From bb088b768935f04a36df58749411b5f26aebf843 Mon Sep 17 00:00:00 2001 From: Antony Chiu Date: Mon, 25 May 2026 11:38:04 -0600 Subject: [PATCH 1/3] feat: support scan-and-fix mode and diff-aware scanning Make report-file optional so users can run Mobb's native scan-and-fix mode (internal opengrep scan). Add a new diff-aware input that, when true on a pull_request event, passes the PR base SHA to the CLI as --baseline-commit for diff-aware scanning. README updated with a scan-and-fix example workflow. --- README.md | 50 +++++++++++++++++++++++++++++++++++++++++++++++++- action.yml | 31 +++++++++++++++++++++++++++---- 2 files changed, 76 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 1f36e13..b764acc 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,16 @@ This action posts the code and a SAST report to the Mobb vulnerability analysis engine and links the URL of the fix report to the PR. If you are using this on a private repo then the Mobb user the API key belongs to must have access to the repo and must approve github access for the user on the Mobb platform beforehand. +The action supports two modes: + +- **Fix-only mode (default)**: provide an existing SAST report via `report-file` and Mobb generates fixes for the findings. +- **Scan-and-fix mode**: omit `report-file` and the Mobb CLI runs its own SAST scan (powered by opengrep) before producing fixes. Combine with `diff-aware: true` on pull requests to limit the scan to changes since the PR base commit. + ## Inputs ## `report-file` -**Required** The full path of the SAST report file. +**Optional** The full path of the SAST report file. Omitting this input switches the action into **scan-and-fix mode**: the Mobb CLI performs its own internal SAST scan (via opengrep) instead of consuming an external report. ## `api-key` 
@@ -32,6 +37,10 @@ This action posts the code and a SAST report to the Mobb vulnerability analysis **Optional** The Organization ID to use with the Mobb platform. If not specified, the default organization will be used. +## `diff-aware` + +**Optional** `true` or `false` (default `false`). Part of Mobb's scan-and-fix mode (enabled by omitting `report-file`). When set to `true` and the workflow is triggered by a `pull_request` event, Mobb performs a diff-aware scan limited to changes since the PR base SHA (passed to the CLI as `--baseline-commit`). Has no effect outside a pull request context. + ## Outputs @@ -41,6 +50,45 @@ The Mobb fix report URL. ## Example usage +### Scan-and-fix mode with diff-aware scanning (no external SAST tool required) + +```yaml +# Mobb runs its own SAST scan on the PR diff and opens fix PRs automatically. + +name: Mobb Scan-and-Fix + +on: + pull_request: + branches: + - main + +jobs: + scan-and-fix: + runs-on: ubuntu-latest + permissions: + pull-requests: write + statuses: write + contents: read + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Mobb scan-and-fix + uses: mobb-dev/action@v1 + with: + # report-file intentionally omitted -> enables scan-and-fix mode + api-key: ${{ secrets.MOBB_API_TOKEN }} + github-token: ${{ secrets.GITHUB_TOKEN }} + diff-aware: true + auto-pr: true +``` + +> Note: `diff-aware: true` requires a `pull_request` (or `pull_request_target`) trigger so the action can read `github.event.pull_request.base.sha`. On other event types the flag is silently ignored and Mobb falls back to a full scan. + +### Fix-only mode with an existing SAST report (Checkmarx) + ``` # This example utilizes Mobb with Checkmarx via GitHub Actions diff --git a/action.yml b/action.yml index 9585798..04b4689 100644 --- a/action.yml +++ b/action.yml 
@@ -5,8 +5,8 @@ branding: color: blue inputs: report-file: - description: "Path to SAST report file" - required: true + description: "Path to SAST report file. Omitting this input enables Mobb's scan-and-fix mode: the Mobb CLI performs its own internal SAST scan (via opengrep) instead of consuming an external report." + required: false api-key: description: "Mobb API key" required: true @@ -25,6 +25,10 @@ inputs: organization-id: description: "Organization ID" required: false + diff-aware: + description: "Part of Mobb's scan-and-fix mode (enabled by omitting report-file). When true and the workflow is triggered by a pull_request event, Mobb performs a diff-aware scan limited to changes since the PR base SHA (passed as --baseline-commit). Has no effect outside PR context. Defaults to false." + required: false + default: "false" outputs: fix-report-url: @@ -42,8 +46,16 @@ runs: REPO=${REPO%".git"} BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}} - MobbExecString="npx --yes mobbdev@latest analyze --ci -r $REPO --ref $BRANCH --api-key ${{ inputs.api-key }} -f ${{ inputs.report-file }}" - + MobbExecString="npx --yes mobbdev@latest analyze --ci -r $REPO --ref $BRANCH --api-key ${{ inputs.api-key }}" + + # Append -f only if a report file was provided. When omitted, Mobb runs in scan-and-fix mode (internal opengrep scan). + if [ -n "${{ inputs.report-file }}" ]; then + echo "report-file specified: ${{ inputs.report-file }}" + MobbExecString+=" -f ${{ inputs.report-file }}" + else + echo "No report-file provided. Running in scan-and-fix mode (Mobb CLI will perform internal SAST scan)." + fi + # Check if mobb-project-name exists and append it if [ -n "${{ inputs.mobb-project-name }}" ]; then echo "mobb-project-name specified: ${{ inputs.mobb-project-name }}" 
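Review bot: The new `diff-aware` description is written as one very long single-line scalar, which is hard to read and to diff in the `inputs:` block; the same text as a folded block scalar, `description: >-` followed by the sentences wrapped at normal width, yields the identical string and reads as prose. The rewritten `report-file` description in the preceding hunk has the same shape and would benefit from the same treatment. Since action inputs are always strings, `default: "false"` here and the `== "true"` comparison in the later hunk are consistent with each other.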
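Review bot: `MobbExecString+=" -f ${{ inputs.report-file }}"` inlines the input into a string that the step later runs through `eval $MobbExecString` (visible in the next hunk), so a path containing spaces, quotes or shell metacharacters is word-split or interpreted instead of being passed as one argument, and `[ -n "${{ inputs.report-file }}" ]` breaks the same way on an embedded double quote. The established mitigation for `${{ }}` expansion inside `run:` is to map the value to a step environment variable (`env: REPORT_FILE: ${{ inputs.report-file }}`) and reference `"$REPORT_FILE"` in the script; with `eval` in play the appended token still needs its own quotes, e.g. `MobbExecString+=" -f \"$REPORT_FILE\""`. The inputs come from the calling workflow rather than from a PR author, so this is mostly a robustness issue, but it is the recommended pattern for every `inputs.*` reference in this script. The `run:` script enclosing this hunk starts before it and continues after it.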
@@ -77,6 +89,17 @@ runs: fi fi + # When diff-aware scan-and-fix is enabled and we are in a PR context, point --baseline-commit at the PR base SHA. + if [ "${{ inputs.diff-aware }}" == "true" ]; then + BASELINE_SHA="${{ github.event.pull_request.base.sha }}" + if [ -n "$BASELINE_SHA" ]; then + echo "diff-aware enabled, using baseline commit: $BASELINE_SHA" + MobbExecString+=" --baseline-commit $BASELINE_SHA" + else + echo "diff-aware enabled but no pull_request context detected; skipping --baseline-commit." + fi + fi + # Output the final command string for debugging and execute it echo "Mobb Command: $MobbExecString" OUT=$(eval $MobbExecString) From a2aea9895a46a1389dc48f9b0fe2e7fe31c3875c Mon Sep 17 00:00:00 2001 From: Antony Chiu Date: Mon, 25 May 2026 11:42:14 -0600 Subject: [PATCH 2/3] Update README.md --- README.md | 74 +++++++++++++++++++++++++++---------------------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index b764acc..06ae873 100644 --- a/README.md +++ b/README.md 
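Review bot: The new `--baseline-commit $BASELINE_SHA` branch assumes the PR base commit is reachable from the checkout, but the README example added in this same patch uses `actions/checkout@v4` with its default shallow fetch, so if the CLI resolves the baseline locally (not confirmable from here) the diff-aware path would fail or fall back to a full scan on exactly the documented setup; either show `fetch-depth: 0` next to `diff-aware: true` or state the requirement in the `diff-aware` input description. That description should also say the baseline is taken from `github.event.pull_request.base.sha`, and the README's acceptance of `pull_request_target` deserves a caveat there, because that trigger runs this step with the repository's `api-key` secret against whatever ref the workflow checked out. A smaller robustness point: `BASELINE_SHA` is embedded unquoted into the string consumed by `eval $MobbExecString`; it is a hex SHA from the event payload, so the risk is low, but passing it through `env:` and appending `\"$BASELINE_SHA\"` keeps it consistent with how the other inputs should be handled. The enclosing `run:` script starts before this hunk and ends after it.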
@@ -50,43 +50,6 @@ The Mobb fix report URL. ## Example usage -### Scan-and-fix mode with diff-aware scanning (no external SAST tool required) - -```yaml -# Mobb runs its own SAST scan on the PR diff and opens fix PRs automatically. - -name: Mobb Scan-and-Fix - -on: - pull_request: - branches: - - main - -jobs: - scan-and-fix: - runs-on: ubuntu-latest - permissions: - pull-requests: write - statuses: write - contents: read - steps: - - name: Checkout repo - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Mobb scan-and-fix - uses: mobb-dev/action@v1 - with: - # report-file intentionally omitted -> enables scan-and-fix mode - api-key: ${{ secrets.MOBB_API_TOKEN }} - github-token: ${{ secrets.GITHUB_TOKEN }} - diff-aware: true - auto-pr: true -``` - -> Note: `diff-aware: true` requires a `pull_request` (or `pull_request_target`) trigger so the action can read `github.event.pull_request.base.sha`. On other event types the flag is silently ignored and Mobb falls back to a full scan. - ### Fix-only mode with an existing SAST report (Checkmarx) ``` 
@@ -130,3 +93,40 @@ jobs: api-key: ${{ secrets.MOBB_API_TOKEN }} github-token: ${{ secrets.GITHUB_TOKEN }} ``` +### Scan-and-fix mode with diff-aware scanning (no external SAST tool required) + +```yaml +# Mobb runs its own SAST scan on the PR diff and opens fix PRs automatically. + +name: Mobb Scan-and-Fix + +on: + pull_request: + branches: + - main + +jobs: + scan-and-fix: + runs-on: ubuntu-latest + permissions: + pull-requests: write + statuses: write + contents: read + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Mobb scan-and-fix + uses: mobb-dev/action@v1 + with: + # report-file intentionally omitted -> enables scan-and-fix mode + api-key: ${{ secrets.MOBB_API_TOKEN }} + github-token: ${{ secrets.GITHUB_TOKEN }} + diff-aware: true + auto-pr: true + auto-commit: true +``` + +> Note: `diff-aware: true` requires a `pull_request` (or `pull_request_target`) trigger so the action can read `github.event.pull_request.base.sha`. On other event types the flag is silently ignored and Mobb falls back to a full scan. From 5d22ec4ba9e28c32dee55413f4c95a8a69497658 Mon Sep 17 00:00:00 2001 From: Antony Chiu Date: Mon, 25 May 2026 11:42:51 -0600 Subject: [PATCH 3/3] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 06ae873..6f867eb 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ The Mobb fix report URL. ### Fix-only mode with an existing SAST report (Checkmarx) -``` +```yaml # This example utilizes Mobb with Checkmarx via GitHub Actions on: [pull_request]