Skip to main content

Incremental Scans (SAST Scanner)

Definition

Notice

Incremental scans are relevant only for SAST scan type.

An incremental scan is a mechanism to scan a small portion of code in order to deliver fast results. This mechanism scans only the code that was changed from the last full scan and any code that is close to it (this is called "closure").

If an incremental scan is run, but more than 7% of the project’s files that have changed since the last full scan, a full scan is run instead.

Notice

With every incremental scan, the changes from the last full scan are accumulated.

How does it work?

The results of every incremental scan are merged with the results of its base full scan to provide a complete result set for the whole code. To understand the merge, we need to understand the different types of results. In the diagram below, only the "Changed files" and the "Closure files" are scanned by the incremental scan.

Each black line represents one result, flowing through several nodes:

6405128331.png
  • A – All of the result nodes are inside the changed files. New results like this returned from an incremental scan are “good results” that the incremental scan is expected to find.

  • B – All of the result nodes are inside the closure files. New results like this returned from an incremental scan are “bad results”, because these files weren’t changed so there cannot be a new result here. These results types are removed because they are filtered in the incremental scan and the remaining results are those that at least one of their nodes are inside the changed files (A, D).

  • C – All of the result nodes are outside the closure files. These cannot be found by the incremental scan because these files are not scanned. Results from the last full scan are merged with the incremental scan results and shown as “recurrent”.

  • D – The result nodes are inside both the changed files and the closure files. New results like these are returned from an incremental scan are “good results” that the incremental scan is expected to find.

  • E – The result nodes are both inside and outside the closure files. These kind of result cannot be found by the incremental scan because some of the result files are not scanned. Results from the last full scan are merged with the incremental scan results and shown as “recurrent”.

  • F - The result nodes are inside the changed files, inside the closure files, and also outside the closure files. This kind of result cannot be found by the incremental scan because some of the result files are not scanned. Results from the last full scan are merged with the incremental scan results and shown as “recurrent”.