snyk · andrewrobinsonhodges-snyk · Nov 19, 2025 · Nov 19, 2025
@@ -87,7 +87,8 @@ func (sc *DelegatingConcurrentScanner) scanBaseBranch(ctx context.Context, s typ
 	if s.Product() == product.ProductCode {
 		results, err = s.Scan(ctx, "", baseFolderPath, folderConfig)
 	} else {
-		sc.populateOrgForScannedFolderConfig(baseFolderPath, folderConfig)
+		// Ensure that we are using the correct org for the scanned folder config
+		sc.populateOrgForScannedFolderConfig(sc.c, baseFolderPath, folderConfig)
 		results, err = s.Scan(ctx, baseFolderPath, "", folderConfig)
 	}
 	if err != nil {
@@ -100,17 +101,25 @@ func (sc *DelegatingConcurrentScanner) scanBaseBranch(ctx context.Context, s typ
 	return nil
 }
 
-func (sc *DelegatingConcurrentScanner) populateOrgForScannedFolderConfig(path types.FilePath, folderConfig *types.FolderConfig) {
-	c := config.CurrentConfig()
+// populateOrgForScannedFolderConfig creates a folder config for the scanned folder if it doesn't exist and populates
+// the org settings from the working directory folder config.
+// In delta scans, base branches might not have a folderConfig in storage, so the base scan would run using the default
+// org. This ensures we use the same org as for the working directory scans so that we can compare the results.
+func (sc *DelegatingConcurrentScanner) populateOrgForScannedFolderConfig(c *config.Config, path types.FilePath, folderConfig *types.FolderConfig) {
 	logger := c.Logger().With().Str("method", "populateOrgForScannedFolderConfig").Logger()
-	scannedFolderConfig, _ := storedconfig.GetFolderConfigWithOptions(c.Engine().GetConfiguration(), path, c.Logger(), storedconfig.GetFolderConfigOptions{
+	scannedFolderConfig, err := storedconfig.GetFolderConfigWithOptions(c.Engine().GetConfiguration(), path, c.Logger(), storedconfig.GetFolderConfigOptions{
 		CreateIfNotExist: false,
-		ReadOnly:         false,
+		ReadOnly:         true,
 		EnrichFromGit:    false,
 	})
 
+	if err != nil {
+		logger.Warn().Err(err).Str("path", string(path)).Msg("failed to get folder config for scanned directory")
+	}
+
 	if scannedFolderConfig == nil {
 		// Create a new folder config and copy the organization settings from the working directory folder config
+		logger.Debug().Str("path", string(path)).Msg("creating new folder config for scanned directory")
 		scannedFolderConfig = c.FolderConfig(path)
 		scannedFolderConfig.OrgMigratedFromGlobalConfig = folderConfig.OrgMigratedFromGlobalConfig
 		scannedFolderConfig.OrgSetByUser = folderConfig.OrgSetByUser

@@ -47,8 +47,8 @@ func NewExtensionExecutor(c *config.Config) Executor {
 }
 
 func (c ExtensionExecutor) Execute(ctx context.Context, cmd []string, workingDir types.FilePath) (resp []byte, err error) {
-	method := "ExtensionExecutor.Execute"
-	c.c.Logger().Debug().Str("method", method).Interface("cmd", cmd[1:]).Str("workingDir", string(workingDir)).Msg("calling legacycli extension")
+	logger := c.c.Logger().With().Str("method", "ExtensionExecutor.Execute").Logger()
+	logger.Debug().Interface("cmd", cmd[1:]).Str("workingDir", string(workingDir)).Msg("calling legacycli extension")
 
 	// set deadline to handle CLI hanging when obtaining semaphore
 	ctx, cancel := context.WithDeadline(ctx, time.Now().Add(c.cliTimeout))
@@ -63,12 +63,12 @@ func (c ExtensionExecutor) Execute(ctx context.Context, cmd []string, workingDir
 	}
 
 	output, err := c.doExecute(ctx, cmd, workingDir)
-	c.c.Logger().Trace().Str("method", method).Str("response", string(output))
+	logger.Trace().Str("response", string(output))
 	return output, err
 }
 
 func (c ExtensionExecutor) doExecute(ctx context.Context, cmd []string, workingDir types.FilePath) ([]byte, error) {
-	method := "ExtensionExecutor.doExecute"
+	logger := c.c.Logger().With().Str("method", "ExtensionExecutor.doExecute").Logger()
 	err := c.c.WaitForDefaultEnv(ctx)
 	if err != nil {
 		return []byte{}, err
@@ -88,7 +88,7 @@ func (c ExtensionExecutor) doExecute(ctx context.Context, cmd []string, workingD
 		if folderOrg != "" {
 			resolvedFolderOrg, resolveErr := c.c.ResolveOrgToUUID(folderOrg)
 			if resolveErr != nil {
-				c.c.Logger().Warn().Err(err).Str("method", method).Str("folderOrg", folderOrg).Msg("failed to resolve folder organization to UUID, falling back to global organization")
+				logger.Warn().Err(resolveErr).Str("folderOrg", folderOrg).Msg("failed to resolve folder organization to UUID, falling back to global organization")
 				legacyCLIConfig.Set(configuration.ORGANIZATION, c.c.Organization())
 			} else {
 				legacyCLIConfig.Set(configuration.ORGANIZATION, resolvedFolderOrg)

@@ -335,6 +335,7 @@ func Test_ExtensionExecutor_SubstitutesOrgInCommandArgs(t *testing.T) {
 
 	// Verify the org flag was added to the command args
 	assert.Contains(t, capturedArgs, "--org="+folderOrgUUID, "Command args should contain folder org flag")
+	assert.NotContains(t, capturedArgs, "--org="+globalOrgUUID, "Command args should not contain global org flag")
 }
 
 func Test_ExtensionExecutor_FallsBackToGlobalOrgOnResolutionFailure(t *testing.T) {
@@ -358,7 +359,6 @@ func Test_ExtensionExecutor_FallsBackToGlobalOrgOnResolutionFailure(t *testing.T
 	err := storedconfig.UpdateFolderConfig(c.Engine().GetConfiguration(), storedCfg, c.Logger())
 	require.NoError(t, err)
 
-	// Test - the resolution will fail because we don't have a real API connection
 	capturedOrg, _ := executeAndCaptureConfig(t, c, []string{"snyk", "test"}, folderPath)
 
 	// Verify we fell back to global org when resolution failed

@@ -98,7 +98,7 @@ func (iac *Scanner) SupportedCommands() []types.CommandName {
 	return []types.CommandName{}
 }
 
-func (iac *Scanner) Scan(ctx context.Context, path types.FilePath, _ types.FilePath, folderConfig *types.FolderConfig) (issues []types.Issue, err error) {
+func (iac *Scanner) Scan(ctx context.Context, path types.FilePath, _ types.FilePath, _ *types.FolderConfig) (issues []types.Issue, err error) {
 	c := config.CurrentConfig()
 	logger := c.Logger().With().Str("method", "iac.Scan").Logger()
 	if !c.NonEmptyToken() {