### What happened?

**Context**

We are using the Checkmarx AST Azure DevOps plugin to run PR scans. Our goal is to optimise PR scans by scanning only the files changed in the PR instead of the entire codebase.
**Expected Behaviour**

- When using `--file-include` and/or `--file-filter`, the scan should only include the specified files or exclude the specified patterns.
**Actual Behaviour**

`--file-filter` and `--file-include` do not behave as expected:
- Sometimes all files are scanned, ignoring the include list.
- Sometimes everything is excluded, resulting in no findings.
**Pipeline Snippet**

```yaml
additionalParams: '--debug --scan-types sast --sast-incremental --file-include "src/HomeController.cs,src/LogController.cs" --file-filter "**"'
```
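Added example (not part of this issue and not code from the Checkmarx plugin): a small shell helper that builds the `--file-include` value from the list of files changed in a PR, so the include list is generated rather than hard-coded in `additionalParams`. It assumes the list of changed paths arrives on stdin (in a pipeline this would be the output of `git diff --name-only --diff-filter=ACMR <base>...HEAD`, which excludes deleted files), that only a known set of extensions is worth scanning (`cs` by default, an assumption), and that an empty list means the step should fall back to a normal scan instead of passing an empty include list, which is the "everything excluded, no findings" failure described above. It makes no assumption about how `--file-filter "**"` is interpreted.

```shell
#!/bin/sh
# Hypothetical helper, not part of the Checkmarx AST plugin.
# build_file_include: read newline-separated changed paths on stdin and
# print a comma-separated, de-duplicated list of scannable files.
#   $1: comma-separated list of extensions to keep (default "cs", an assumption).
build_file_include() {
  exts="${1:-cs}"
  awk -v exts="$exts" '
    BEGIN {
      n = split(exts, e, ",")
      for (i = 1; i <= n; i++) keep["." e[i]] = 1
    }
    NF == 0 { next }                       # skip blank lines
    {
      path = $0
      m = match(path, /\.[^./]+$/)         # position of the final extension
      ext = (m ? substr(path, m) : "")
      if (!(ext in keep)) next             # not a scannable source file
      if (path in seen) next               # same path listed twice (e.g. renamed + modified)
      seen[path] = 1
      out = (out == "" ? path : out "," path)
    }
    END { print out }'
}

# file_include_flag: print the ready-to-use flag, or nothing when no scannable
# file changed. The caller should treat empty output as "run the scan without
# --file-include" rather than passing an empty include list.
file_include_flag() {
  list=$(build_file_include "$1")
  if [ -n "$list" ]; then
    printf '%s "%s"' '--file-include' "$list"
  fi
}

# Usage in a pipeline step (constructed, illustrative):
#   INCLUDE=$(git diff --name-only --diff-filter=ACMR "origin/$BASE...HEAD" | file_include_flag "cs")
#   additionalParams: "--scan-types sast --sast-incremental $INCLUDE"
```

The helper only decides which files to name; whether the plugin honours the list is the question this issue raises, so the fallback to a full scan on empty output is deliberate.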
**Additional Clarifications**

1. Are we using `--file-include` and `--file-filter` correctly according to the plugin's expected behaviour?
2. For incremental scans, is there any way to pass `baseBranch` (e.g., `develop`) via the plugin?
3. Is it correct that the first scan on a new branch will always be a full scan unless the plugin supports linking to a base branch? If so, what is the recommended approach to reduce that initial scan time?
Thanks in advance for your support!
### Version
2.0.39
### Operating System & Version
Windows 10
### Specify Other OS Version
_No response_
### Relevant log output