Scan-to-scan diff
see what changed between any two executions

Purpose. Findings present in scan B but absent in scan A. Treat as regressions or fresh detections that arrived after the previous execution against the same target.

What the record carries. Returned as an array of DiffFinding entries with the module key, the composite identity key (module::finding.id), and the full scanner-emitted finding payload. Each entry is annotated with its current override status read from scan_finding_overrides for the (workspace, finding_id, target) lookup.

Triage reading. A new finding annotated with a false_positive override means the previously verified suppression now applies to the recurrence; the triager confirms whether the underlying condition has materially changed before re-running the verification. A new finding without an override means a genuine arrival the team must triage from scratch.

Purpose. Findings present in scan A but absent in scan B. Treat as closures the scanner can no longer detect against the same target.

What the record carries. Returned with the same composite identity key and module reference as the new findings bucket so closures can be matched against the live record. Override annotations carry through so a previously accepted risk that no longer fires reads as a closure under accepted_risk rather than a silent disappearance.

Triage reading. A fixed finding annotated with an active accepted_risk override means the closure can be reconciled against the exception register; a fixed finding with no override is a clean closure that can advance the engagement record to the verified state. Closures without override context are still safe to mark as such, but the audit reads the trail more cleanly when the override status is recorded alongside.

Purpose. Findings present in both scans against the same target. The recurring-detection backbone of the diff: the active backlog the team has not yet acted on, and the exception register the team has accepted.

What the record carries. Returned with the same composite identity key so the recurring identity persists across cycles. Override status carries forward without manual re-application; severity_override findings continue to read against the workspace severity, accepted_risk findings continue to surface on the exception queue, false_positive findings continue to suppress from the active backlog.

Triage reading. A growing unchanged_findings bucket on a target with no closures and no exception register entries is the most reliable on-platform signal of a stalled remediation programme. The recurring-finding count reads against the open-finding state staleness research, the security debt economics, and the SLA breach aging distribution.

Every scanner-emitted finding lands in the diff under the composite key formed by the scanner module key and the finding identifier the module assigned. The same finding identifier from two different modules does not collide; the same finding identifier from the same module across two executions matches deterministically.

The diff does not hash the full scanner result and compare strings. It walks the modules object on scan A and scan B, walks the findings array under each module, and builds two maps keyed by module::finding.id. The match is structural rather than textual, so cosmetic changes to the scanner output (timestamp fields, ordering, run metadata) never produce phantom new findings.

Both scan A and scan B must reference the same target. The diff endpoint pulls the target from scan B and uses it for the override lookup; comparing scans across mismatched targets does not produce a defensible diff, so this is enforced as an operational expectation rather than an automatic cross-target merge.

Both scan executions must belong to the same workspace as the requesting user. The Supabase query joins scan_executions on workspace_id, so a scan from workspace A cannot be diffed against a scan from workspace B even with valid scan identifiers. Row-level security enforces the tenant boundary at the database rather than only in the application layer.

Because the composite key is deterministic, the same underlying issue retains the same identity on every subsequent scan against the target. The override register keys against the same finding_id and target tuple, so suppression and acceptance decisions travel with the recurring identity without manual re-application.

Compute the diff between two scan executions for the same target. Returns the three diff buckets (new_findings, fixed_findings, unchanged_findings), the module coverage deltas (modules_only_in_a, modules_only_in_b), the cardinality summary, and per-finding override annotations. Required query parameters: scan_a and scan_b. Returns 400 when either is missing, 401 when no session, 404 when either scan is not found in the requesting workspace, 500 on internal failure. RBAC-gated through the initiate_scan permission.

Choose the baseline scan and the comparison scan. Both executions must belong to the requesting workspace, and both must reference the same target. The diff endpoint pulls the target from scan B and uses it as the canonical target for the override lookup; the comparison is undefined for mismatched targets.

Pass the older scan as scan_a and the newer scan as scan_b in the query string. The endpoint returns the three diff buckets, the module coverage deltas, and the summary counters in one JSON payload. RBAC gates the call through the initiate_scan permission so the diff authority is an explicit team capability rather than an implicit privilege.

Every entry across new_findings, fixed_findings, and unchanged_findings carries an override field populated from scan_finding_overrides. A null override means no active suppression or acceptance for the (workspace, finding_id, target) tuple. A populated override means the existing decision applies to the recurrence and the triage queue can read the disposition without re-evaluating from scratch.

Check modules_only_in_a and modules_only_in_b before treating fixed_findings as remediation evidence. A finding that disappears because the module that detected it did not run in scan B is a coverage artifact rather than a closure. The platform surfaces the modules-only lists explicitly so the engagement record never carries a closure that the next analyst cannot defend.

The diff result reads against the engagement record alongside the underlying scan executions, the override register, and the activity log. The audit reconstructs the closure from the diff (what was fixed), the coverage deltas (which modules ran), the override register (which decisions persist), and the activity log (who triggered the diff and when).

A vulnerability management team runs weekly external scans against the production estate. Every Monday the team diffs the latest scan against the previous week to see what arrived, what closed, and what persists. The override annotation surfaces the previously accepted risks and the previously suppressed false positives so the recurring backlog reads cleanly against the active work; the module coverage delta surfaces any coverage drop that needs reconciling before the weekly leadership review.

An AppSec team runs authenticated scans before and after a major release. The pre-release scan is the baseline; the post-release scan is the comparison. The fixed_findings bucket reads as remediation evidence the release shipped; the new_findings bucket reads as regressions that landed alongside the release. The override annotations carry the previously accepted risks so the team distinguishes a real regression from a recurring exception that was already documented.

A GRC team preparing for ISO 27001 surveillance and SOC 2 fieldwork needs to demonstrate that the scanner-detected backlog is managed rather than left to accumulate. The diff result over time reads as an audit-defensible evidence chain: every closure is paired with the prior detection, every regression is paired with a triage record, every recurring exception is paired with the override register. The closure narrative reads against ISO 27001 Annex A.8.8, SOC 2 CC7.1 and CC7.2, and NIST SP 800-53 RA-5 and SI-2.

A security engineering team uses the diff endpoint to feed the developer queue: every new_findings entry annotated with no override becomes a ticket for the appropriate squad, every unchanged_findings entry that has aged past the SLA becomes an escalation, every fixed_findings entry that has an associated override is reconciled against the exception register. The diff is the operational anchor between the scanner output and the developer workflow without requiring a separate ingestion job.

A security operations team operates daily continuous monitoring schedules on the highest-value targets. The diff between successive daily executions reads as the trend signal: a positive new_findings count is a regression alert, a sustained unchanged_findings count is a stalled remediation signal, a coverage delta in modules_only_in_a is a module-failure alert. The team reads the trend off the diff rather than reconstructing it from raw scan outputs.