socketsecurity 2.1.35__tar.gz → 2.2.2__tar.gz

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/.github/workflows/docker-stable.yml

@@ -21,18 +21,18 @@ jobs:
           fi
           echo "Version ${{ inputs.version }} found on PyPI - proceeding with release"
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Login to Docker Hub with Organization Token
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Build & Push Stable Docker
         uses: docker/build-push-action@v5
         with:
@@ -40,4 +40,5 @@ jobs:
           platforms: linux/amd64,linux/arm64
           tags: socketdev/cli:stable
           build-args: |
-            CLI_VERSION=${{ inputs.version }}
+            CLI_VERSION=${{ inputs.version }}
+            

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/.github/workflows/pr-preview.yml

@@ -119,19 +119,19 @@ jobs:
           echo "success=false" >> $GITHUB_OUTPUT
           exit 1
 
-      - name: Login to Docker Hub
-        if: steps.verify_package.outputs.success == 'true'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Login to Docker Hub with Organization Token
+        if: steps.verify_package.outputs.success == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Build & Push Docker Preview
         if: steps.verify_package.outputs.success == 'true'
         uses: docker/build-push-action@v5

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/.github/workflows/release.yml

@@ -68,18 +68,18 @@ jobs:
         if: steps.version_check.outputs.pypi_exists != 'true'
         uses: pypa/gh-action-pypi-publish@v1.12.4
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Login to Docker Hub with Organization Token
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Verify package is installable
         id: verify_package
         env:

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.1.35
+Version: 2.2.2
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -39,7 +39,7 @@ Requires-Dist: packaging
 Requires-Dist: prettytable
 Requires-Dist: python-dotenv
 Requires-Dist: requests
-Requires-Dist: socket-sdk-python<3,>=2.1.5
+Requires-Dist: socket-sdk-python<3,>=2.1.8
 Provides-Extra: dev
 Requires-Dist: hatch; extra == 'dev'
 Requires-Dist: pip-tools>=7.4.0; extra == 'dev'
@@ -172,6 +172,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 |:-------------------------|:---------|:--------|:----------------------------------------------------------------------|
 | --ignore-commit-files    | False    | False   | Ignore commit files                                                   |
 | --disable-blocking       | False    | False   | Disable blocking mode                                                 |
+| --enable-diff            | False    | False   | Enable diff mode even when using --integration api (forces diff mode without SCM integration) |
 | --scm                    | False    | api     | Source control management type                                        |
 | --timeout                | False    |         | Timeout in seconds for API requests                                   |
 | --include-module-folders | False    | False   | If enabled will include manifest files from folders like node_modules |
@@ -234,6 +235,74 @@ The CLI uses intelligent default branch detection with the following priority:
 
 Both `--default-branch` and `--pending-head` parameters are automatically synchronized to ensure consistent behavior.
 
+## GitLab Token Configuration
+
+The CLI supports GitLab integration with automatic authentication pattern detection for different token types.
+
+### Supported Token Types
+
+GitLab API supports two authentication methods, and the CLI automatically detects which one to use:
+
+1. **Bearer Token Authentication** (`Authorization: Bearer <token>`)
+   - GitLab CI Job Tokens (`$CI_JOB_TOKEN`)
+   - Personal Access Tokens with `glpat-` prefix
+   - OAuth 2.0 tokens (long alphanumeric tokens)
+
+2. **Private Token Authentication** (`PRIVATE-TOKEN: <token>`)
+   - Legacy personal access tokens
+   - Custom tokens that don't match Bearer patterns
+
+### Token Detection Logic
+
+The CLI automatically determines the authentication method using this logic:
+
+```
+if token == $CI_JOB_TOKEN:
+    use Bearer authentication
+elif token starts with "glpat-":
+    use Bearer authentication  
+elif token is long (>40 chars) and alphanumeric:
+    use Bearer authentication
+else:
+    use PRIVATE-TOKEN authentication
+```
+
+### Automatic Fallback
+
+If the initial authentication method fails with a 401 error, the CLI automatically retries with the alternative method:
+
+- **Bearer → PRIVATE-TOKEN**: If Bearer authentication fails, retry with PRIVATE-TOKEN
+- **PRIVATE-TOKEN → Bearer**: If PRIVATE-TOKEN fails, retry with Bearer authentication
+
+This ensures maximum compatibility across different GitLab configurations and token types.
+
+### Environment Variables
+
+| Variable | Description | Example |
+|:---------|:------------|:--------|
+| `GITLAB_TOKEN` | GitLab API token (required for GitLab integration) | `glpat-xxxxxxxxxxxxxxxxxxxx` |
+| `CI_JOB_TOKEN` | GitLab CI job token (automatically used in GitLab CI) | Automatically provided by GitLab CI |
+
+### Usage Examples
+
+**GitLab CI with job token (recommended):**
+```yaml
+variables:
+  GITLAB_TOKEN: $CI_JOB_TOKEN
+```
+
+**GitLab CI with personal access token:**
+```yaml
+variables:
+  GITLAB_TOKEN: $GITLAB_PERSONAL_ACCESS_TOKEN  # Set in GitLab project/group variables
+```
+
+**Local development:**
+```bash
+export GITLAB_TOKEN="glpat-your-personal-access-token"
+socketcli --integration gitlab --repo owner/repo --pr-number 123
+```
+
 ### Scan Behavior
 
