cycode 3.11.6.dev1__tar.gz → 3.12.1__tar.gz

{cycode-3.11.6.dev1 → cycode-3.12.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.11.6.dev1
+Version: 3.12.1
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE
@@ -71,6 +71,7 @@ This guide walks you through both installation and usage.
            4. [Package Vulnerabilities](#package-vulnerabilities-option)
            5. [License Compliance](#license-compliance-option)
            6. [Lock Restore](#lock-restore-option)
+           7. [Stop on Error](#stop-on-error-option)
         2. [Repository Scan](#repository-scan)
             1. [Branch Option](#branch-option)
         3. [Path Scan](#path-scan)
@@ -425,12 +426,22 @@ The MCP server provides the following tools that AI systems can use:
 
 | Tool Name            | Description                                                                                 |
 |----------------------|---------------------------------------------------------------------------------------------|
-| `cycode_secret_scan` | Scan files for hardcoded secrets                                                            |
-| `cycode_sca_scan`    | Scan files for Software Composition Analysis (SCA) - vulnerabilities and license issues     |
-| `cycode_iac_scan`    | Scan files for Infrastructure as Code (IaC) misconfigurations                               |
-| `cycode_sast_scan`   | Scan files for Static Application Security Testing (SAST) - code quality and security flaws |
+| `cycode_secret_scan` | Scan for hardcoded secrets                                                                  |
+| `cycode_sca_scan`    | Scan for Software Composition Analysis (SCA) - vulnerabilities and license issues           |
+| `cycode_iac_scan`    | Scan for Infrastructure as Code (IaC) misconfigurations                                     |
+| `cycode_sast_scan`   | Scan for Static Application Security Testing (SAST) - code quality and security flaws       |
 | `cycode_status`      | Get Cycode CLI version, authentication status, and configuration information                |
 
+Each scan tool accepts two mutually exclusive input modes:
+
+- **`paths`** *(preferred)* — one or more file or directory paths that exist on disk. Directories are scanned recursively. The Cycode engine handles file discovery and filtering, just as `cycode scan -t <type> path ./src` does from the CLI.
+- **`files`** *(fallback)* — a dictionary mapping file paths to their full content as strings. Use this only when the files are not available on disk (e.g. in-memory edits not yet saved).
+
+> [!TIP]
+> Use `paths` whenever possible. Passing large files (like `package-lock.json`) as inline content can exceed token limits and slow down the AI client. With `paths`, the Cycode engine reads files directly from disk.
+
+All scan tools return a JSON object that includes a `"summary"` field with a human-readable violation count (e.g. `"Cycode found 3 violations: 1 CRITICAL, 2 HIGH."`) in addition to the full `"detections"` array.
+
 ### Usage Examples
 
 #### Basic Command Examples
@@ -588,6 +599,26 @@ cycode mcp -t streamable-http -H 127.0.0.2 -p 9000 &
 > [!NOTE]
 > The MCP server requires proper Cycode CLI authentication to function. Make sure you have authenticated using `cycode auth` or configured your credentials before starting the MCP server.
 
+### Pre-authorizing Tools for Subagents (Claude Code)
+
+When Claude Code delegates work to background subagents (e.g. to run scans in parallel), those subagents cannot display interactive permission prompts. If the Cycode tools have not been pre-approved, scans will fail silently in subagent contexts.
+
+To pre-authorize the Cycode MCP tools so they work in all contexts including subagents, add them to the `allowedTools` list in your Claude Code settings (`~/.claude/settings.json`):
+
+```json
+{
+  "allowedTools": [
+    "mcp__cycode__cycode_secret_scan",
+    "mcp__cycode__cycode_sca_scan",
+    "mcp__cycode__cycode_iac_scan",
+    "mcp__cycode__cycode_sast_scan",
+    "mcp__cycode__cycode_status"
+  ]
+}
+```
+
+Once added, Claude Code will not prompt for approval when these tools are called, and they will work correctly inside subagents.
+
 ### Troubleshooting MCP
 
