Open Source  ·  Rust  ·  MIT License

DiffCatcher

A Rust CLI that recursively scans Git repos, captures state changes, generates diffs, extracts code elements, and produces security-focused reports — all in one command.

#rust #git #security #code-review #diff-analysis #static-analysis #devops #cli-tool #audit
18+ Built-in Security Patterns
10+ Supported Languages
4 Report Formats (JSON, MD, TXT, SARIF)
Repos Scanned in Parallel

Monitoring many repos is painful & error-prone

When you manage dozens of Git repositories, keeping track of what changed, what's security-relevant, and generating reviews manually is an endless chore.

😩

Manual diffs everywhere

Running git pull && git diff across 30 repos by hand wastes hours and misses things.

🔍

No cross-repo visibility

Security issues like hardcoded secrets or SQL injections scattered across repos go unnoticed.

📊

No structured reports

Raw patches are hard to read, impossible to pipe into CI/CD, and don't highlight what matters.

🛡️

Security reviews are slow

Code auditors need to manually identify which changed functions touch crypto, auth, or secrets.

One command. Everything automated.

📂

Discover

Recursive repo scanning

⬇️

Fetch / Pull

Safe state capture

🔀

Diff

N vs N-1 unified diff

🧩

Extract

Functions, types, imports

🚨

Tag

Security pattern match

📋

Report

JSON / MD / SARIF

Zero setup. Instant results.

# Scan ALL repos under ~/projects — fetch-only, safe.
$ diffcatcher ~/projects
 
# Pull updates + full security report in one shot
$ diffcatcher ~/projects --pull -o ./report
 
# PR review mode — diff two branches in a single repo
$ diffcatcher ./my-repo --diff main..feature/auth
 
# SARIF output — upload straight to GitHub Code Scanning
$ diffcatcher ~/projects --summary-format sarif,json
 
# Crank up parallelism for large monorepos
$ diffcatcher ~/projects -j 8 --quiet
 
Found 12 repos    167 elements extracted    23 security tags
./report/security_overview.md

Everything a code auditor could want.

📂

Recursive Repo Discovery

Auto-find all Git repos in any directory tree. Configurable filters, depth limits, symlink following.

--nested --follow-symlinks
🔀

Smart Diff Engine

N vs N-1 diffs with historical depth config. Full unified patch files + file manifests per repo.

--history-depth 5
🧩

Code Element Extraction

Identifies functions, structs, classes, imports + more across 10+ languages with full snippets.

10+ languages
🚨

Security Pattern Tagging

18 built-in patterns: crypto, auth, secrets, SQL injection, XSS, path traversal, and more.

18 built-in tags
📋

Multi-Format Reports

JSON, Markdown, plain text, and SARIF 2.1.0 output. Cross-repo security aggregation built-in.

SARIF · JSON · MD

Parallel Processing

Configurable thread pool, LRU caching, incremental mode — blazing fast even at scale.

-j 8 --incremental
🌿

Branch-Diff / PR Mode

Diff any two refs without touching the working tree. Perfect for PR reviews before merging.

--diff main..feature
🔌

Plugin System

Extend security patterns and element extractors via JSON plugins without touching source.

--security-plugin-file
⚙️

Config File Support

Drop a .diffcatcher.toml in your project. CLI flags always override config values.

.diffcatcher.toml

Full code context, not just line numbers.

DiffCatcher extracts the complete before/after source of every changed function — boundaries detected, context preserved. Security-tagged elements are flagged immediately.

📄 snippets / 002_validate_token_BEFORE.rs → AFTER.rs ⚠ security: auth, crypto
12 fn validate_token(token: &str) -> Result<Claims, Error> {
13 - let secret = "hardcoded_secret_123";
13 + let secret = env::var("JWT_SECRET")?;
14 - decode::<Claims>(token, &DecodingKey::from_secret(secret.as_ref()), &Validation::default())
14 + let validation = Validation::new(Algorithm::RS256);
15 + decode::<Claims>(token, &DecodingKey::from_secret(secret.as_bytes()), &validation)
16 }
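Review bot: the AFTER side pairs `Validation::new(Algorithm::RS256)` with `DecodingKey::from_secret(secret.as_bytes())`, which is a key/algorithm mismatch in the jsonwebtoken API: `from_secret` builds an HMAC key, while RS256 is an RSA signature algorithm that needs the RSA public key (for example `DecodingKey::from_rsa_pem`), and `decode` rejects a key whose family does not match the token's algorithm, so every token would fail verification. Since the value comes from a shared `JWT_SECRET`, the consistent fix is an HMAC algorithm pinned explicitly, e.g. `Validation::new(Algorithm::HS256)` with `from_secret`; if RS256 is really intended, load a public key instead of a secret. Pinning the algorithm rather than relying on `Validation::default()` is the right direction either way.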

18 patterns. Zero configuration needed.

Every changed element is automatically checked against built-in security patterns. Custom plugins let you add domain-specific rules.

Critical: 🔐 Secrets  ·  💉 SQL Injection  ·  🗂️ Path Traversal
High: 🔑 Auth  ·  🔒 Cryptography  ·  🌐 XSS  ·  🛂 Access Control  ·  🌊 SSRF
Medium: 📡 Network  ·  📝 Logging  ·  🗄️ Database  ·  📤 Deserialization  ·  ⚙️ Config  ·  🐚 Command Exec  ·  📁 File System  ·  💾 Memory Mgmt  ·  🧵 Race Condition  ·  🔌 Injection

Structured output your CI/CD pipeline can consume.

report/
├── summary.json                # Global cross-repo summary
├── summary.md                  # Human-readable overview
├── results.sarif               # SARIF 2.1.0, GitHub Code Scanning ready
├── security_overview.json      # All security findings, aggregated
├── security_overview.md
└── my-repo/
    ├── status.json             # Commit hashes, dirty state
    └── diffs/
        ├── diff_N_vs_N-1.patch
        ├── summary_N_vs_N-1.json   # Extracted elements
        └── snippets/
            ├── 001_validate_token_ADDED.rs
            ├── 002_check_perms_BEFORE.rs
            ├── 002_check_perms_AFTER.rs
            └── 002_check_perms.diff
🐙 GitHub Code Scanning
🔵 Azure DevOps
🟠 GitLab CI
💻 VS Code SARIF Viewer
⚙️ Any CI/CD via JSON
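Consuming results.sarif from a CI job, as an added example that is not DiffCatcher's own code: it resolves each result's effective severity the way SARIF 2.1.0 defines it (result.level, else the rule's defaultConfiguration.level, else "warning") and gates the pipeline on blocking levels. The SARIF document is constructed inline with made-up rule ids and paths, and it assumes DiffCatcher's output uses the standard tool.driver.rules and results fields.

```python
import json
# Constructed SARIF 2.1.0 document standing in for report/results.sarif (rule ids, messages and paths are made up here, not DiffCatcher's).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "diffcatcher", "rules": [
            {"id": "secrets", "defaultConfiguration": {"level": "error"}},
            {"id": "logging", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "secrets", "level": "error",  # explicit level wins
             "message": {"text": "hardcoded secret"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.rs"},
                                                 "region": {"startLine": 13}}}]},
            {"ruleId": "logging",  # no level: inherits the rule's defaultConfiguration
             "message": {"text": "sensitive value logged"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/log.rs"},
                                                 "region": {"startLine": 40}}}]},
            {"ruleId": "unknown-rule", "message": {"text": "unclassified"}},  # -> "warning"
        ],
    }],
})

def result_level(result, rules):
    """Effective severity per SARIF 2.1.0: result.level, else the rule's
    defaultConfiguration.level, else "warning"."""
    if "level" in result:
        return result["level"]
    rule = rules.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def summarize_sarif(text):
    """Return (counts per level, [(level, ruleId, "file:line"), ...])."""
    counts, findings = {}, []
    for run in json.loads(text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            lvl = result_level(res, rules)
            counts[lvl] = counts.get(lvl, 0) + 1
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<no location>")
            line = phys.get("region", {}).get("startLine", 0)
            findings.append((lvl, res.get("ruleId", "?"), f"{uri}:{line}"))
    return counts, findings

def should_fail(counts, fail_on=("error",)):
    """CI gate: True when any blocking severity level has at least one finding."""
    return any(counts.get(lvl, 0) > 0 for lvl in fail_on)
```

In a pipeline, pass the contents of report/results.sarif to summarize_sarif and exit non-zero when should_fail returns True.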

Get started in 30 seconds

Rust + Git is all you need. No runtime dependencies.

$ git clone https://github.com/Teycir/DiffCatcher.git && cargo build --release
Support Development

Like DiffCatcher? Buy me a coffee ☕

DiffCatcher is free and open source. If it saves you time on code reviews or security audits, consider supporting ongoing development and new features.

0x11282eE5726B3370c8B480e321b3B2aA13686582

ETH & ERC-20 tokens accepted  ·  View on Etherscan ↗