 The CLI determines scanning behavior intelligently:
@@ -261,6 +330,7 @@ The CLI determines which files to scan based on the following logic:
 - **Differential Mode**: When manifest files are detected in changes, performs a diff scan with PR/MR comment integration
 - **API Mode**: When no manifest files are in changes, creates a full scan report without PR comments but still scans the entire repository
 - **Force Mode**: With `--ignore-commit-files`, always performs a full scan regardless of changes
+- **Forced Diff Mode**: With `--enable-diff`, forces differential mode even when using `--integration api` (without SCM integration)
 
 ### Examples
 
@@ -268,6 +338,7 @@ The CLI determines which files to scan based on the following logic:
 - **Commit without manifest files**: If your commit only changes non-manifest files (like `.github/workflows/socket.yaml`), the CLI automatically switches to API mode and performs a full repository scan.
 - **Using `--files`**: If you specify `--files '["package.json"]'`, the CLI will check if this file exists and is a manifest file before determining scan type.
 - **Using `--ignore-commit-files`**: This forces a full scan of all manifest files in the target path, regardless of what's in your commit.
+- **Using `--enable-diff`**: Forces diff mode without SCM integration - useful when you want differential scanning but are using `--integration api`. For example: `socketcli --integration api --enable-diff --target-path /path/to/repo`
 - **Auto-detection**: Most CI/CD scenarios now work with just `socketcli --target-path /path/to/repo --scm github --pr-number $PR_NUM`
 
 ## Debugging and Troubleshooting
@@ -393,4 +464,10 @@ Implementation targets:
 
 ### Environment Variables
 
+#### Core Configuration
+- `SOCKET_SECURITY_API_KEY`: Socket Security API token (alternative to --api-token parameter)
 - `SOCKET_SDK_PATH`: Path to local socket-sdk-python repository (default: ../socket-sdk-python)
+
+#### GitLab Integration
+- `GITLAB_TOKEN`: GitLab API token for GitLab integration (supports both Bearer and PRIVATE-TOKEN authentication)
+- `CI_JOB_TOKEN`: GitLab CI job token (automatically provided in GitLab CI environments)

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/README.md

@@ -116,6 +116,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 |:-------------------------|:---------|:--------|:----------------------------------------------------------------------|
 | --ignore-commit-files    | False    | False   | Ignore commit files                                                   |
 | --disable-blocking       | False    | False   | Disable blocking mode                                                 |
+| --enable-diff            | False    | False   | Enable diff mode even when using --integration api (forces diff mode without SCM integration) |
 | --scm                    | False    | api     | Source control management type                                        |
 | --timeout                | False    |         | Timeout in seconds for API requests                                   |
 | --include-module-folders | False    | False   | If enabled will include manifest files from folders like node_modules |
@@ -178,6 +179,74 @@ The CLI uses intelligent default branch detection with the following priority:
 
 Both `--default-branch` and `--pending-head` parameters are automatically synchronized to ensure consistent behavior.
 