 If you encounter issues with the MCP server, you can enable debug logging to get more detailed information about what's happening. There are two ways to enable debug logging:
@@ -631,6 +662,7 @@ The Cycode CLI application offers several types of scans so that you can choose
 | `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                                     |
 | `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                                  |
 | `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                                |
+| `--stop-on-error`                                          | Abort the scan if any file collection or dependency restore failure occurs, instead of skipping the failed file and continuing.   |
 | `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from                                                         |
 | `--maven-settings-file`                                    | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when scanning for dependencies |
 | `--help`                                                   | Show options for given command.                                                                                                  |
@@ -737,6 +769,18 @@ If a lockfile already exists alongside the manifest, Cycode reads it directly wi
 addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "1.5.1")
 ```
 
+#### Stop on Error Option
+
+By default, Cycode continues scanning even if a file cannot be read (e.g. due to a permission error) or a dependency lockfile cannot be generated during an SCA scan. The failed item is skipped with a warning and the scan proceeds with the remaining files.
+
+Use `--stop-on-error` to change this behaviour: the scan aborts immediately on the first such failure and reports the error.
+
+```bash
+cycode scan -t sca --stop-on-error path ~/home/git/codebase
+```
+
+This is useful in CI pipelines where a silent failure would produce an incomplete scan result. When `--stop-on-error` is triggered you can either fix the underlying issue or, for SCA restore failures specifically, add `--no-restore` to skip lockfile generation and scan direct dependencies only.
+
 ### Repository Scan
 
 A repository scan examines an entire local repository for any exposed secrets or insecure misconfigurations. This more holistic scan type looks at everything: the current state of your repository and its commit history. It will look not only for secrets that are currently exposed within the repository but previously deleted secrets as well.

{cycode-3.11.6.dev1 → cycode-3.12.1}/README.md

@@ -30,6 +30,7 @@ This guide walks you through both installation and usage.
            4. [Package Vulnerabilities](#package-vulnerabilities-option)
            5. [License Compliance](#license-compliance-option)
            6. [Lock Restore](#lock-restore-option)
+           7. [Stop on Error](#stop-on-error-option)
         2. [Repository Scan](#repository-scan)
             1. [Branch Option](#branch-option)
         3. [Path Scan](#path-scan)
@@ -384,12 +385,22 @@ The MCP server provides the following tools that AI systems can use:
 
 | Tool Name            | Description                                                                                 |
 |----------------------|---------------------------------------------------------------------------------------------|
-| `cycode_secret_scan` | Scan files for hardcoded secrets                                                            |
-| `cycode_sca_scan`    | Scan files for Software Composition Analysis (SCA) - vulnerabilities and license issues     |
-| `cycode_iac_scan`    | Scan files for Infrastructure as Code (IaC) misconfigurations                               |
-| `cycode_sast_scan`   | Scan files for Static Application Security Testing (SAST) - code quality and security flaws |
+| `cycode_secret_scan` | Scan for hardcoded secrets                                                                  |
