diff --git a/.github/workflows/security-guardian.yml b/.github/workflows/security-guardian.yml
index eeaaabd44fbc9..a4a09524af414 100644
--- a/.github/workflows/security-guardian.yml
+++ b/.github/workflows/security-guardian.yml
@@ -16,18 +16,19 @@ jobs:
 run: |
 echo "Getting changed CloudFormation templates..."
 mkdir -p changed_templates
-
- git fetch origin main --depth=1
-
+
 base_sha="${{ github.event.pull_request.base.sha }}"
 head_sha="${{ github.event.pull_request.head.sha }}"
- if [[ -z "$base_sha" ]]; then base_sha=$(git merge-base origin/main HEAD); fi
- if [[ -z "$head_sha" ]]; then head_sha=HEAD; fi
-
- git diff --name-status "$base_sha" "$head_sha" \
+
+ git fetch origin main --depth=1
+ git fetch origin pull/${{ github.event.pull_request.number }}/head:pr
+
+ git checkout pr
+
+ git diff --name-status "$base_sha" pr \
 | grep -E '^(A|M)\s+.*\.template\.json$' \
 | awk '{print $2}' > changed_files.txt || true
-
+
 while IFS= read -r file; do
 if [ -f "$file" ]; then
 safe_name=$(echo "$file" | sed 's|/|_|g')
@@ -36,12 +37,13 @@ jobs:
 echo "::warning::Changed file not found in workspace: $file"
 fi
 done < changed_files.txt
-
+
 if [ -s changed_files.txt ]; then
 echo "files_changed=true" >> $GITHUB_OUTPUT
 else
 echo "files_changed=false" >> $GITHUB_OUTPUT
 fi
+
 - name: Install cfn-guard
 if: steps.filter_files.outputs.files_changed == 'true'
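Review bot: With the `if [[ -z "$base_sha" ]]` fallback removed, an empty base_sha (any run where the pull_request event payload is absent) makes the new `git diff --name-status "$base_sha" pr` line fail, and the trailing `|| true` on that pipeline turns the failure into an empty changed_files.txt, so files_changed=false and the cfn-guard step is skipped — the filter fails open instead of failing the job. Aborting is a one-line change, `git diff --name-status "${base_sha:?base sha not set}" pr \`, and the same `|| true` would also hide a "bad object" error if base_sha is not reachable from the `--depth=1` fetch of main, so consider verifying it with `git cat-file -e "$base_sha"` before the diff. The `head_sha` assignment on the context line is now unused by the new side and can be dropped. If this workflow is triggered by `pull_request_target` (the `on:` block is outside the hunk), the added `git checkout pr` puts fork-controlled files into a job that holds the repository token, which should be confirmed before merging. The run script continues past the end of the hunk.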