+## GitLab Token Configuration
+
+The CLI supports GitLab integration with automatic authentication pattern detection for different token types.
+
+### Supported Token Types
+
+GitLab API supports two authentication methods, and the CLI automatically detects which one to use:
+
+1. **Bearer Token Authentication** (`Authorization: Bearer <token>`)
+   - GitLab CI Job Tokens (`$CI_JOB_TOKEN`)
+   - Personal Access Tokens with `glpat-` prefix
+   - OAuth 2.0 tokens (long alphanumeric tokens)
+
+2. **Private Token Authentication** (`PRIVATE-TOKEN: <token>`)
+   - Legacy personal access tokens
+   - Custom tokens that don't match Bearer patterns
+
+### Token Detection Logic
+
+The CLI automatically determines the authentication method using this logic:
+
+```
+if token == $CI_JOB_TOKEN:
+    use Bearer authentication
+elif token starts with "glpat-":
+    use Bearer authentication  
+elif token is long (>40 chars) and alphanumeric:
+    use Bearer authentication
+else:
+    use PRIVATE-TOKEN authentication
+```
+
+### Automatic Fallback
+
+If the initial authentication method fails with a 401 error, the CLI automatically retries with the alternative method:
+
+- **Bearer → PRIVATE-TOKEN**: If Bearer authentication fails, retry with PRIVATE-TOKEN
+- **PRIVATE-TOKEN → Bearer**: If PRIVATE-TOKEN fails, retry with Bearer authentication
+
+This ensures maximum compatibility across different GitLab configurations and token types.
+
+### Environment Variables
+
+| Variable | Description | Example |
+|:---------|:------------|:--------|
+| `GITLAB_TOKEN` | GitLab API token (required for GitLab integration) | `glpat-xxxxxxxxxxxxxxxxxxxx` |
+| `CI_JOB_TOKEN` | GitLab CI job token (automatically used in GitLab CI) | Automatically provided by GitLab CI |
+
+### Usage Examples
+
+**GitLab CI with job token (recommended):**
+```yaml
+variables:
+  GITLAB_TOKEN: $CI_JOB_TOKEN
+```
+
+**GitLab CI with personal access token:**
+```yaml
+variables:
+  GITLAB_TOKEN: $GITLAB_PERSONAL_ACCESS_TOKEN  # Set in GitLab project/group variables
+```
+
+**Local development:**
+```bash
+export GITLAB_TOKEN="glpat-your-personal-access-token"
+socketcli --integration gitlab --repo owner/repo --pr-number 123
+```
+
 ### Scan Behavior
 
 The CLI determines scanning behavior intelligently:
@@ -205,6 +274,7 @@ The CLI determines which files to scan based on the following logic:
 - **Differential Mode**: When manifest files are detected in changes, performs a diff scan with PR/MR comment integration
 - **API Mode**: When no manifest files are in changes, creates a full scan report without PR comments but still scans the entire repository
 - **Force Mode**: With `--ignore-commit-files`, always performs a full scan regardless of changes
+- **Forced Diff Mode**: With `--enable-diff`, forces differential mode even when using `--integration api` (without SCM integration)
 
 ### Examples
 
@@ -212,6 +282,7 @@ The CLI determines which files to scan based on the following logic:
 - **Commit without manifest files**: If your commit only changes non-manifest files (like `.github/workflows/socket.yaml`), the CLI automatically switches to API mode and performs a full repository scan.
 - **Using `--files`**: If you specify `--files '["package.json"]'`, the CLI will check if this file exists and is a manifest file before determining scan type.
 - **Using `--ignore-commit-files`**: This forces a full scan of all manifest files in the target path, regardless of what's in your commit.
+- **Using `--enable-diff`**: Forces diff mode without SCM integration - useful when you want differential scanning but are using `--integration api`. For example: `socketcli --integration api --enable-diff --target-path /path/to/repo`
 - **Auto-detection**: Most CI/CD scenarios now work with just `socketcli --target-path /path/to/repo --scm github --pr-number $PR_NUM`
 
