---
name: security-diff
description: Compare scan results against a stored baseline — shows new, resolved, unchanged, and moved findings
---

# Security Diff

Compare the current scan against a stored baseline to track security changes over time.

## Step 1: Check Baseline

Check if a baseline exists:

```bash
ls /reports/baselines/
```

If no baselines exist, this is a first run — the scan will create the initial baseline.

## Step 2: Run Scan with Baseline

```bash
node /scanners/scan-orchestrator.mjs "" --baseline --save-baseline
```

Target = `$ARGUMENTS` or current working directory.

## Step 3: Display Results

**First run (no prior baseline):** Show a "baseline created" summary with finding counts.

**Subsequent runs:** Parse the diff output showing:

- **New** findings (not in baseline)
- **Resolved** findings (in baseline but not current)
- **Moved** findings (same finding, different location)
- **Unchanged** findings (same as baseline)

Format as tables for each category.

## Step 4: Advisory

- All resolved, no new: "Security improving."
- New findings detected: "Regression detected. Review new findings."
- No changes: "Stable. No security changes since last baseline."
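The classification in Step 3 and the advisory in Step 4 are easy to get subtly wrong (a finding that moved files should not count as both "new" and "resolved", and two identical findings in one scan must match one-to-one). The following is an added example, not code from `scan-orchestrator.mjs`: it diffs a constructed baseline against constructed current results using a two-pass match (exact location first, then rule plus offending snippet for "moved"), renders one table per category, and picks the advisory string. The finding shape `{ rule, file, line, snippet }`, the identity keys, and the precedence rule that any new finding outranks resolved ones are all assumptions.

```javascript
// Added example (not the orchestrator's own code). Finding shape is assumed:
// { rule, file, line, snippet } where `snippet` is the offending source text.

// Assumed identity keys: exact location, and content-only (for "moved").
const locationKey = (f) => `${f.rule}|${f.file}|${f.line}`;
const contentKey = (f) => `${f.rule}|${f.snippet}`;

// Index findings by key, keeping duplicates in a list so that two identical
// findings in one scan are matched one-to-one rather than collapsed.
function indexBy(findings, keyFn) {
  const index = new Map();
  for (const f of findings) {
    const k = keyFn(f);
    if (!index.has(k)) index.set(k, []);
    index.get(k).push(f);
  }
  return index;
}

// Remove and return one finding for `key`, or undefined if none is left.
function takeOne(index, key) {
  const bucket = index.get(key);
  if (!bucket || bucket.length === 0) return undefined;
  const f = bucket.shift();
  if (bucket.length === 0) index.delete(key);
  return f;
}

function diffFindings(baseline, current) {
  const result = { new: [], resolved: [], moved: [], unchanged: [] };
  // Pass 1: same rule at the same file and line is "unchanged".
  const byLocation = indexBy(baseline, locationKey);
  const leftover = [];
  for (const f of current) {
    if (takeOne(byLocation, locationKey(f))) result.unchanged.push(f);
    else leftover.push(f);
  }
  // Pass 2: same rule and snippet at a different location is "moved".
  const byContent = indexBy([...byLocation.values()].flat(), contentKey);
  for (const f of leftover) {
    const prev = takeOne(byContent, contentKey(f));
    if (prev) result.moved.push({ from: prev, to: f });
    else result.new.push(f);
  }
  // Pass 3: whatever is still unmatched in the baseline was resolved.
  result.resolved = [...byContent.values()].flat();
  return result;
}

// Step 4 advisory. Precedence is an assumption: any new finding is a
// regression even if others were resolved; moved-only is treated as stable.
function advisory(diff) {
  if (diff.new.length > 0) return "Regression detected. Review new findings.";
  if (diff.resolved.length > 0) return "Security improving.";
  return "Stable. No security changes since last baseline.";
}

// Step 3: one markdown table per category, followed by the advisory line.
function report(diff) {
  const row = (f) => ({ rule: f.rule, location: `${f.file}:${f.line}` });
  const sections = [
    ["New", diff.new.map(row)],
    ["Resolved", diff.resolved.map(row)],
    ["Moved", diff.moved.map((m) => ({
      rule: m.to.rule,
      location: `${row(m.from).location} -> ${row(m.to).location}`,
    }))],
    ["Unchanged", diff.unchanged.map(row)],
  ];
  const out = [];
  for (const [title, rows] of sections) {
    out.push(`### ${title} (${rows.length})`, "| Rule | Location |", "|------|----------|");
    for (const r of rows) out.push(`| ${r.rule} | ${r.location} |`);
    out.push("");
  }
  out.push(`**Advisory:** ${advisory(diff)}`);
  return out.join("\n");
}

// Constructed sample data (not real scan output).
const BASELINE = [
  { rule: "hardcoded-secret", file: "src/config.js", line: 12, snippet: 'apiKey = "..."' },
  { rule: "sql-injection", file: "src/db.js", line: 40, snippet: 'query("SELECT * FROM users WHERE id=" + id)' },
  { rule: "weak-hash", file: "src/auth.js", line: 8, snippet: "crypto.createHash('md5')" },
];
const CURRENT = [
  { rule: "hardcoded-secret", file: "src/config.js", line: 12, snippet: 'apiKey = "..."' },          // unchanged
  { rule: "sql-injection", file: "src/repositories/user.js", line: 17, snippet: 'query("SELECT * FROM users WHERE id=" + id)' }, // moved
  { rule: "insecure-random", file: "src/token.js", line: 3, snippet: "Math.random()" },              // new
  // weak-hash no longer present -> resolved
];

console.log(report(diffFindings(BASELINE, CURRENT)));
```

The two-pass order matters: matching on location first means a finding that stayed put is never mistaken for a "move" of a different instance with the same snippet, and draining the index with `takeOne` keeps the match one-to-one when the same rule fires several times in one file.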