socket 1.1.38 → 1.1.39

package/CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.39](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.39) - 2025-12-01
+
+### Added
+- Added the `--output <scan-report.json>` flag to `socket scan reach`.
+
+### Changed
+- Updated the Coana CLI to v `14.12.107`.
+
 ## [1.1.38](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.38) - 2025-11-26
 
 ### Changed

package/dist/cli.js

@@ -1559,6 +1559,7 @@ async function performReachabilityAnalysis(options) {
     branchName,
     cwd = process.cwd(),
     orgSlug,
+    outputPath,
     packagePaths,
     reachabilityOptions,
     repoName,
@@ -1638,9 +1639,9 @@ async function performReachabilityAnalysis(options) {
   }
   spinner?.start();
   spinner?.infoAndStop('Running reachability analysis with Coana...');
-
+  const outputFilePath = outputPath || constants.default.DOT_SOCKET_DOT_FACTS_JSON;
   // Build Coana arguments.
-  const coanaArgs = ['run', analysisTarget, '--output-dir', cwd, '--socket-mode', constants.default.DOT_SOCKET_DOT_FACTS_JSON, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
+  const coanaArgs = ['run', analysisTarget, '--output-dir', path.dirname(outputFilePath), '--socket-mode', outputFilePath, '--disable-report-submission', ...(reachabilityOptions.reachAnalysisTimeout ? ['--analysis-timeout', `${reachabilityOptions.reachAnalysisTimeout}`] : []), ...(reachabilityOptions.reachAnalysisMemoryLimit ? ['--memory-limit', `${reachabilityOptions.reachAnalysisMemoryLimit}`] : []), ...(reachabilityOptions.reachConcurrency ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`] : []), ...(reachabilityOptions.reachDebug ? ['--debug'] : []), ...(reachabilityOptions.reachDisableAnalytics ? ['--disable-analytics-sharing'] : []), ...(reachabilityOptions.reachDisableAnalysisSplitting ? ['--disable-analysis-splitting'] : []), ...(tarHash ? ['--run-without-docker', '--manifests-tar-hash', tarHash] : []),
   // Empty reachEcosystems implies scanning all ecosystems.
   ...(reachabilityOptions.reachEcosystems.length ? ['--purl-types', ...reachabilityOptions.reachEcosystems] : []), ...(reachabilityOptions.reachExcludePaths.length ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths] : []), ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : [])];
 
@@ -1668,9 +1669,9 @@ async function performReachabilityAnalysis(options) {
   return coanaResult.ok ? {
     ok: true,
     data: {
-      // Use the DOT_SOCKET_DOT_FACTS_JSON file for the scan.
-      reachabilityReport: constants.default.DOT_SOCKET_DOT_FACTS_JSON,
-      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(constants.default.DOT_SOCKET_DOT_FACTS_JSON)
+      // Use the actual output filename for the scan.
+      reachabilityReport: outputFilePath,
+      tier1ReachabilityScanId: utils.extractTier1ReachabilityScanId(outputFilePath)
     }
   } : coanaResult;
 }
@@ -13336,8 +13337,8 @@ async function run$8(argv, importMeta, {
 }
 
 async function outputScanReach(result, {
-  cwd,
-  outputKind
+  outputKind,
+  outputPath
 }) {
   if (!result.ok) {
     process.exitCode = result.code ?? 1;
@@ -13350,9 +13351,10 @@ async function outputScanReach(result, {
     logger.logger.fail(utils.failMsgWithBadge(result.message, result.cause));
     return;
   }
+  const actualOutputPath = outputPath || constants.default.DOT_SOCKET_DOT_FACTS_JSON;
   logger.logger.log('');
   logger.logger.success('Reachability analysis completed successfully!');
-  logger.logger.info(`Reachability report has been written to: ${path.join(cwd, constants.default.DOT_SOCKET_DOT_FACTS_JSON)}`);
+  logger.logger.info(`Reachability report has been written to: ${actualOutputPath}`);
 }
 
 async function handleScanReach({
@@ -13360,6 +13362,7 @@ async function handleScanReach({
   interactive: _interactive,
   orgSlug,
   outputKind,
+  outputPath,
   reachabilityOptions,
   targets
 }) {
@@ -13373,8 +13376,8 @@ async function handleScanReach({
   });
   if (!supportedFilesCResult.ok) {
     await outputScanReach(supportedFilesCResult, {
-      cwd,
-      outputKind
+      outputKind,
+      outputPath
     });
     return;
   }
@@ -13398,6 +13401,7 @@ async function handleScanReach({
   const result = await performReachabilityAnalysis({
     cwd,
     orgSlug,
+    outputPath,
     packagePaths,
     reachabilityOptions,
     spinner,
@@ -13406,8 +13410,8 @@ async function handleScanReach({
   });
   spinner.stop();
   await outputScanReach(result, {
-    cwd,
-    outputKind
+    outputKind,
+    outputPath
   });
 }
 
@@ -13426,6 +13430,12 @@ const generalFlags = {
     type: 'string',
     default: '',
     description: 'Force override the organization slug, overrides the default org from config'
+  },
+  output: {
+    type: 'string',
+    default: '',
+    description: 'Path to write the reachability report to (must end with .json). Defaults to .socket.facts.json in the current working directory.',
+    shortFlag: 'o'
   }
 };
 const cmdScanReach = {
@@ -13458,7 +13468,8 @@ async function run$7(argv, importMeta, {
       ${utils.getFlagListOutput(reachabilityFlags)}
 
     Runs the Socket reachability analysis without creating a scan in Socket.
-    The output is written to .socket.facts.json in the current working directory.
+    The output is written to .socket.facts.json in the current working directory
+    unless the --output flag is specified.
 
     Note: Manifest files are uploaded to Socket's backend services because the
     reachability analysis requires creating a Software Bill of Materials (SBOM)
@@ -13468,6 +13479,8 @@ async function run$7(argv, importMeta, {
       $ ${command}
       $ ${command} ./proj
       $ ${command} ./proj --reach-ecosystems npm,pypi
+      $ ${command} --output custom-report.json
+      $ ${command} ./proj --output ./reports/analysis.json
   `
   };
   const cli = utils.meowOrExit({
@@ -13482,6 +13495,7 @@ async function run$7(argv, importMeta, {
     json,
     markdown,
     org: orgFlag,
+    output: outputPath,
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
     reachConcurrency,
@@ -13538,6 +13552,11 @@ async function run$7(argv, importMeta, {
     test: !json || !markdown,
     message: 'The json and markdown flags cannot be both set, pick one',
     fail: 'omit one'
+  }, {
+    nook: true,
+    test: !outputPath || outputPath.endsWith('.json'),
+    message: 'The --output path must end with .json',
+    fail: 'use a path ending with .json'
   }, {
     nook: true,
     test: targetValidation.isValid,
@@ -13568,10 +13587,10 @@ async function run$7(argv, importMeta, {
   }
   await handleScanReach({
     cwd,
+    interactive,
     orgSlug,
     outputKind,
-    targets,
-    interactive,
+    outputPath: outputPath || '',
     reachabilityOptions: {
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
@@ -13582,7 +13601,8 @@ async function run$7(argv, importMeta, {
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache)
-    }
+    },
+    targets
   });
 }
 
@@ -15419,5 +15439,5 @@ void (async () => {
     await utils.captureException(e);
   }
 })();
-//# debugId=39010d7c-ef10-4b4e-b008-38ac722e7d5d
+//# debugId=8693f005-3cc6-4712-ba1e-c0aa7f093c42
 //# sourceMappingURL=cli.js.map