 ## Debugging and Troubleshooting
@@ -337,4 +408,10 @@ Implementation targets:
 
 ### Environment Variables
 
+#### Core Configuration
+- `SOCKET_SECURITY_API_KEY`: Socket Security API token (alternative to --api-token parameter)
 - `SOCKET_SDK_PATH`: Path to local socket-sdk-python repository (default: ../socket-sdk-python)
+
+#### GitLab Integration
+- `GITLAB_TOKEN`: GitLab API token for GitLab integration (supports both Bearer and PRIVATE-TOKEN authentication)
+- `CI_JOB_TOKEN`: GitLab CI job token (automatically provided in GitLab CI environments)

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.1.35"
+version = "2.2.2"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,7 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    'socket-sdk-python>=2.1.5,<3'
+    'socket-sdk-python>=2.1.8,<3'
 ]
 readme = "README.md"
 description = "Socket Security CLI for CI/CD"

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/requirements.txt

@@ -59,7 +59,7 @@ requests==2.32.4
     # via socketsecurity
 smmap==5.0.2
     # via gitdb
-socket-sdk-python==2.1.5
+socket-sdk-python==2.1.8
     # via socketsecurity
 typing-extensions==4.12.2
     # via socket-sdk-python

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/socketsecurity/__init__.py

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.1.35'
+__version__ = '2.2.2'

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/socketsecurity/config.py

@@ -48,6 +48,7 @@ class CliConfig:
     integration_type: IntegrationType = "api"
     integration_org_slug: Optional[str] = None
     pending_head: bool = False
+    enable_diff: bool = False
     timeout: Optional[int] = 1200
     exclude_license_details: bool = False
     include_module_folders: bool = False
@@ -421,6 +422,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help=argparse.SUPPRESS
     )
+    advanced_group.add_argument(
+        "--enable-diff",
+        dest="enable_diff",
+        action="store_true",
+        help="Enable diff mode even when using --integration api (forces diff mode without SCM integration)"
+    )
     advanced_group.add_argument(
         "--scm",
         metavar="<type>",

{socketsecurity-2.1.35 → socketsecurity-2.2.2}/socketsecurity/core/__init__.py

@@ -2,6 +2,7 @@ import logging
 import os
 import sys
 import tarfile
+import tempfile
 import time
 import io
 import json
@@ -30,7 +31,6 @@ from socketsecurity.core.exceptions import APIResourceNotFound
 from .socket_config import SocketConfig
 from .utils import socket_globs
 from .resource_utils import check_file_count_against_ulimit
-from .lazy_file_loader import load_files_for_sending_lazy
 import importlib
 logging_std = importlib.import_module("logging")
 
@@ -338,10 +338,10 @@ class Core:
         ulimit_check = check_file_count_against_ulimit(file_count)
         if ulimit_check["can_check"]:
             if ulimit_check["would_exceed"]:
-                log.warning(f"Found {file_count} manifest files, which may exceed the file descriptor limit (ulimit -n = {ulimit_check['soft_limit']})")
-                log.warning(f"Available file descriptors: {ulimit_check['available_fds']} (after {ulimit_check['buffer_size']} buffer)")
-                log.warning(f"Recommendation: {ulimit_check['recommendation']}")
-                log.warning("This may cause 'Too many open files' errors during processing")
+                log.debug(f"Found {file_count} manifest files, which may exceed the file descriptor limit (ulimit -n = {ulimit_check['soft_limit']})")
+                log.debug(f"Available file descriptors: {ulimit_check['available_fds']} (after {ulimit_check['buffer_size']} buffer)")
+                log.debug(f"Recommendation: {ulimit_check['recommendation']}")
+                log.debug("This may cause 'Too many open files' errors during processing")
             else:
                 log.debug(f"File count ({file_count}) is within file descriptor limit ({ulimit_check['soft_limit']})")
         else:
@@ -434,37 +434,29 @@ class Core:
         return ''.join(f'[{char.lower()}{char.upper()}]' if char.isalpha() else char for char in input_string)
 
     @staticmethod
-    def empty_head_scan_file() -> list[tuple[str, tuple[str, Union[BinaryIO, BytesIO]]]]:
-        # Create an empty file for when no head full scan so that the diff endpoint can always be used
-        empty_file_obj = io.BytesIO(b"")
-        empty_filename = "initial_head_scan"
-        empty_full_scan_file = [(empty_filename, (empty_filename, empty_file_obj))]
-        return empty_full_scan_file
-
-    @staticmethod
-    def load_files_for_sending(files: List[str], workspace: str) -> List[Tuple[str, Tuple[str, BinaryIO]]]:
+    def empty_head_scan_file() -> List[str]:
         """
-        Prepares files for sending to the Socket API using lazy loading.
+        Creates a temporary empty file for baseline scans when no head scan exists.
         