+| `cycode_sca_scan`    | Scan for Software Composition Analysis (SCA) - vulnerabilities and license issues           |
+| `cycode_iac_scan`    | Scan for Infrastructure as Code (IaC) misconfigurations                                     |
+| `cycode_sast_scan`   | Scan for Static Application Security Testing (SAST) - code quality and security flaws       |
 | `cycode_status`      | Get Cycode CLI version, authentication status, and configuration information                |
 
+Each scan tool accepts two mutually exclusive input modes:
+
+- **`paths`** *(preferred)* — one or more file or directory paths that exist on disk. Directories are scanned recursively. The Cycode engine handles file discovery and filtering, just as `cycode scan -t <type> path ./src` does from the CLI.
+- **`files`** *(fallback)* — a dictionary mapping file paths to their full content as strings. Use this only when the files are not available on disk (e.g. in-memory edits not yet saved).
+
+> [!TIP]
+> Use `paths` whenever possible. Passing large files (like `package-lock.json`) as inline content can exceed token limits and slow down the AI client. With `paths`, the Cycode engine reads files directly from disk.
+
+All scan tools return a JSON object that includes a `"summary"` field with a human-readable violation count (e.g. `"Cycode found 3 violations: 1 CRITICAL, 2 HIGH."`) in addition to the full `"detections"` array.
+
 ### Usage Examples
 
 #### Basic Command Examples
@@ -547,6 +558,26 @@ cycode mcp -t streamable-http -H 127.0.0.2 -p 9000 &
 > [!NOTE]
 > The MCP server requires proper Cycode CLI authentication to function. Make sure you have authenticated using `cycode auth` or configured your credentials before starting the MCP server.
 
+### Pre-authorizing Tools for Subagents (Claude Code)
+
+When Claude Code delegates work to background subagents (e.g. to run scans in parallel), those subagents cannot display interactive permission prompts. If the Cycode tools have not been pre-approved, scans will fail silently in subagent contexts.
+
+To pre-authorize the Cycode MCP tools so they work in all contexts including subagents, add them to the `allowedTools` list in your Claude Code settings (`~/.claude/settings.json`):
+
+```json
+{
+  "allowedTools": [
+    "mcp__cycode__cycode_secret_scan",
+    "mcp__cycode__cycode_sca_scan",
+    "mcp__cycode__cycode_iac_scan",
+    "mcp__cycode__cycode_sast_scan",
+    "mcp__cycode__cycode_status"
+  ]
+}
+```
+
+Once added, Claude Code will not prompt for approval when these tools are called, and they will work correctly inside subagents.
+
 ### Troubleshooting MCP
 
 If you encounter issues with the MCP server, you can enable debug logging to get more detailed information about what's happening. There are two ways to enable debug logging:
@@ -590,6 +621,7 @@ The Cycode CLI application offers several types of scans so that you can choose
 | `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                                     |
 | `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                                  |
 | `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                                |
+| `--stop-on-error`                                          | Abort the scan if any file collection or dependency restore failure occurs, instead of skipping the failed file and continuing.   |
 | `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from                                                         |
 | `--maven-settings-file`                                    | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when scanning for dependencies |
 | `--help`                                                   | Show options for given command.                                                                                                  |
@@ -696,6 +728,18 @@ If a lockfile already exists alongside the manifest, Cycode reads it directly wi
 addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "1.5.1")
 ```
 
