
Feature Request: Add Diff-Aware Reporting for Pull Request Scans #137

@yogur

Description


Problem Description

Currently, when running KICS scans on pull requests, the action reports findings for all files across the entire repository, even when the PR only changes a small subset of files. This creates significant noise in PR reviews, making it difficult for developers to focus on security issues that are actually relevant to their changes.

For example, if a PR modifies 3 files but the repository contains 100+ files with existing security findings, the PR comments and annotations will show all findings from all 100+ files, overwhelming the reviewer with information that isn't related to the current changes.

Proposed Solution

Implement diff-aware reporting that filters KICS results to only include findings in:

  • Files that were modified in the pull request
  • Specific lines that were changed within those files

This would dramatically reduce noise and help developers focus on security issues introduced or affected by their specific changes.

Implementation Details

I've implemented this feature and would like to contribute it. The solution includes:

New Optional Parameter:

  • enable_diff_aware_reporting (Boolean, default: false)
  • Only activates when running in PR context
  • Fully backward compatible - existing workflows continue unchanged

Technical Approach:

  1. Uses GitHub API (octokit.rest.pulls.listFiles) to fetch changed files in the PR
  2. Parses Git patch strings to identify specific changed line numbers
  3. Filters KICS results to only include findings matching changed files/lines
  4. Recalculates severity counters and statistics for filtered results
  5. Passes filtered results to existing annotation and comment functions

Code Organization:

  • New src/filter.js module handles all diff-aware logic
  • Minimal changes to existing files
  • Clean separation of concerns following project conventions

Benefits

  • Reduced noise - PR reviews focus only on relevant security findings
  • Better developer experience - Faster PR reviews with actionable feedback
  • Backward compatible - Existing workflows unaffected
  • Optional - Teams can choose when to enable this feature
  • Accurate - Line-level precision ensures only truly relevant findings are shown

Usage Example

- name: Run KICS Scan with Diff-Aware Reporting
  uses: checkmarx/[email protected]
  with:
    path: 'src,terraform'
    token: ${{ secrets.GITHUB_TOKEN }}
    enable_comments: true
    enable_diff_aware_reporting: true  # New parameter

I have a working implementation that's been tested and is ready for contribution. Would you be interested in reviewing a pull request for this feature?
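Added example, not the issue author's implementation and not the action's own src/filter.js: a JavaScript sketch of steps 2 to 4 of the technical approach above (parse the patch strings into changed line numbers, filter KICS findings by file and line, recalculate the counters). It assumes the pull-request file list has the shape returned by octokit.rest.pulls.listFiles (objects with filename, status and an optional patch string) and that the KICS results object carries queries[].files[].file_name and .line plus severity_counters and total_counter; the sample PR files and scan results are constructed inline so it runs offline. It also covers one case the issue does not spell out: files for which the API returns no patch (binary or very large diffs) fall back to a file-level match rather than being silently dropped.

```javascript
// Diff-aware filtering of KICS results (added example; assumes the listFiles and
// KICS results.json shapes described in the lead-in, both labelled here as assumptions).

// Unified-diff hunk header; capture group 1 is the starting line on the new side.
const HUNK_HEADER = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/;

// Parse one patch string into the set of new-side line numbers that were added or
// modified. Context lines advance the counter, removed ('-') lines do not, and
// anything before the first hunk header (e.g. ---/+++ headers) is ignored.
function parsePatchChangedLines(patch) {
  const changed = new Set();
  let newLine = 0;
  let inHunk = false;
  for (const line of patch.split('\n')) {
    const m = HUNK_HEADER.exec(line);
    if (m) { newLine = Number(m[1]); inHunk = true; continue; }
    if (!inHunk || line === '' || line.startsWith('\\')) continue; // "\ No newline at end of file"
    if (line.startsWith('+')) { changed.add(newLine); newLine++; }
    else if (line.startsWith('-')) { /* old-side only: no new-side number */ }
    else { newLine++; } // context line
  }
  return changed;
}

// KICS may report paths with a leading "./" or "/"; normalise so they match PR filenames.
function normalizePath(p) {
  return p.replace(/^\.\//, '').replace(/^\/+/, '');
}

// Map normalised path -> Set of changed lines, or null when no patch is available
// (assumption: binary/oversized diffs come back without a patch field).
function buildChangedMap(prFiles) {
  const map = new Map();
  for (const f of prFiles) {
    if (f.status === 'removed') continue; // nothing exists on the new side to annotate
    map.set(normalizePath(f.filename), typeof f.patch === 'string' ? parsePatchChangedLines(f.patch) : null);
  }
  return map;
}

// Keep only findings in changed files (and, with lineLevel, on changed lines),
// then rebuild severity_counters and total_counter from what survived.
function filterKicsResults(results, prFiles, { lineLevel = true } = {}) {
  const changed = buildChangedMap(prFiles);
  const severityCounters = Object.fromEntries(
    Object.keys(results.severity_counters || {}).map((k) => [k, 0]));
  let total = 0;
  const queries = [];
  for (const q of results.queries) {
    const files = q.files.filter((f) => {
      const lines = changed.get(normalizePath(f.file_name));
      if (lines === undefined) return false;          // file not touched by the PR
      if (!lineLevel || lines === null) return true;  // file-level match
      return lines.has(f.line);                       // line-level match
    });
    if (files.length === 0) continue;
    queries.push({ ...q, files });
    severityCounters[q.severity] = (severityCounters[q.severity] || 0) + files.length;
    total += files.length;
  }
  return { ...results, queries, severity_counters: severityCounters, total_counter: total };
}

// Constructed sample inputs (not real API or scan output).
const SAMPLE_PR_FILES = [
  { filename: 'terraform/s3.tf', status: 'modified',
    patch: '@@ -1,4 +1,6 @@\n resource "aws_s3_bucket" "b" {\n   bucket = "x"\n+  acl    = "public-read"\n+  force_destroy = true\n }\n-# old\n+# new' },
  { filename: 'src/lambda.py', status: 'added' },                 // no patch: whole-file match
  { filename: 'README.md', status: 'removed', patch: '@@ -1 +0,0 @@\n-hi' },
];
const SAMPLE_RESULTS = {
  total_counter: 4,
  severity_counters: { HIGH: 2, MEDIUM: 1, LOW: 1 },
  queries: [
    { query_name: 'constructed query A', severity: 'HIGH',
      files: [{ file_name: 'terraform/s3.tf', line: 3 }, { file_name: 'terraform/other.tf', line: 3 }] },
    { query_name: 'constructed query B', severity: 'MEDIUM',
      files: [{ file_name: './src/lambda.py', line: 10 }] },
    { query_name: 'constructed query C (pre-existing)', severity: 'LOW',
      files: [{ file_name: 'terraform/s3.tf', line: 1 }] },
  ],
};

// Stand-alone run: changed lines in s3.tf are {3, 4, 6}; line-level filtering keeps
// 2 of the 4 findings (A on s3.tf:3 and B via the whole-file fallback).
const filtered = filterKicsResults(SAMPLE_RESULTS, SAMPLE_PR_FILES);
console.log(JSON.stringify({ total: filtered.total_counter, counters: filtered.severity_counters }));

module.exports = { parsePatchChangedLines, buildChangedMap, filterKicsResults, SAMPLE_PR_FILES, SAMPLE_RESULTS };
```

The line-level mode is what the issue proposes; passing `{ lineLevel: false }` gives the file-level variant, which also catches pre-existing findings in touched files (finding C above) at the cost of more noise. Since GitHub's annotation API needs a line on the new side of the diff, removed files are skipped entirely rather than matched.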