-        This version uses lazy file loading to prevent "Too many open files" errors
-        when processing large numbers of manifest files.
-
-        Args:
-            files: List of file paths from find_files()
-            workspace: Base directory path to make paths relative to
-
         Returns:
-            List of tuples formatted for requests multipart upload:
-            [(field_name, (filename, file_object)), ...]
+            List containing path to a temporary empty file
         """
-        return load_files_for_sending_lazy(files, workspace)
+        # Create a temporary empty file
+        temp_fd, temp_path = tempfile.mkstemp(suffix='.empty', prefix='socket_baseline_')
+        
+        # Close the file descriptor since we just need the path
+        # The file is already created and empty
+        os.close(temp_fd)
+        
+        log.debug(f"Created temporary empty file for baseline scan: {temp_path}")
+        return [temp_path]
 
-    def create_full_scan(self, files: list[tuple[str, tuple[str, BytesIO]]], params: FullScanParams) -> FullScan:
+    def create_full_scan(self, files: List[str], params: FullScanParams) -> FullScan:
         """
         Creates a new full scan via the Socket API.
 
         Args:
-            files: List of files to scan
+            files: List of file paths to scan
             params: Parameters for the full scan
 
         Returns:
@@ -473,7 +465,7 @@ class Core:
         log.info("Creating new full scan")
         create_full_start = time.time()
 
-        res = self.sdk.fullscans.post(files, params, use_types=True)
+        res = self.sdk.fullscans.post(files, params, use_types=True, use_lazy_loading=True, max_open_files=50)
         if not res.success:
             log.error(f"Error creating full scan: {res.message}, status: {res.status}")
             raise Exception(f"Error creating full scan: {res.message}, status: {res.status}")
@@ -525,14 +517,13 @@ class Core:
         if save_manifest_tar_path and files:
             self.save_manifest_tar(files, save_manifest_tar_path, path)
         
-        files_for_sending = self.load_files_for_sending(files, path)
         if not files:
             return diff
 
         try:
             # Create new scan
             new_scan_start = time.time()
-            new_full_scan = self.create_full_scan(files_for_sending, params)
+            new_full_scan = self.create_full_scan(files, params)
             new_scan_end = time.time()
             log.info(f"Total time to create new full scan: {new_scan_end - new_scan_start:.2f}")
         except APIFailure as e:
@@ -779,7 +770,15 @@ class Core:
         log.info(f"Comparing scans - Head scan ID: {head_full_scan_id}, New scan ID: {new_full_scan_id}")
         diff_start = time.time()
         try:
-            diff_report = self.sdk.fullscans.stream_diff(self.config.org_slug, head_full_scan_id, new_full_scan_id, use_types=True).data
+            diff_report = (
+                self.sdk.fullscans.stream_diff
+                           (
+                    self.config.org_slug,
+                    head_full_scan_id,
+                    new_full_scan_id,
+                    use_types=True
+                ).data
+            )
         except APIFailure as e:
             log.error(f"API Error: {e}")
             sys.exit(1)
@@ -877,7 +876,6 @@ class Core:
         if save_manifest_tar_path and files:
             self.save_manifest_tar(files, save_manifest_tar_path, path)
         
-        files_for_sending = self.load_files_for_sending(files, path)
         if not files:
             return Diff(id="NO_DIFF_RAN", diff_url="", report_url="")
 
@@ -887,7 +885,9 @@ class Core:
         except APIResourceNotFound:
             head_full_scan_id = None
 