+#### Stop on Error Option
+
+By default, Cycode continues scanning even if a file cannot be read (e.g. due to a permission error) or a dependency lockfile cannot be generated during an SCA scan. The failed item is skipped with a warning and the scan proceeds with the remaining files.
+
+Use `--stop-on-error` to change this behaviour: the scan aborts immediately on the first such failure and reports the error.
+
+```bash
+cycode scan -t sca --stop-on-error path ~/home/git/codebase
+```
+
+This is useful in CI pipelines where a silent failure would produce an incomplete scan result. When `--stop-on-error` is triggered you can either fix the underlying issue or, for SCA restore failures specifically, add `--no-restore` to skip lockfile generation and scan direct dependencies only.
+
 ### Repository Scan
 
 A repository scan examines an entire local repository for any exposed secrets or insecure misconfigurations. This more holistic scan type looks at everything: the current state of your repository and its commit history. It will look not only for secrets that are currently exposed within the repository but previously deleted secrets as well.

cycode-3.12.1/cycode/__init__.py

@@ -0,0 +1 @@
+__version__ = '3.12.1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/apps/mcp/mcp_command.py

@@ -6,7 +6,7 @@ import shutil
 import sys
 import tempfile
 import uuid
-from typing import Annotated, Any
+from typing import Annotated, Any, Optional
 
 import typer
 from pathvalidate import sanitize_filepath
@@ -28,7 +28,25 @@ _logger = get_logger('Cycode MCP')
 
 _DEFAULT_RUN_COMMAND_TIMEOUT = 10 * 60
 
-_FILES_TOOL_FIELD = Field(description='Files to scan, mapping file paths to their content')
+_FILES_TOOL_FIELD = Field(
+    default=None,
+    description=(
+        'Files to scan, mapping file paths to their content. '
+        'Provide either this or "paths". '
+        'Note: for large codebases, prefer "paths" to avoid token overhead.'
+    ),
+)
+_PATHS_TOOL_FIELD = Field(
+    default=None,
+    description=(
+        'Paths to scan — file paths or directory paths that exist on disk. '
+        'Directories are scanned recursively. '
+        'Provide either this or "files". '
+        'Preferred over "files" when the files already exist on disk.'
+    ),
+)
+
+_SEVERITY_ORDER = ('CRITICAL', 'HIGH', 'MEDIUM', 'LOW')
 
 
 def _is_debug_mode() -> bool:
@@ -163,9 +181,9 @@ class _TempFilesManager:
             shutil.rmtree(self.temp_base_dir, ignore_errors=True)
 
 
-async def _run_cycode_scan(scan_type: ScanTypeOption, temp_files: list[str]) -> dict[str, Any]:
+async def _run_cycode_scan(scan_type: ScanTypeOption, paths: list[str]) -> dict[str, Any]:
     """Run cycode scan command and return the result."""
-    return await _run_cycode_command(*['scan', '-t', str(scan_type), 'path', *temp_files])
+    return await _run_cycode_command(*['scan', '-t', str(scan_type), 'path', *paths])
 
 
 async def _run_cycode_status() -> dict[str, Any]:
@@ -173,38 +191,89 @@ async def _run_cycode_status() -> dict[str, Any]:
     return await _run_cycode_command('status')
 
 
-async def _cycode_scan_tool(scan_type: ScanTypeOption, files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
+def _build_scan_summary(result: dict[str, Any]) -> str:
+    """Build a human-readable summary line from a scan result dict.
+
+    Args:
+        result: Parsed JSON scan result from the CLI.
+
+    Returns:
+        A one-line summary string describing what was found.
+    """
+    detections = result.get('detections', [])
+    errors = result.get('errors', [])
+
+    if not detections:
+        if errors:
+            return f'Scan completed with {len(errors)} error(s) and no violations found.'
+        return 'No violations found.'
+
+    total = len(detections)
+    severity_counts: dict[str, int] = {}
+    for d in detections:
+        sev = (d.get('severity') or 'UNKNOWN').upper()
+        severity_counts[sev] = severity_counts.get(sev, 0) + 1
+
+    parts = [f'{severity_counts[s]} {s}' for s in _SEVERITY_ORDER if s in severity_counts]
+    other_keys = [k for k in severity_counts if k not in _SEVERITY_ORDER]
+    parts += [f'{severity_counts[k]} {k}' for k in other_keys]
+
+    label = 'violation' if total == 1 else 'violations'
+    return f'Cycode found {total} {label}: {", ".join(parts)}.'
+
+
+async def _cycode_scan_tool(
+    scan_type: ScanTypeOption,
+    files: Optional[dict[str, str]] = None,
+    paths: Optional[list[str]] = None,
+) -> str:
     _tool_call_id = _gen_random_id()
     _logger.info('Scan tool called, %s', {'scan_type': scan_type, 'call_id': _tool_call_id})
 
