PR Scan - Option to scan only changed files in SAST

[attiasas]

feat(sast): add changed-files-only mode for PR SAST scans

Depends on:

• Fast sast mode using changed files jfrog-cli-security#739
• Add root dir to determine paths for sast changed files jfrog-cli-security#743
• Add Changed files to GitInfoContext jfrog-client-go#1337

Description

This PR adds support for scanning only changed files in SAST mode for pull requests.
Reduces scan scope to modified files, improving performance and shortening Frogbot PR scan times, especially in large repositories.

It threads a new sastChangedFilesOnly configuration flag from schema or env (JF_SAST_CHANGED_FILES_MODE=true ) parsing into scan execution and enriches PR Git context with modified-file data so the scanner can scope analysis to the PR diff.

Changes

• Added new config option sastChangedFilesOnly to schema and scan params parsing (schema/frogbot-schema.json, utils/params.go).
• Added env var support via JF_SAST_CHANGED_FILES_MODE and corresponding constant (utils/consts.go, utils/params.go).
• Passed the new flag into scan details and audit execution (scanpullrequest/scanpullrequest.go, utils/scandetails.go).
• Added SetSastChangedFilesOnly to ScanDetails and wired audit params with SetSastChangedFilesMode(...).
• Enhanced PR Git context creation to fetch and populate modified files (GetModifiedFiles) into ChangedFiles, while tolerating provider errors (utils/scandetails.go).
• Updated tests to cover env parsing, changed-files context population, and error handling (utils/params_test.go, utils/scandetails_test.go, scanpullrequest/scanallpullrequests_test.go).
• Updated dependencies in go.mod/go.sum (including jfrog-client-go bump and jfrog-cli-security replace to forked revision).

Testing

• Added/updated unit tests for:
  • sastChangedFilesOnly env/default precedence.
  • PR Git context changed-files population.
  • Graceful handling when GetModifiedFiles fails.

[github-actions]

---

🐸 JFrog Frogbot