+        # If no head scan exists, create an empty baseline scan
         if head_full_scan_id is None:
+            log.info("No previous scan found - creating empty baseline scan")
             new_params = copy.deepcopy(params.__dict__)
             new_params.pop('include_license_details')
             tmp_params = FullScanParams(**new_params)
@@ -895,13 +895,34 @@ class Core:
             tmp_params.tmp = True
             tmp_params.set_as_pending_head = False
             tmp_params.make_default_branch = False
-            head_full_scan = self.create_full_scan(Core.empty_head_scan_file(), tmp_params)
-            head_full_scan_id = head_full_scan.id
+            
+            # Create baseline scan with empty file
+            empty_files = Core.empty_head_scan_file()
+            try:
+                head_full_scan = self.create_full_scan(empty_files, tmp_params)
+                head_full_scan_id = head_full_scan.id
+                log.debug(f"Created empty baseline scan: {head_full_scan_id}")
+                
+                # Clean up the temporary empty file
+                for temp_file in empty_files:
+                    try:
+                        os.unlink(temp_file)
+                        log.debug(f"Cleaned up temporary file: {temp_file}")
+                    except OSError as e:
+                        log.warning(f"Failed to clean up temporary file {temp_file}: {e}")
+            except Exception as e:
+                # Clean up temp files even if scan creation fails
+                for temp_file in empty_files:
+                    try:
+                        os.unlink(temp_file)
+                    except OSError:
+                        pass
+                raise e
 
         # Create new scan
         try:
             new_scan_start = time.time()
-            new_full_scan = self.create_full_scan(files_for_sending, params)
+            new_full_scan = self.create_full_scan(files, params)
             new_scan_end = time.time()
             log.info(f"Total time to create new full scan: {new_scan_end - new_scan_start:.2f}")
         except APIFailure as e:
@@ -913,6 +934,7 @@ class Core:
             log.error(f"Stack trace:\n{traceback.format_exc()}")
             raise
 
+        # Handle diff generation - now we always have both scans
         scans_ready = self.check_full_scans_status(head_full_scan_id, new_full_scan.id)
         if scans_ready is False:
             log.error(f"Full scans did not complete within {self.config.timeout} seconds")
@@ -1134,6 +1156,12 @@ class Core:
             alert = Alert(**alert_item)
             props = getattr(self.config.all_issues, alert.type, default_props)
             introduced_by = self.get_source_data(package, packages)
+            
+            # Handle special case for license policy violations
+            title = props.title
+            if alert.type == "licenseSpdxDisj" and not title:
+                title = "License Policy Violation"
+            
             issue_alert = Issue(
                 pkg_type=package.type,
                 pkg_name=package.name,
@@ -1144,7 +1172,7 @@ class Core:
                 type=alert.type,
                 severity=alert.severity,
                 description=props.description,
-                title=props.title,
+                title=title,
                 suggestion=props.suggestion,
                 next_step_title=props.nextStepTitle,
                 introduced_by=introduced_by,
@@ -1156,11 +1184,10 @@ class Core:
                 action = self.config.security_policy[alert.type]['action']
                 setattr(issue_alert, action, True)
 
-            if issue_alert.type != 'licenseSpdxDisj':
-                if issue_alert.key not in alerts_collection:
-                    alerts_collection[issue_alert.key] = [issue_alert]
-                else:
-                    alerts_collection[issue_alert.key].append(issue_alert)
+            if issue_alert.key not in alerts_collection:
+                alerts_collection[issue_alert.key] = [issue_alert]
+            else:
+                alerts_collection[issue_alert.key].append(issue_alert)
 
         return alerts_collection
 
@@ -1232,7 +1259,8 @@ class Core:
             if alert_key not in removed_package_alerts:
                 new_alerts = added_package_alerts[alert_key]
                 for alert in new_alerts:
-                    alert_str = f"{alert.purl},{alert.manifests},{alert.type}"
+                    # Consolidate by package and alert type, not by manifest details
+                    alert_str = f"{alert.purl},{alert.type}"
 
                     if alert.error or alert.warn:
                         if alert_str not in consolidated_alerts:
@@ -1243,7 +1271,8 @@ class Core:
                 removed_alerts = removed_package_alerts[alert_key]
 
                 for alert in new_alerts:
-                    alert_str = f"{alert.purl},{alert.manifests},{alert.type}"
+                    # Consolidate by package and alert type, not by manifest details
+                    alert_str = f"{alert.purl},{alert.type}"
 
                     # Only add if:
                     # 1. Alert isn't in removed packages (or we're not ignoring readded alerts)