-    if not files:
-        _logger.error('No files provided for scan')
-        return json.dumps({'error': 'No files provided'})
+    if not files and not paths:
+        _logger.error('No files or paths provided for scan')
+        return json.dumps(
+            {'error': 'No files or paths provided. Pass file contents via "files" or disk paths via "paths".'}
+        )
 
     try:
-        with _TempFilesManager(files, _tool_call_id) as temp_files:
-            original_count = len(files)
-            processed_count = len(temp_files)
-
-            if processed_count < original_count:
-                _logger.warning(
-                    'Some files were rejected during sanitization, %s',
-                    {
-                        'scan_type': scan_type,
-                        'original_count': original_count,
-                        'processed_count': processed_count,
-                        'call_id': _tool_call_id,
-                    },
-                )
+        if paths:
+            missing = [p for p in paths if not os.path.exists(p)]
+            if missing:
+                return json.dumps({'error': f'Paths not found on disk: {missing}'}, indent=2)
 
             _logger.info(
-                'Running Cycode scan, %s',
-                {'scan_type': scan_type, 'files_count': processed_count, 'call_id': _tool_call_id},
+                'Running Cycode scan (path-based), %s',
+                {'scan_type': scan_type, 'paths': paths, 'call_id': _tool_call_id},
             )
-            result = await _run_cycode_scan(scan_type, temp_files)
+            result = await _run_cycode_scan(scan_type, paths)
+        else:
+            with _TempFilesManager(files, _tool_call_id) as temp_files:
+                original_count = len(files)
+                processed_count = len(temp_files)
+
+                if processed_count < original_count:
+                    _logger.warning(
+                        'Some files were rejected during sanitization, %s',
+                        {
+                            'scan_type': scan_type,
+                            'original_count': original_count,
+                            'processed_count': processed_count,
+                            'call_id': _tool_call_id,
+                        },
+                    )
+
+                _logger.info(
+                    'Running Cycode scan (files-based), %s',
+                    {'scan_type': scan_type, 'files_count': processed_count, 'call_id': _tool_call_id},
+                )
+                result = await _run_cycode_scan(scan_type, temp_files)
 
-            _logger.info('Scan completed, %s', {'scan_type': scan_type, 'call_id': _tool_call_id})
-            return json.dumps(result, indent=2)
+        if 'error' not in result:
+            result['summary'] = _build_scan_summary(result)
+
+        _logger.info('Scan completed, %s', {'scan_type': scan_type, 'call_id': _tool_call_id})
+        return json.dumps(result, indent=2)
     except ValueError as e:
         _logger.error('Invalid input files, %s', {'scan_type': scan_type, 'call_id': _tool_call_id, 'error': str(e)})
         return json.dumps({'error': f'Invalid input files: {e!s}'}, indent=2)
@@ -213,8 +282,11 @@ async def _cycode_scan_tool(scan_type: ScanTypeOption, files: dict[str, str] = _
         return json.dumps({'error': f'Scan failed: {e!s}'}, indent=2)
 
 
-async def cycode_secret_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
-    """Scan files for hardcoded secrets.
+async def cycode_secret_scan(
+    paths: Optional[list[str]] = _PATHS_TOOL_FIELD,
+    files: Optional[dict[str, str]] = _FILES_TOOL_FIELD,
+) -> str:
+    """Scan for hardcoded secrets.
 
     Use this tool when you need to:
       - scan code for hardcoded secrets, API keys, passwords, tokens
@@ -222,16 +294,20 @@ async def cycode_secret_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
       - detect potential security vulnerabilities from secret exposure
 
     Args:
-        files: Dictionary mapping file paths to their content
+        paths: File or directory paths on disk to scan (preferred). Directories are scanned recursively.
+        files: Dictionary mapping file paths to their content (fallback when files are not on disk).
 
