From bc1b2f21e5ce643495cdffd7e4f8fa6ec182d0f9 Mon Sep 17 00:00:00 2001
From: Jeremy Dubreil
Date: Fri, 22 May 2026 14:27:43 +0200
Subject: [PATCH] feat(COD-7079): skip the IaC scan when no IaC-related files are modified

---
 src/index.ts | 10 +++++++++-
 src/util.ts | 30 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/src/index.ts b/src/index.ts
index c34d2050..d12f996d 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -14,12 +14,13 @@ import {
   getModifiedFiles,
   getOptionalEnvVariable,
   readMarkdownFile,
+  shouldRunIaCScanner,
 } from './util'
 import { simpleGit } from 'simple-git'
 
 // Global scanner toggles - set to false to disable a scanner globally
 const enableScaRunning = true
-const enableIacRunning = true
+let enableIacRunning = false
 
 async function runAnalysis() {
   const target = getInput('target')
@@ -53,6 +54,13 @@ async function runAnalysis() {
     }
   }
 
+  // Skip the IaC scan if there no IaC-related files have been modified in the PR
+  if (modifiedFiles && target == 'new') {
+    if (shouldRunIaCScanner(modifiedFiles)) {
+      enableIacRunning = true
+    }
+  }
+
   // Create scan-results directory
   const resultsPath = path.join(process.cwd(), 'scan-results')
 
diff --git a/src/util.ts b/src/util.ts
index 6ea5589a..3fc1bb5f 100644
--- a/src/util.ts
+++ b/src/util.ts
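Review bot: `let enableIacRunning = false` turns what the comment above it still calls a global on/off toggle into a default-off state, so every path that does not pass through the new PR-only check in runAnalysis — a `target` other than `'new'`, or `getModifiedFiles()` returning undefined — now never runs the IaC scanner at all. That is a silent detection regression on full scans rather than the PR-only optimisation the subject describes. I would keep the kill switch as `const enableIacRunning = true` and let runAnalysis derive a per-run decision, e.g. `const runIac = enableIacRunning && !(target === 'new' && modifiedFiles !== undefined && !shouldRunIaCScanner(modifiedFiles))`, using `runIac` where the old flag was consumed. If default-off is intended, the toggle comment must say so: `// IaC scanning is off by default and enabled per run by shouldRunIaCScanner()`. runAnalysis begins in this hunk and continues outside it.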
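Review bot: The guard `if (modifiedFiles && target == 'new')` can only ever switch the scanner on, so combined with the module-level default of `false` a full scan (`target !== 'new'`) or a PR whose modified-file list is unavailable skips IaC scanning silently instead of falling back to scanning everything — the skip fails open for the attacker, not closed. Invert it so the scan is dropped only when the change set is known and contains no IaC candidates: `if (target === 'new' && modifiedFiles !== undefined && !shouldRunIaCScanner(modifiedFiles)) { enableIacRunning = false }`, with the module default restored to `true`; that also replaces the loose `==` the rest of the file's strict style should not accept. Log the skip (`console.log('Skipping IaC scan: no IaC-related files modified')`) so a CI run shows the scanner was skipped deliberately rather than broken, and fix the comment wording to `// Skip the IaC scan if no IaC-related files have been modified in the PR`. runAnalysis starts before this hunk and ends after it.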
@@ -140,6 +140,36 @@ export function getModifiedFiles(): string | undefined {
   return files || undefined
 }
 
+export function shouldRunIaCScanner(modifiedFiles: string): boolean {
+  const iacFileExtensions = ['.tf', '.hcl', '.yaml', '.yml', '.json']
+  const nonIaCFilenames = [
+    'package.json',
+    'package-lock.json',
+    'tsconfig.json',
+    'tsconfig.build.json',
+    'tslint.json',
+    'jest.config.json',
+    '.eslintrc.json',
+    '.prettierrc.json',
+    '.prettierrc.yaml',
+    '.prettierrc.yml',
+    'renovate.json',
+    'lerna.json',
+    'bower.json',
+    'composer.json',
+    'composer.lock',
+    'Pipfile.lock',
+    'cargo.lock',
+  ]
+  return modifiedFiles.split(',').some((file) => {
+    const filename = file.split('/').pop() || ''
+    if (nonIaCFilenames.includes(filename.toLowerCase())) {
+      return false
+    }
+    return iacFileExtensions.some((ext) => file.endsWith(ext))
+  })
+}
+
 // runCodesec - Docker-based scanner using codesec:latest image
 //
 // Modes:
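Review bot: `iacFileExtensions` is now the gate that decides whether the IaC scanner runs on a PR, so any input type the scanner would otherwise parse but that is missing here (`.tfvars`/`.auto.tfvars`, extension-less `Dockerfile`, `.bicep` are the usual suspects — which of them matter depends on what the codesec IaC scanner actually handles, which is not visible in this diff) is silently excluded from scanning on every PR. The list needs to be checked against the scanner's supported types and carry a comment saying so, e.g. `// Must cover every file type the codesec IaC scanner parses: a type missing here is never scanned on PRs`. Separately, `'Pipfile.lock'` can never match because the comparison lowercases `filename`, and the three `.lock` entries are dead anyway since `.lock` is not in `iacFileExtensions`; write the entries lowercase (`'pipfile.lock'`) or drop them. If `getModifiedFiles()` can yield entries with surrounding whitespace or newlines, `file.trim()` before the checks; the format of that string is not visible here. The exported function also deserves a TSDoc block stating that it returns true when any modified path looks like an IaC file after excluding known package/tooling manifests.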