| name | description | allowed-tools | model |
|---|---|---|---|
| security:diff | Compare scan results against a stored baseline — shows new, resolved, unchanged, and moved findings | Bash, Read, AskUserQuestion | sonnet |
/security diff [path]
Run a deterministic deep scan and compare results against a stored baseline. Shows what changed since the last saved scan.
Step 1: Check for Existing Baseline
Determine plugin root (parent of this commands/ folder) and target path from $ARGUMENTS (default .).
Check if a baseline already exists:
```bash
ls -la <plugin-root>/reports/baselines/ 2>/dev/null
```
If baseline files exist for the target, inform the user:
A baseline already exists. Running `/security diff` will overwrite it with new results.
Use AskUserQuestion to ask: "Overwrite existing baseline and run diff? (The previous baseline will be replaced.)"
If the user declines, exit without scanning. If the user confirms (or no baseline exists yet), proceed to Step 2.
Step 2: Run Scan with Baseline Comparison
```bash
node <plugin-root>/scanners/scan-orchestrator.mjs "<target>" --baseline --save-baseline
```
Parse stdout JSON. The scan runs all 9 scanners, diffs against any existing baseline, then saves the new results as the current baseline.
If no baseline exists yet (diff is null in output), this is a first run — report that a baseline has been created and show the current scan summary instead of a diff.
Step 3: Display Results
First run (no prior baseline)
## Baseline Created
No prior baseline found. Current scan saved as baseline.
**Findings:** XC XH XM XL XI | **Risk Score:** X/100 | **Verdict:** ALLOW/WARNING/BLOCK
Run `/security diff` again after making changes to see the delta.
Subsequent runs (diff available)
## Security Diff: <target>
**Baseline:** <baseline_timestamp> → **Current:** <now>
### Summary
| Category | Count |
|----------|-------|
| New | X |
| Resolved | X |
| Moved | X |
| Unchanged | X |
For New findings (sorted critical → info):
### New Findings (X)
| # | Severity | Scanner | Title | File | OWASP |
|---|----------|---------|-------|------|-------|
For Resolved findings:
### Resolved Findings (X)
| # | Severity | Scanner | Title | File | OWASP |
|---|----------|---------|-------|------|-------|
For Moved findings (only if count > 0):
### Moved Findings (X)
| # | Severity | Scanner | Title | File | Previous Location |
|---|----------|---------|-------|------|-------------------|
Omit Unchanged findings from the output — they add noise. Mention count in summary only.
Step 4: Advisory
- If new CRITICAL/HIGH findings: "Action required: X new critical/high findings since baseline."
- If resolved > new: "Improving: more findings resolved than introduced."
- If new > 0 and resolved == 0: "Regression: X new findings, none resolved."
- If new == 0 and resolved == 0: "Stable: no changes since baseline."
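The classification in Step 3 and the advisory rules in Step 4, as an added example that is not the plugin's own scan-orchestrator code. It assumes each finding carries `scanner`, `title`, `file` and `severity` fields, and treats a finding as "moved" when scanner and title match a baseline entry but the file differs; the real orchestrator may use a different matching key. The scanner names and findings are constructed sample data.

```javascript
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
const exactKey = (f) => `${f.scanner}|${f.title}|${f.file}`;
const looseKey = (f) => `${f.scanner}|${f.title}`; // assumed identity of a finding across files

function diffFindings(baseline, current) {
  const matchedBase = new Set();
  const result = { new: [], resolved: [], moved: [], unchanged: [] };
  const pending = [];
  // Pass 1: same scanner, title and file in both runs -> unchanged.
  const baseExact = new Map(baseline.map((f) => [exactKey(f), f]));
  for (const f of current) {
    const same = baseExact.get(exactKey(f));
    if (same && !matchedBase.has(exactKey(same))) { result.unchanged.push(f); matchedBase.add(exactKey(same)); }
    else pending.push(f);
  }
  // Pass 2: same scanner+title but a different file -> moved; anything else -> new.
  for (const f of pending) {
    const prev = baseline.find((b) => looseKey(b) === looseKey(f) && !matchedBase.has(exactKey(b)));
    if (prev) { result.moved.push({ ...f, previousLocation: prev.file }); matchedBase.add(exactKey(prev)); }
    else result.new.push(f);
  }
  result.resolved = baseline.filter((f) => !matchedBase.has(exactKey(f)));
  // New findings are listed critical -> info, as the output template requires.
  result.new.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
  return result;
}

function advisory(diff) {
  const critHigh = diff.new.filter((f) => f.severity === 'critical' || f.severity === 'high').length;
  if (critHigh > 0) return `Action required: ${critHigh} new critical/high findings since baseline.`;
  if (diff.resolved.length > diff.new.length) return 'Improving: more findings resolved than introduced.';
  if (diff.new.length > 0 && diff.resolved.length === 0) return `Regression: ${diff.new.length} new findings, none resolved.`;
  if (diff.new.length === 0 && diff.resolved.length === 0) return 'Stable: no changes since baseline.';
  // Assumed fallback for the case Step 4 does not cover (some new, some resolved, none critical/high).
  return `${diff.new.length} new, ${diff.resolved.length} resolved since baseline.`;
}

// Constructed sample data (scanner names and findings are illustrative, not from a real scan).
const SAMPLE_BASELINE = [
  { scanner: 'secrets', title: 'Hardcoded API key', file: 'src/config.js', severity: 'high' },
  { scanner: 'deps', title: 'Vulnerable lodash version', file: 'package.json', severity: 'medium' },
  { scanner: 'injection', title: 'SQL string concatenation', file: 'src/db.js', severity: 'critical' },
];
const SAMPLE_CURRENT = [
  { scanner: 'secrets', title: 'Hardcoded API key', file: 'src/settings.js', severity: 'high' }, // moved
  { scanner: 'deps', title: 'Vulnerable lodash version', file: 'package.json', severity: 'medium' }, // unchanged
  { scanner: 'xss', title: 'Unescaped output in template', file: 'views/home.ejs', severity: 'low' }, // new
];
const report = diffFindings(SAMPLE_BASELINE, SAMPLE_CURRENT);
console.log(JSON.stringify(report, null, 2), '\n' + advisory(report));
```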