     Returns:
-        JSON string containing scan results and any secrets found
+        JSON string with a "summary" field (human-readable violation count) plus full scan results.
     """
-    return await _cycode_scan_tool(ScanTypeOption.SECRET, files)
+    return await _cycode_scan_tool(ScanTypeOption.SECRET, files=files, paths=paths)
 
 
-async def cycode_sca_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
-    """Scan files for Software Composition Analysis (SCA) - vulnerabilities and license issues.
+async def cycode_sca_scan(
+    paths: Optional[list[str]] = _PATHS_TOOL_FIELD,
+    files: Optional[dict[str, str]] = _FILES_TOOL_FIELD,
+) -> str:
+    """Scan for Software Composition Analysis (SCA) - vulnerabilities and license issues.
 
     Use this tool when you need to:
       - scan dependencies for known security vulnerabilities
@@ -242,19 +318,24 @@ async def cycode_sca_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
 
     Important:
         You must also include lock files (like package-lock.json, Pipfile.lock, etc.) to get accurate results.
-        You must provide manifest and lock files together.
+        When using "paths", pass the directory containing both manifest and lock files.
+        When using "files", provide both manifest and lock files together.
 
     Args:
-        files: Dictionary mapping file paths to their content
+        paths: File or directory paths on disk to scan (preferred). Directories are scanned recursively.
+        files: Dictionary mapping file paths to their content (fallback when files are not on disk).
 
     Returns:
-        JSON string containing scan results, vulnerabilities, and license issues found
+        JSON string with a "summary" field (human-readable violation count) plus full scan results.
     """
-    return await _cycode_scan_tool(ScanTypeOption.SCA, files)
+    return await _cycode_scan_tool(ScanTypeOption.SCA, files=files, paths=paths)
 
 
-async def cycode_iac_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
-    """Scan files for Infrastructure as Code (IaC) misconfigurations.
+async def cycode_iac_scan(
+    paths: Optional[list[str]] = _PATHS_TOOL_FIELD,
+    files: Optional[dict[str, str]] = _FILES_TOOL_FIELD,
+) -> str:
+    """Scan for Infrastructure as Code (IaC) misconfigurations.
 
     Use this tool when you need to:
       - scan Terraform, CloudFormation, Kubernetes YAML files
@@ -264,16 +345,20 @@ async def cycode_iac_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
       - review Docker files for security issues
 
     Args:
-        files: Dictionary mapping file paths to their content
+        paths: File or directory paths on disk to scan (preferred). Directories are scanned recursively.
+        files: Dictionary mapping file paths to their content (fallback when files are not on disk).
 
     Returns:
-        JSON string containing scan results and any misconfigurations found
+        JSON string with a "summary" field (human-readable violation count) plus full scan results.
     """
-    return await _cycode_scan_tool(ScanTypeOption.IAC, files)
+    return await _cycode_scan_tool(ScanTypeOption.IAC, files=files, paths=paths)
 
 
-async def cycode_sast_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
-    """Scan files for Static Application Security Testing (SAST) - code quality and security flaws.
+async def cycode_sast_scan(
+    paths: Optional[list[str]] = _PATHS_TOOL_FIELD,
+    files: Optional[dict[str, str]] = _FILES_TOOL_FIELD,
+) -> str:
+    """Scan for Static Application Security Testing (SAST) - code quality and security flaws.
 
     Use this tool when you need to:
       - scan source code for security vulnerabilities
@@ -283,12 +368,13 @@ async def cycode_sast_scan(files: dict[str, str] = _FILES_TOOL_FIELD) -> str:
       - find SQL injection, XSS, and other application security issues
 
     Args:
-        files: Dictionary mapping file paths to their content
+        paths: File or directory paths on disk to scan (preferred). Directories are scanned recursively.
+        files: Dictionary mapping file paths to their content (fallback when files are not on disk).
 
