Finding a vulnerability by looking at the diff that fixed it is very different than just looking through the code.

They're saying to do that scan to every diff before release, to see if it finds anything.

	▲	riknos314 28 minutes ago \| parent [-]
		I believe their point was that: "How likely is this diff a patch for an existing vulnerability?" Seems to be an easier question to answer than "Are there any new vulnerabilities introduced by this diff?" In other words identifying that a patch is for a vulnerability is typically easier than finding the vulnerability in the first place.