Merged
4 changes: 2 additions & 2 deletions .github/workflows/check-dist.yml
Expand Up @@ -40,8 +40,8 @@ jobs:
- name: Compare the expected and actual dist/ directories
run: |
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
echo "Detected uncommitted changes after build. See status below:"
git diff
echo "Detected uncommitted changes after a rebuild. See changed files below:"
git diff --stat dist/
exit 1
fi
id: diff
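Review bot: replacing `git diff` with `git diff --stat dist/` in the failure branch means the CI log no longer shows what actually changed inside the rebuilt bundle, only which files and how many lines. Since this step is the guard against a hand-edited or stale `dist/index.js` diverging from `src/`, consider keeping the full diff reachable (for example as an uploaded artifact or behind a verbose step) so a reviewer can inspect an unexpected bundle change rather than only learn that one occurred. The comparison itself (`git diff --ignore-space-at-eol dist/ | wc -l`) is unchanged and still covers the whole `dist/` directory.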
20 changes: 10 additions & 10 deletions README.md
Expand Up @@ -150,29 +150,28 @@ The following input parameters are also supported for the Endor Labs GitHub acti
| `bazel_targets_query` | Specify a bazel query to determine with Bazel targets to scan. Ignored if `bazel_targets_include` is set. |
| `enable_pr_comments` | Set to `true` to publish new findings as review comments. Must be set together with `pr` and `github_token`. Additionally, the `pull-requests: write` permissions must be set in the workflow. (Default: `false`) |
| `export_scan_result_artifact` | Set to `false` to disable the json scan result artifact export. (Default: `true`). Artifact name appears in step output named `scan_result` |
| `github_token` | Set the token used to authenticate with GitHub. Must be provided if `enable_pr_comments` is set to `true` |
| `phantom_dependencies` | Set to `true` to enable phantom dependency analysis. (Default: `false`) |
| `github_token` | Set the token used to authenticate with GitHub. Must be provided if `enable_pr_comments` is set to `true`. |
| `image` | Specify a container image to scan. |
| `output_file` | Set a file to save the scan results to; use this in lieu of `export_scan_result_artifact` to save any scan results data to a file in the workspace for processing by others steps in the same job, instead of the workflow run log. |
| `phantom_dependencies` | Set to `true` to enable phantom dependency analysis. (Default: `false`) |
| `pr_baseline` | Set to the git reference that you are merging to, such as the default branch. Enables endorctl to compare findings so developers are only alerted to issues un the current changeset. Example: `pr_baseline: "main"`. Note: Not needed if `enable_pr_comments` is set to `true`. |
| `pr_incremental` | Set to `true` to only scan files, or packages with dependencies that have changed compared to the baseline scan. (Default: `false`) |
| `pr` | Set to `false` to track this scan as a monitored version within Endor Labs, as opposed to a point in time policy and finding test for a PR. (Default: `true`) |
| `project_name` | Specify a project name for a container image scan or for a package scan. |
| `run_stats` | Set to `false` to disable reporting of CPU/RAM/time scan statistics via `time -v` (may be required on Windows runners). (Default: `true`) |
| `sarif_file` | Set to a location on your GitHub runner to output the findings in SARIF format. |
| `scan_container` | Scan a specified container image. The image must be set with `image` and a project can be defined with `project_name`. (Default: `false`) |
| `scan_dependencies` | Scan git commits and generate findings for all dependencies. (Default: `true`) |
| `scan_git_logs` | Perform a more complete and detailed scan of secrets in the repository history. Must be used together with `scan_secrets`. (Default: `false`) |
| `scan_github_actions` | Scan source code repository for github actions used in workflow files to analyze vulnerabilities and malware. (Default: `false`) |
| `scan_package` | Scan a specified artifact or a package. The path to an artifact must be set with `scan_path`. (Default: `false`) |
| `scan_path` | Set the path to the directory to scan. (Default: `.`) |
| `scan_secrets` | Scan source code repository and generate findings for secrets. See also `scan_git_logs`. (Default: `false`) |
| `scan_sast` | Scan source code repository and generate SAST findings. (Default: `false`) |
| `scan_secrets` | Scan source code repository and generate findings for secrets. See also `scan_git_logs`. (Default: `false`) |
| `scan_summary_output_type` | Set the desired output format to `table`, `json`, `yaml`, or `summary`. (Default: `json`) |
| `scan_tools` | Scan source code repository for CI/CD tools. (Default: `false`) |
| `tags` | Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later. |
| `use-bazel` | Enable the usage of Bazel for the scan. (Default: `false`)|
| `scan_package` | Scan a specified artifact or a package. The path to an artifact must be set with `scan_path`. (Default: `false`)|
| `scan_container` | Scan a specified container image. The image must be set with `image` and a project can be defined with `project_name`. (Default: `false`)|
| `project_name` | Specify a project name for a container image scan or for a package scan.|
| `image` | Specify a container image to scan.|
| `disable_code_snippet_storage` | Set to `true` to disable storing or displaying of the source code snippet related to a finding. (Default: `false`) |

| `use-bazel` | Enable the usage of Bazel for the scan. (Default: `false`) |

### Environmental Variables

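Review bot: the `use-bazel` rows spell the input with a hyphen, while action.yml and the code in this PR read `core.getBooleanInput("use_bazel")`; the README should say `use_bazel`, otherwise a copied example silently sets an input the action never reads. In the same hunk, the new `pr_incremental` row omits the precondition that action.yml states for it ("The GitHub PR ID or PR baseline must be available"), the `pr_baseline` row still reads "un the current changeset" (should be "in"), and the `bazel_targets_query` row's "determine with Bazel targets" should be "which".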
Expand Down Expand Up @@ -266,6 +265,7 @@ jobs:
scan_dependencies: true
scan_secrets: true
pr: true
pr_incremental: true # Only scan baseline diff
scan_summary_output_type: "table"
tags: "actor=${{ github.actor }},run-id=${{ github.run_id }}"
```
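Review bot: the inline comment `# Only scan baseline diff` on the new `pr_incremental: true` line does not say where the baseline comes from. This example sets no `pr_baseline`, so it relies on the workflow being triggered by a pull request (the scan code falls back to the PR's base ref); a comment such as `# Scan only what changed relative to the PR base branch or pr_baseline` would save users who paste this block into a push-triggered workflow from hitting the "PR ID or PR baseline must be available" error.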
27 changes: 16 additions & 11 deletions action.yml
Expand Up @@ -36,7 +36,7 @@ inputs:
# Use this to enable PR comments from endorctl. This is only applicable when a workflow is triggered by a PR.
enable_pr_comments:
description: >-
"Set to `true` to publish new findings as review comments. Must be used together with `pr` and `github_token`.
"Set to `true` to publish new findings as review comments. Must be used together with `pr` and `github_token`.
Additionally, the `issues: write` and `pull-requests: write` permissions must be set in the workflow."
default: false
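Review bot: this hunk only strips trailing whitespace, but the description it touches still lists both `issues: write` and `pull-requests: write` as required permissions, while the README row for `enable_pr_comments` in this same PR lists only `pull-requests: write`. One of the two should be corrected so users grant the narrowest permission set that actually works; if `issues: write` is not needed for review comments, drop it here.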
# Use this to set the endorctl checksum.
Expand All @@ -47,7 +47,7 @@ inputs:
endorctl_version:
description: >-
"Set to a version of endorctl to pin this specific version for use. Defaults to the latest version."
# Use this to enable/disable the artifact export. Works only with "json" output type.
# Use this to enable/disable the artifact export. Works only with "json" output type.
# The artifact name will be "endor-scan" and the json output file name will be "result-<RUN_ID>.json"
export_scan_result_artifact:
description: >-
Expand All @@ -56,7 +56,7 @@ inputs:
# Use this to define your gcp service account.
gcp_service_account:
description: >-
"Set the target service account for GCP based authentication. GCP authentication is only enabled if this flag is set.
"Set the target service account for GCP based authentication. GCP authentication is only enabled if this flag is set.
Cannot be used with `api_key`."
# Use this to provide the github token for your repo.
github_token:
Expand Down Expand Up @@ -92,8 +92,13 @@ inputs:
# Note that the findings are still created, but they will not block the commit unless they are new.
pr_baseline:
description: >-
'Set the baseline branch to enable action policies to only act on new findings.
'Set the baseline branch to enable action policies to only act on new findings.
Must be used together with `pr` Example: `pr_baseline: "main"`.'
pr_incremental:
description: >-
"Set to `true` to only scan files, or packages with dependencies that have changed compared to the baseline scan.
The GitHub PR ID or PR baseline must be available in order to use this option."
default: false
# Use this to control if `time -v` wraps runs.
run_stats:
description: >-
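Review bot: the `pr_baseline` description still says "Must be used together with `pr`", but with this PR the scan code pushes `--pr=true` whenever `pr_baseline` is set, so the sentence is stale and should state the new behaviour (setting `pr_baseline` implies a PR scan). The new `pr_incremental` description could also mention that when neither `pr_baseline` nor PR comments are configured, the pull request's base branch is used as the baseline, since that is what the code does.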
Expand Down Expand Up @@ -133,7 +138,7 @@ inputs:
# Scan all commits for exposed secrets.
scan_git_logs:
description: >-
"Perform a more complete and detailed scan of secrets in the repository history.
"Perform a more complete and detailed scan of secrets in the repository history.
Must be used together with `scan_secrets`."
default: false
# Scan github action workflow files
Expand Down Expand Up @@ -176,14 +181,14 @@ inputs:
description: >-
"Enable the usage of Bazel for the scan."
bazel_exclude_targets:
description: >-
"Specify a a list of Bazel targets to exclude from scan."
description: >-
"Specify a a list of Bazel targets to exclude from scan."
bazel_include_targets:
description: >-
"Specify a list of Bazel targets to scan. If `bazel_targets_include` is not set the `bazel_targets_query` value is used to determine with bazel targets to scan."
description: >-
"Specify a list of Bazel targets to scan. If `bazel_targets_include` is not set the `bazel_targets_query` value is used to determine with bazel targets to scan."
bazel_targets_query:
description: >-
"Specify a Bazel query to determine with Bazel targets to scan. Ignored if `bazel_targets_include` is set."
description: >-
"Specify a Bazel query to determine with Bazel targets to scan. Ignored if `bazel_targets_include` is set."
# Scan for phantom dependencies
phantom_dependencies:
default: false
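Review bot: these are whitespace-only changes, but since the lines are being touched: "Specify a a list" has a doubled article, "determine with bazel targets" should read "which", and the `bazel_include_targets` and `bazel_targets_query` descriptions refer to `bazel_targets_include`, a name that matches neither the `bazel_include_targets` input defined here nor anything the README table defines. Aligning the name avoids users setting an input that is never read.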
34 changes: 18 additions & 16 deletions dist/index.js
Expand Up @@ -109824,11 +109824,12 @@ const constants_1 = __nccwpck_require__(69042);
const utils_1 = __nccwpck_require__(71314);
// Scan options
function get_scan_options(options) {
var _a;
var _a, _b;
const CI_RUN = core.getBooleanInput("ci_run"); // deprecated
const CI_RUN_TAGS = core.getInput("ci_run_tags"); // deprecated
const SCAN_PR = core.getBooleanInput("pr");
const SCAN_PR_BASELINE = core.getInput("pr_baseline");
const SCAN_PR_INCREMENTAL = core.getBooleanInput("pr_incremental");
const SCAN_TAGS = core.getInput("tags");
const SCAN_DEPENDENCIES = core.getBooleanInput("scan_dependencies");
const SCAN_TOOLS = core.getBooleanInput("scan_tools");
Expand All @@ -109849,6 +109850,7 @@ function get_scan_options(options) {
const ENABLE_PR_COMMENTS = core.getBooleanInput("enable_pr_comments");
const GITHUB_TOKEN = core.getInput("github_token");
const GITHUB_PR_ID = (_a = github.context.payload.pull_request) === null || _a === void 0 ? void 0 : _a.number;
const GITHUB_BASE_REF = (_b = github.context.payload.pull_request) === null || _b === void 0 ? void 0 : _b.base.ref;
const SCAN_GITHUB_ACTIONS = core.getBooleanInput("scan_github_actions");
const USE_BAZEL = core.getBooleanInput("use_bazel");
const BAZEL_EXCLUDE_TARGETS = core.getInput("bazel_exclude_targets");
Expand Down Expand Up @@ -109956,34 +109958,34 @@ function get_scan_options(options) {
}
}
if (ENABLE_PR_COMMENTS && GITHUB_PR_ID) {
if (!SCAN_PR) {
core.error("The `pr` option must be enabled for PR comments. Either set `pr: true` or disable PR comments");
}
else if (!CI_RUN) {
core.error("The `ci-run` option has been renamed to `pr` and must be enabled for PR comments. Remove the `ci-run` configuration or disable PR comments");
}
else if (!GITHUB_TOKEN) {
if (!GITHUB_TOKEN) {
core.error("`github_token` is required to enable PR comments");
}
else {
options.push(`--enable-pr-comments=true`, `--github-pr-id=${GITHUB_PR_ID}`, `--github-token=${GITHUB_TOKEN}`);
options.push(`--pr=true`, `--enable-pr-comments=true`, `--github-pr-id=${GITHUB_PR_ID}`, `--github-token=${GITHUB_TOKEN}`);
}
}
if (CI_RUN && SCAN_PR) {
// Both are enabled by default so only set this flag if neither option has been disabled
options.push(`--pr=true`);
}
if (SCAN_PR_BASELINE) {
if (!SCAN_PR) {
core.error("The `pr` option must also be enabled if `pr_baseline` is set. Either set `pr: true` or remove the PR baseline");
}
else if (!CI_RUN) {
core.error("The `ci-run` option has been renamed to `pr` and must be enabled if `pr_baseline` is set. Remove the `ci-run` configuration or the PR baseline");
if (SCAN_PR_INCREMENTAL) {
if (!GITHUB_PR_ID && !SCAN_PR_BASELINE) {
core.error("The GitHub PR ID or PR baseline must be available for `pr_incremental` to work");
}
else {
options.push(`--pr-baseline=${SCAN_PR_BASELINE}`);
options.push(`--pr=true`);
options.push(`--pr-incremental=true`);
if (!SCAN_PR_BASELINE && !ENABLE_PR_COMMENTS) {
// For backwards compatibility with older endorctl versions
options.push(`--pr-baseline=${GITHUB_BASE_REF}`);
}
}
}
if (SCAN_PR_BASELINE) {
options.push(`--pr=true`);
options.push(`--pr-baseline=${SCAN_PR_BASELINE}`);
}
// Deprecated
if (CI_RUN_TAGS) {
options.push(`--ci-run-tags=${CI_RUN_TAGS}`);
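Review bot: `dist/index.js` is the compiled bundle of `src/scan.ts` and this hunk mirrors the source change, so the logic comments belong on `src/scan.ts`; what matters here is that the bundle was produced by the build (the `check-dist` workflow touched in this PR verifies that) rather than edited by hand. One behavioural point is visible directly in the generated code: `--pr=true` can now be pushed up to four times in a single invocation (the `CI_RUN && SCAN_PR` block, the PR comments block, the incremental block and the baseline block), so either confirm endorctl tolerates repeated flags or collect the PR-related options once and push them in one place.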
2 changes: 1 addition & 1 deletion dist/index.js.map


34 changes: 17 additions & 17 deletions src/scan.ts
Expand Up @@ -17,6 +17,7 @@ function get_scan_options(options: any[]): void {
const CI_RUN_TAGS = core.getInput("ci_run_tags"); // deprecated
const SCAN_PR = core.getBooleanInput("pr");
const SCAN_PR_BASELINE = core.getInput("pr_baseline");
const SCAN_PR_INCREMENTAL = core.getBooleanInput("pr_incremental");
const SCAN_TAGS = core.getInput("tags");
const SCAN_DEPENDENCIES = core.getBooleanInput("scan_dependencies");
const SCAN_TOOLS = core.getBooleanInput("scan_tools");
Expand All @@ -40,6 +41,7 @@ function get_scan_options(options: any[]): void {
const ENABLE_PR_COMMENTS = core.getBooleanInput("enable_pr_comments");
const GITHUB_TOKEN = core.getInput("github_token");
const GITHUB_PR_ID = github.context.payload.pull_request?.number;
const GITHUB_BASE_REF = github.context.payload.pull_request?.base.ref;
const SCAN_GITHUB_ACTIONS = core.getBooleanInput("scan_github_actions");

const USE_BAZEL = core.getBooleanInput("use_bazel");
Expand Down Expand Up @@ -173,18 +175,11 @@ function get_scan_options(options: any[]): void {
}

if (ENABLE_PR_COMMENTS && GITHUB_PR_ID) {
if (!SCAN_PR) {
core.error(
"The `pr` option must be enabled for PR comments. Either set `pr: true` or disable PR comments"
);
} else if (!CI_RUN) {
core.error(
"The `ci-run` option has been renamed to `pr` and must be enabled for PR comments. Remove the `ci-run` configuration or disable PR comments"
);
} else if (!GITHUB_TOKEN) {
if (!GITHUB_TOKEN) {
core.error("`github_token` is required to enable PR comments");
} else {
options.push(
`--pr=true`,
`--enable-pr-comments=true`,
`--github-pr-id=${GITHUB_PR_ID}`,
`--github-token=${GITHUB_TOKEN}`
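Review bot: dropping the `!SCAN_PR` check and pushing `--pr=true` from inside the PR comments block turns what was a hard error into a silent override: a workflow that sets `pr: false` (documented in the README as "track this scan as a monitored version") together with `enable_pr_comments: true` is now scanned as a PR without any message. Keep at least a `core.warning` when `SCAN_PR` is false here so the user learns their `pr` setting was ignored. Unchanged but visible in this hunk: the GitHub token is still passed as a command-line argument (`--github-token=...`), which exposes it to anything that can read the runner's process list; an environment variable is the safer channel if endorctl accepts one.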
Expand All @@ -196,19 +191,24 @@ function get_scan_options(options: any[]): void {
// Both are enabled by default so only set this flag if neither option has been disabled
options.push(`--pr=true`);
}
if (SCAN_PR_BASELINE) {
if (!SCAN_PR) {
if (SCAN_PR_INCREMENTAL) {
if (!GITHUB_PR_ID && !SCAN_PR_BASELINE) {
core.error(
"The `pr` option must also be enabled if `pr_baseline` is set. Either set `pr: true` or remove the PR baseline"
);
} else if (!CI_RUN) {
core.error(
"The `ci-run` option has been renamed to `pr` and must be enabled if `pr_baseline` is set. Remove the `ci-run` configuration or the PR baseline"
"The GitHub PR ID or PR baseline must be available for `pr_incremental` to work"
);
} else {
options.push(`--pr-baseline=${SCAN_PR_BASELINE}`);
options.push(`--pr=true`);
options.push(`--pr-incremental=true`);
if (!SCAN_PR_BASELINE && !ENABLE_PR_COMMENTS) {
// For backwards compatibility with older endorctl versions
options.push(`--pr-baseline=${GITHUB_BASE_REF}`);
}
}
}
if (SCAN_PR_BASELINE) {
options.push(`--pr=true`);
options.push(`--pr-baseline=${SCAN_PR_BASELINE}`);
}

// Deprecated
if (CI_RUN_TAGS) {
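Review bot: the new `pr_incremental` block has a gap when `ENABLE_PR_COMMENTS` is true but `GITHUB_TOKEN` is empty: the earlier block only logs `core.error` and never pushes `--github-pr-id`, and this block then skips the `--pr-baseline=${GITHUB_BASE_REF}` fallback because `!ENABLE_PR_COMMENTS` is false, so endorctl receives `--pr-incremental=true` with neither a PR id nor a baseline, which is exactly the state the `core.error` at the top of the block tries to prevent. Making the fallback depend on whether `--github-pr-id` was actually pushed (a local boolean set in the PR comments block) rather than on `ENABLE_PR_COMMENTS` closes it. Two smaller points: `core.error` only annotates the log, so if an invalid combination is meant to stop the scan, `core.setFailed` or an early return is needed; and the `pr_baseline` block now forces `--pr=true` silently where the removed code reported a conflict with `pr: false`, so a warning there would be consistent with the old behaviour.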