     Returns:
-        JSON string containing scan results and any security flaws found
+        JSON string with a "summary" field (human-readable violation count) plus full scan results.
     """
-    return await _cycode_scan_tool(ScanTypeOption.SAST, files)
+    return await _cycode_scan_tool(ScanTypeOption.SAST, files=files, paths=paths)
 
 
 async def cycode_status() -> str:

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/apps/report/sbom/path/path_command.py

@@ -10,6 +10,7 @@ from cycode.cli.apps.sca_options import (
     GradleAllSubProjectsOption,
     MavenSettingsFileOption,
     NoRestoreOption,
+    StopOnErrorOption,
     apply_sca_restore_options_to_context,
 )
 from cycode.cli.exceptions.handle_report_sbom_errors import handle_report_exception
@@ -30,8 +31,9 @@ def path_command(
     no_restore: NoRestoreOption = False,
     gradle_all_sub_projects: GradleAllSubProjectsOption = False,
     maven_settings_file: MavenSettingsFileOption = None,
+    stop_on_error: StopOnErrorOption = False,
 ) -> None:
-    apply_sca_restore_options_to_context(ctx, no_restore, gradle_all_sub_projects, maven_settings_file)
+    apply_sca_restore_options_to_context(ctx, no_restore, gradle_all_sub_projects, maven_settings_file, stop_on_error)
 
     client = get_report_cycode_client(ctx)
     report_parameters = ctx.obj['report_parameters']
@@ -51,6 +53,7 @@ def path_command(
             consts.SCA_SCAN_TYPE,
             (str(path),),
             is_cycodeignore_allowed=is_cycodeignore_allowed_by_scan_config(ctx),
+            stop_on_error=stop_on_error,
         )
         # TODO(MarshalX): combine perform_pre_scan_documents_actions with get_relevant_document.
         #  unhardcode usage of context in perform_pre_scan_documents_actions

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/apps/sca_options.py

@@ -35,13 +35,24 @@ MavenSettingsFileOption = Annotated[
     ),
 ]
 
+StopOnErrorOption = Annotated[
+    bool,
+    typer.Option(
+        '--stop-on-error',
+        help='When specified, stops the process if any file collection or restore failure occurs.',
+        rich_help_panel=_SCA_RICH_HELP_PANEL,
+    ),
+]
+
 
 def apply_sca_restore_options_to_context(
     ctx: typer.Context,
     no_restore: bool,
     gradle_all_sub_projects: bool,
     maven_settings_file: Optional[Path],
+    stop_on_error: bool = False,
 ) -> None:
     ctx.obj['no_restore'] = no_restore
     ctx.obj['gradle_all_sub_projects'] = gradle_all_sub_projects
     ctx.obj['maven_settings_file'] = maven_settings_file
+    ctx.obj['stop_on_error'] = stop_on_error

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/apps/scan/code_scanner.py

@@ -58,6 +58,7 @@ def scan_disk_files(ctx: typer.Context, paths: tuple[str, ...]) -> None:
             scan_type,
             paths,
             is_cycodeignore_allowed=is_cycodeignore_allowed_by_scan_config(ctx),
+            stop_on_error=ctx.obj.get('stop_on_error', False),
         )
 
         # Add entrypoint.cycode file at root path to mark the scan root (only for single path that is a directory)

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/apps/scan/scan_command.py

@@ -41,6 +41,13 @@ def scan_command(
     soft_fail: Annotated[
         bool, typer.Option('--soft-fail', help='Run the scan without failing; always return a non-error status code.')
     ] = False,
+    stop_on_error: Annotated[
+        bool,
+        typer.Option(
+            '--stop-on-error',
+            help='When specified, stops the scan if any file collection or restore failure occurs.',
+        ),
+    ] = False,
     severity_threshold: Annotated[
         SeverityOption,
         typer.Option(
@@ -131,6 +138,7 @@ def scan_command(
 
     ctx.obj['show_secret'] = show_secret
     ctx.obj['soft_fail'] = soft_fail
+    ctx.obj['stop_on_error'] = stop_on_error
     ctx.obj['scan_type'] = scan_type
     ctx.obj['sync'] = sync
     ctx.obj['severity_threshold'] = severity_threshold

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/exceptions/custom_exceptions.py

