dcb8, which skipped posting a comment if there are no findings and diff-aware reporting was enabled, because it was preventing the comment from being updated if issues reported in a PR were fixed. This also focuses the scope of this PR.

yogur avatar Aug 21 '25 08:08 yogur