glas-cpp: enhance the cpp engine for diff-based scanning

Problem to solve

We need to enhance the gitlab-advanced-sast-cpp analyzer to support diff-based scanning, similar to what was implemented in GLAS under the epic MVC: Enable Diff-Based Scanning in MRs for Fast... (&17758 - closed, milestone 18.5). This issue focuses solely on the analyzer logic. It does NOT include changes to the Rails backend or frontend.

Implementation plan

(TBC)

  • Check feature flag / environment variable
    Add logic in the analyzer to detect whether the ADVANCED_SAST_PARTIAL_SCAN variable is set
  • Retrieve changed files
    Use git diff to collect the list of added or modified files between CI_MERGE_REQUEST_DIFF_BASE_SHA and CI_COMMIT_SHA
  • Generate and filter targets
    Restrict analysis to the files returned by git diff, ensuring the paths match those expected by the scanning engine
  • Update analyzer output
    Format the results to conform to the diff-based scanning schema so they integrate correctly with the existing Advanced SAST
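As an added example (not the analyzer's own code), the steps above put together in Python: read the ADVANCED_SAST_PARTIAL_SCAN flag, build the `git diff` call between CI_MERGE_REQUEST_DIFF_BASE_SHA and CI_COMMIT_SHA, parse its NUL-separated `--name-status` output (renames and deletions included), and keep only C/C++ paths. The extension list, the truthy spellings and the sample diff output are assumptions; the `run` parameter exists so the git call can be replaced in tests.

```python
import os
import subprocess
from typing import Iterable, Optional

# Assumed set of extensions the cpp engine accepts as targets.
CPP_EXTENSIONS = (".c", ".cc", ".cpp", ".cxx", ".h", ".hh", ".hpp", ".hxx")

# Constructed `git diff --name-status -z` output: add, modify, delete, rename
# (with old and new path), and a non-C++ file that must be filtered out.
SAMPLE_DIFF = (b"A\0src/new.cpp\0M\0src/util.c\0D\0src/old.cc\0"
               b"R090\0inc/a.hpp\0inc/b.hpp\0M\0README.md\0")


def partial_scan_enabled(env: dict) -> bool:
    # CI variables are strings; accept the common truthy spellings (assumed).
    return env.get("ADVANCED_SAST_PARTIAL_SCAN", "").strip().lower() in {"1", "true", "yes"}


def git_diff_command(env: dict) -> list:
    base, head = env["CI_MERGE_REQUEST_DIFF_BASE_SHA"], env["CI_COMMIT_SHA"]
    # --diff-filter=AMR: added, modified, renamed; deleted files have nothing to scan.
    # -z: NUL separators, so paths containing tabs or newlines parse safely.
    return ["git", "diff", "--name-status", "--diff-filter=AMR", "-z", base, head]


def parse_name_status_z(output: bytes) -> list:
    """Return the new-side paths from `git diff --name-status -z` output."""
    fields = output.decode("utf-8", "surrogateescape").split("\0")
    paths, i = [], 0
    while i < len(fields) and fields[i]:
        status = fields[i][0]
        if status in "RC":      # rename/copy: status, old path, new path
            paths.append(fields[i + 2]); i += 3
        elif status == "D":     # deletion: skip the path
            i += 2
        else:                   # A / M: status, path
            paths.append(fields[i + 1]); i += 2
    return paths


def select_targets(changed: Iterable[str], extensions=CPP_EXTENSIONS) -> list:
    # Normalise to repo-relative POSIX paths so they match the engine's target list.
    return sorted({os.path.normpath(p).replace(os.sep, "/")
                   for p in changed if p.lower().endswith(extensions)})


def changed_cpp_targets(env: dict, run=subprocess.run) -> Optional[list]:
    """None means the flag is off and a full scan should run; else the target list."""
    if not partial_scan_enabled(env):
        return None
    out = run(git_diff_command(env), check=True, capture_output=True).stdout
    return select_targets(parse_name_status_z(out))
```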

References

We can reuse the ideas and implementation approach from https://gitlab.com/gitlab-org/gitlab/-/issues/540580.

Edited by Hua Yan