@@ -64,6 +64,15 @@ class ZipTooLargeError(CycodeError):
         return f'The size of zip to scan is too large, size limit: {self.size_limit}'
 
 
+class FileCollectionError(CycodeError):
+    def __init__(self, error_message: str) -> None:
+        self.error_message = error_message
+        super().__init__(self.error_message)
+
+    def __str__(self) -> str:
+        return self.error_message
+
+
 class AuthProcessError(CycodeError):
     def __init__(self, error_message: str) -> None:
         self.error_message = error_message

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/exceptions/handle_scan_errors.py

@@ -26,6 +26,12 @@ def handle_scan_exception(ctx: typer.Context, err: Exception, *, return_exceptio
             'Please try ignoring irrelevant paths using the `cycode ignore --by-path` command '
             'and execute the scan again',
         ),
+        custom_exceptions.FileCollectionError: CliError(
+            soft_fail=False,
+            code='file_collection_error',
+            message='File collection failed. '
+            'Use --no-restore to skip dependency restoration, or fix the underlying issue.',
+        ),
         custom_exceptions.TfplanKeyError: CliError(
             soft_fail=True,
             code='key_error',

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/files_collector/path_documents.py

@@ -2,6 +2,7 @@ import os
 from collections.abc import Generator
 from typing import TYPE_CHECKING
 
+from cycode.cli.exceptions.custom_exceptions import FileCollectionError
 from cycode.cli.files_collector.file_excluder import excluder
 from cycode.cli.files_collector.iac.tf_content_generator import (
     generate_tf_content_from_tfplan,
@@ -109,6 +110,7 @@ def get_relevant_documents(
     *,
     is_git_diff: bool = False,
     is_cycodeignore_allowed: bool = True,
+    stop_on_error: bool = False,
 ) -> list[Document]:
     relevant_files = _get_relevant_files(
         progress_bar, progress_bar_section, scan_type, paths, is_cycodeignore_allowed=is_cycodeignore_allowed
@@ -119,6 +121,10 @@ def get_relevant_documents(
         progress_bar.update(progress_bar_section)
 
         content = get_file_content(file)
+        if content is None:
+            if stop_on_error:
+                raise FileCollectionError(f'Failed to read file: {file}')
+            continue
         if not content:
             continue
 

{cycode-3.11.6.dev1 → cycode-3.12.1}/cycode/cli/files_collector/sca/sca_file_collector.py

@@ -4,6 +4,7 @@ from typing import TYPE_CHECKING, Optional
 import typer
 
 from cycode.cli import consts
+from cycode.cli.exceptions.custom_exceptions import FileCollectionError
 from cycode.cli.files_collector.repository_documents import get_file_content_from_commit_path
 from cycode.cli.files_collector.sca.base_restore_dependencies import BaseRestoreDependencies
 from cycode.cli.files_collector.sca.go.restore_go_dependencies import RestoreGoDependencies
@@ -116,6 +117,10 @@ def _try_restore_dependencies(
             'Error occurred while trying to generate dependencies tree, %s',
             {'filename': document.path, 'handler': type(restore_dependencies).__name__},
         )
+        if ctx.obj.get('stop_on_error', False):
+            raise FileCollectionError(
+                f'Failed to generate dependencies tree for {document.path} using {type(restore_dependencies).__name__}'
+            )
         return None
 
     if restore_dependencies_document.content is None:

{cycode-3.11.6.dev1 → cycode-3.12.1}/pyproject.toml

@@ -21,7 +21,7 @@ classifiers = [
     "Programming Language :: Python :: 3.14",
 ]
 dynamic = ["dependencies"]
-version = "3.11.6.dev1"
+version = "3.12.1"
 
 [project.scripts]
 cycode = "cycode.cli.app:app"

cycode-3.11.6.dev1/cycode/__init__.py

@@ -1 +0,0 @@
-__version__ = '3.11.6.dev1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag