
Scan Diff

Compare two scan results to track what changed. Catches ClickOps changes, manual console edits, and security regressions that IaC scanning misses.

Usage

cloud-audit diff yesterday.json today.json

Output

Score Change: 54 -> 68 (+14)

Fixed (2):
  CRITICAL  aws-iam-001     root               Root account without MFA
  HIGH      aws-vpc-002     sg-abc123          SG open on port 22

New (1):
  HIGH      aws-rds-001     staging-db         RDS publicly accessible

Unchanged (8): ...

Output Formats

cloud-audit diff old.json new.json                          # Terminal (Rich)
cloud-audit diff old.json new.json --format markdown        # Markdown
cloud-audit diff old.json new.json --format json            # JSON

Exit Codes

Code  Meaning
0     No new findings (no regression)
1     Regression detected (new findings appeared)
2     Error (bad file, incompatible scans)

CI/CD: Daily Drift Detection

Use the daily-scan-with-diff.yml workflow to run a daily scan, compare against yesterday's baseline, and get notified on regressions.

This is the most common CI/CD setup. It catches changes that terraform plan cannot see, because it scans the live AWS account rather than the code.

Scope Warnings

If two scans cover different regions or accounts, the diff command warns about scope mismatch before showing results.
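To make the semantics above concrete (which findings count as Fixed, New and Unchanged, how the score line and the exit codes are derived, and when a scope warning fires), here is a small stand-alone model of a scan diff. It is an added example written for this page, not cloud-audit's own source. The scan-file layout it reads (a top-level "scope" with account and regions, a numeric "score", and a "findings" list identified by check id plus resource) and the sample check aws-s3-001 are assumptions constructed for the example; the real file format may differ.

```python
"""Illustrative scan diff: two scan dicts in, {fixed, new, unchanged, score, warning} out."""
import json
import sys

EXIT_NO_REGRESSION, EXIT_REGRESSION, EXIT_ERROR = 0, 1, 2
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}


def finding(fid, resource, severity, title):
    return {"id": fid, "resource": resource, "severity": severity, "title": title}


# Constructed sample scans standing in for yesterday.json and today.json.
YESTERDAY = {
    "scope": {"account": "123456789012", "regions": ["us-east-1"]},
    "score": 54,
    "findings": [
        finding("aws-iam-001", "root", "CRITICAL", "Root account without MFA"),
        finding("aws-vpc-002", "sg-abc123", "HIGH", "SG open on port 22"),
        finding("aws-s3-001", "logs-bucket", "MEDIUM", "S3 bucket without versioning"),
    ],
}
TODAY = {
    "scope": {"account": "123456789012", "regions": ["us-east-1"]},
    "score": 68,
    "findings": [
        finding("aws-rds-001", "staging-db", "HIGH", "RDS publicly accessible"),
        finding("aws-s3-001", "logs-bucket", "MEDIUM", "S3 bucket without versioning"),
    ],
}


def finding_key(f):
    """Same check id on the same resource means the same finding across scans."""
    return (f["id"], f["resource"])


def by_severity(findings):
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["id"]))


def scope_warning(old, new):
    """A diff across different accounts or regions is misleading, so flag it up front."""
    if old["scope"]["account"] != new["scope"]["account"]:
        return "scope mismatch: scans cover different accounts"
    if set(old["scope"]["regions"]) != set(new["scope"]["regions"]):
        return "scope mismatch: scans cover different regions"
    return None


def diff_scans(old, new):
    old_map = {finding_key(f): f for f in old["findings"]}
    new_map = {finding_key(f): f for f in new["findings"]}
    return {
        "score_old": old["score"],
        "score_new": new["score"],
        "fixed": by_severity([old_map[k] for k in old_map.keys() - new_map.keys()]),
        "new": by_severity([new_map[k] for k in new_map.keys() - old_map.keys()]),
        "unchanged": by_severity([new_map[k] for k in new_map.keys() & old_map.keys()]),
        "warning": scope_warning(old, new),
    }


def exit_code(result):
    """Any newly appeared finding is a regression, even if the overall score went up."""
    return EXIT_REGRESSION if result["new"] else EXIT_NO_REGRESSION


def render(result):
    lines = ["WARNING: " + result["warning"]] if result["warning"] else []
    delta = result["score_new"] - result["score_old"]
    lines.append(f"Score Change: {result['score_old']} -> {result['score_new']} ({delta:+d})")
    for label in ("fixed", "new"):
        lines.append(f"\n{label.capitalize()} ({len(result[label])}):")
        for f in result[label]:
            lines.append(f"  {f['severity']:<9}{f['id']:<16}{f['resource']:<19}{f['title']}")
    lines.append(f"\nUnchanged ({len(result['unchanged'])}): ...")
    return "\n".join(lines)


def load_scan(path):
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)  # json.JSONDecodeError is a ValueError
    for key in ("scope", "score", "findings"):
        if key not in data:
            raise ValueError(f"{path}: missing '{key}'; not a compatible scan file")
    return data


def main(argv):
    """Diff two scan files; bad or incompatible input maps to exit code 2."""
    if len(argv) != 2:
        print("usage: diff_scans.py OLD.json NEW.json", file=sys.stderr)
        return EXIT_ERROR
    try:
        result = diff_scans(load_scan(argv[0]), load_scan(argv[1]))
    except (OSError, ValueError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return EXIT_ERROR
    print(render(result))
    return exit_code(result)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sys.exit(main(sys.argv[1:]))
    demo = diff_scans(YESTERDAY, TODAY)  # no files given: run on the constructed samples
    print(render(demo))
    sys.exit(exit_code(demo))
```

Run without arguments it reproduces the sample output from the Usage section and exits 1, since aws-rds-001 is new even though the score rose from 54 to 68; that is the property a CI job should gate on, not the score delta.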