
Scan only the files modified in a PR with checkov, not all of them #7116

@bdovaz


Is your feature request related to a problem? Please describe.

Right now, I see that it always scans the entire repository regardless of whether it is a PR or not.

Describe the solution you'd like

We should only scan files that have changed.

I see that some people are already asking:
bridgecrewio/checkov#6777

It seems that with -f / --file you can pass N files: https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html

I suppose, @nvuillam, that it would be a matter of creating a class for this linter, which doesn't have one:

And handle the specific case with utils.is_pr() and use this -f / --file with linter.files.

cc @echoix

Describe alternatives you've considered

Scan the entire repository even if only one file has been changed in a PR, with the performance issues that this entails.

Additional context
Add any other context or screenshots about the feature request here.
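As an added illustration of the proposed behaviour (this is example code, not MegaLinter's or checkov's own), the function below builds the checkov argument list from a PR flag and the list of changed files, emitting one `-f` per relevant file on a PR and a full `-d` scan otherwise. The `is_pr` flag, the file list, and the suffix table are assumptions standing in for `utils.is_pr()`, `linter.files` and checkov's own file detection.

```python
from typing import Iterable, List

# Constructed list of suffixes/basenames checkov is expected to scan;
# this is an assumption for the example, not checkov's detection logic.
CHECKOV_SUFFIXES = (".tf", ".tf.json", ".yml", ".yaml", ".json", ".bicep")
DOCKERFILE_PREFIX = "Dockerfile"


def checkov_candidates(files: Iterable[str]) -> List[str]:
    """Keep only changed files checkov would inspect, in order, without duplicates."""
    seen = set()
    out: List[str] = []
    for path in files:
        if path in seen:
            continue
        name = path.rsplit("/", 1)[-1]
        if path.endswith(CHECKOV_SUFFIXES) or name.startswith(DOCKERFILE_PREFIX):
            seen.add(path)
            out.append(path)
    return out


def build_checkov_command(is_pr: bool, files: Iterable[str], repo_dir: str = ".") -> List[str]:
    """Return argv for checkov.

    On a PR: one -f per changed file checkov can scan (the --file form from the
    checkov CLI reference). Off a PR: a whole-repository -d scan. Returns [] when
    the PR touched nothing checkov handles, so the caller can skip the run
    explicitly instead of silently falling back to a full scan.
    """
    argv = ["checkov"]
    if not is_pr:
        return argv + ["-d", repo_dir]
    targets = checkov_candidates(files)
    if not targets:
        return []
    for path in targets:
        argv += ["-f", path]
    return argv
```

One caveat for whoever implements this: a per-file scan loses cross-file context (a Terraform resource whose variables or modules live in an untouched file), so a scheduled full `-d` scan on the default branch should stay in place alongside the PR-scoped one.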
