
Scan Diff

Compare two scan results to track what changed. Catches ClickOps changes, manual console edits, and security regressions that IaC scanning misses.

Usage

```bash
cloud-audit diff yesterday.json today.json
```

Output

```
Score Change: 54 -> 68 (+14)

Fixed (2):
  CRITICAL  aws-iam-001  root        Root account without MFA
  HIGH      aws-vpc-002  sg-abc123   SG open on port 22

New (1):
  HIGH      aws-rds-001  staging-db  RDS publicly accessible

Unchanged (8): ...
```

Output Formats

```bash
cloud-audit diff old.json new.json                    # Terminal (Rich)
cloud-audit diff old.json new.json --format markdown  # Markdown
cloud-audit diff old.json new.json --format json      # JSON
```

Exit Codes

| Code | Meaning |
|------|---------|
| 0 | No new findings (no regressions) |
| 1 | Regression detected (new findings appeared) |
| 2 | Error (bad file, incompatible scans) |

CI/CD: Daily Drift Detection

Use the daily-scan-with-diff.yml workflow to run a daily scan, compare against yesterday's baseline, and get notified on regressions.

This is the most common CI/CD setup. It catches changes that Terraform plan cannot see, because the diff compares two scans of the live AWS account rather than the code.

Scope Warnings

If two scans cover different regions or accounts, the diff command warns about scope mismatch before showing results.
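The diff logic described on this page (fixed/new/unchanged findings, score change, the 0/1/2 exit codes and the scope-mismatch warning) in a small added Python example. It is not the cloud-audit project's own code: the page does not show the scan JSON schema, so the field names (`score`, `scope`, `findings`, `rule`, `resource`) and the rule-plus-resource identity key are assumptions, and the two scan documents are constructed samples.

```python
# Constructed sample scans: the page does not show the cloud-audit JSON schema, so these field names are assumptions.
YESTERDAY = {
    "score": 54,
    "scope": {"account": "111111111111", "regions": ["us-east-1"]},
    "findings": [
        {"rule": "aws-iam-001", "resource": "root", "severity": "CRITICAL", "title": "Root account without MFA"},
        {"rule": "aws-vpc-002", "resource": "sg-abc123", "severity": "HIGH", "title": "SG open on port 22"},
        {"rule": "aws-s3-003", "resource": "logs-bucket", "severity": "MEDIUM", "title": "Bucket versioning disabled"},
    ],
}
TODAY = {
    "score": 68,
    "scope": {"account": "111111111111", "regions": ["us-east-1"]},
    "findings": [
        {"rule": "aws-rds-001", "resource": "staging-db", "severity": "HIGH", "title": "RDS publicly accessible"},
        {"rule": "aws-s3-003", "resource": "logs-bucket", "severity": "MEDIUM", "title": "Bucket versioning disabled"},
    ],
}

def finding_key(finding):
    # A finding is the same finding across scans when rule id and resource match (assumed identity key).
    return (finding["rule"], finding["resource"])

def scope_warning(old, new):
    # Warn when the scans cover different accounts or regions; None when the scopes agree.
    if old["scope"]["account"] != new["scope"]["account"]:
        return "scope mismatch: account %s vs %s" % (old["scope"]["account"], new["scope"]["account"])
    if set(old["scope"]["regions"]) != set(new["scope"]["regions"]):
        return "scope mismatch: regions %s vs %s" % (sorted(old["scope"]["regions"]), sorted(new["scope"]["regions"]))
    return None

def diff_scans(old, new):
    # Classify findings as fixed (only in old), new (only in new) or unchanged (in both).
    old_by_key = {finding_key(f): f for f in old["findings"]}
    new_by_key = {finding_key(f): f for f in new["findings"]}
    return {
        "score_change": new["score"] - old["score"],
        "fixed": [f for k, f in old_by_key.items() if k not in new_by_key],
        "new": [f for k, f in new_by_key.items() if k not in old_by_key],
        "unchanged": [f for k, f in new_by_key.items() if k in old_by_key],
        "warning": scope_warning(old, new),
    }

def run_diff(old, new):
    # Returns (result, exit_code): 0 no regressions, 1 new findings appeared, 2 malformed/incompatible input.
    try:
        result = diff_scans(old, new)
    except (KeyError, TypeError):
        return None, 2
    return result, (1 if result["new"] else 0)
```

Running `run_diff(YESTERDAY, TODAY)` reproduces the page's sample: score +14, two fixed, one new, exit code 1.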