socketsecurity 2.2.0__tar.gz → 2.2.4__tar.gz

{socketsecurity-2.2.0 → socketsecurity-2.2.4}/Dockerfile

@@ -18,5 +18,5 @@ RUN for i in $(seq 1 10); do \
         sleep 30; \
     done && \
     if [ ! -z "$SDK_VERSION" ]; then \
-        pip install --index-url ${PIP_INDEX_URL} --extra-index-url ${PIP_EXTRA_INDEX_URL} socket-sdk-python==${SDK_VERSION}; \
+        pip install --index-url ${PIP_INDEX_URL} --extra-index-url ${PIP_EXTRA_INDEX_URL} socketdev==${SDK_VERSION}; \
     fi

socketsecurity-2.2.4/Makefile

@@ -0,0 +1,62 @@
+.PHONY: setup sync clean test lint update-lock local-dev first-time-setup dev-setup sync-all first-time-local-setup
+
+# Environment variable for local SDK path (optional)
+SOCKET_SDK_PATH ?= ../socketdev
+
+# Environment variable to control local development mode
+USE_LOCAL_SDK ?= false
+
+# === High-level workflow targets ===
+
+# First-time repo setup after cloning (using PyPI packages)
+first-time-setup: clean setup
+
+# First-time setup for local development (using local SDK)
+first-time-local-setup: 
+	$(MAKE) clean
+	$(MAKE) USE_LOCAL_SDK=true dev-setup
+
+# Update lock file after changing pyproject.toml
+update-lock:
+	uv lock
+
+# Setup for local development
+dev-setup: clean local-dev setup
+
+# Sync all dependencies after pulling changes
+sync-all: sync
+
+# === Implementation targets ===
+
+# Installs dependencies needed for local development
+# Currently: socketdev from test PyPI or local path
+local-dev:
+ifeq ($(USE_LOCAL_SDK),true)
+	uv add --editable $(SOCKET_SDK_PATH)
+endif
+
+# Creates virtual environment and installs dependencies from uv.lock
+setup: update-lock
+	uv sync --all-extras
+ifeq ($(USE_LOCAL_SDK),true)
+	uv add --editable $(SOCKET_SDK_PATH)
+endif
+
+# Installs exact versions from uv.lock into your virtual environment
+sync:
+	uv sync --all-extras
+ifeq ($(USE_LOCAL_SDK),true)
+	uv add --editable $(SOCKET_SDK_PATH)
+endif
+
+# Removes virtual environment and cache files
+clean:
+	rm -rf .venv
+	find . -type d -name "__pycache__" -exec rm -rf {} +
+
+test:
+	uv run pytest
+
+lint:
+	uv run ruff check .
+	uv run ruff format --check .

{socketsecurity-2.2.0 → socketsecurity-2.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.0
+Version: 2.2.4
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -39,13 +39,13 @@ Requires-Dist: packaging
 Requires-Dist: prettytable
 Requires-Dist: python-dotenv
 Requires-Dist: requests
-Requires-Dist: socket-sdk-python<3,>=2.1.8
+Requires-Dist: socketdev<4.0.0,>=3.0.0
 Provides-Extra: dev
 Requires-Dist: hatch; extra == 'dev'
-Requires-Dist: pip-tools>=7.4.0; extra == 'dev'
 Requires-Dist: pre-commit; extra == 'dev'
 Requires-Dist: ruff>=0.3.0; extra == 'dev'
 Requires-Dist: twine; extra == 'dev'
+Requires-Dist: uv>=0.1.0; extra == 'dev'
 Provides-Extra: test
 Requires-Dist: pytest-asyncio>=0.23.0; extra == 'test'
 Requires-Dist: pytest-cov>=4.1.0; extra == 'test'
@@ -235,6 +235,74 @@ The CLI uses intelligent default branch detection with the following priority:
 
 Both `--default-branch` and `--pending-head` parameters are automatically synchronized to ensure consistent behavior.
 
+## GitLab Token Configuration
+
+The CLI supports GitLab integration with automatic authentication pattern detection for different token types.
+
+### Supported Token Types
+
+GitLab API supports two authentication methods, and the CLI automatically detects which one to use:
+
+1. **Bearer Token Authentication** (`Authorization: Bearer <token>`)
+   - GitLab CI Job Tokens (`$CI_JOB_TOKEN`)
+   - Personal Access Tokens with `glpat-` prefix
+   - OAuth 2.0 tokens (long alphanumeric tokens)
+
+2. **Private Token Authentication** (`PRIVATE-TOKEN: <token>`)
+   - Legacy personal access tokens
+   - Custom tokens that don't match Bearer patterns
+
+### Token Detection Logic
+
+The CLI automatically determines the authentication method using this logic:
+
+```
+if token == $CI_JOB_TOKEN:
+    use Bearer authentication
+elif token starts with "glpat-":
+    use Bearer authentication  
+elif token is long (>40 chars) and alphanumeric:
+    use Bearer authentication
+else:
+    use PRIVATE-TOKEN authentication
+```
+
+### Automatic Fallback
+
+If the initial authentication method fails with a 401 error, the CLI automatically retries with the alternative method:
+
+- **Bearer → PRIVATE-TOKEN**: If Bearer authentication fails, retry with PRIVATE-TOKEN
+- **PRIVATE-TOKEN → Bearer**: If PRIVATE-TOKEN fails, retry with Bearer authentication
+
+This ensures maximum compatibility across different GitLab configurations and token types.
+
+### Environment Variables
+
+| Variable | Description | Example |
+|:---------|:------------|:--------|
+| `GITLAB_TOKEN` | GitLab API token (required for GitLab integration) | `glpat-xxxxxxxxxxxxxxxxxxxx` |
+| `CI_JOB_TOKEN` | GitLab CI job token (automatically used in GitLab CI) | Automatically provided by GitLab CI |
+
+### Usage Examples
+
+**GitLab CI with job token (recommended):**
+```yaml
+variables:
+  GITLAB_TOKEN: $CI_JOB_TOKEN
+```
+
+**GitLab CI with personal access token:**
+```yaml
+variables:
+  GITLAB_TOKEN: $GITLAB_PERSONAL_ACCESS_TOKEN  # Set in GitLab project/group variables
+```
+
+**Local development:**
+```bash
+export GITLAB_TOKEN="glpat-your-personal-access-token"
+socketcli --integration gitlab --repo owner/repo --pr-number 123
+```
+
 ### Scan Behavior
 
 The CLI determines scanning behavior intelligently:
@@ -359,9 +427,9 @@ make first-time-setup
 2. Local Development Setup (for SDK development):
 ```bash
 pyenv local 3.11  # Ensure correct Python version
-SOCKET_SDK_PATH=~/path/to/socket-sdk-python make first-time-local-setup
+SOCKET_SDK_PATH=~/path/to/socketdev make first-time-local-setup
 ```
-The default SDK path is `../socket-sdk-python` if not specified.
+The default SDK path is `../socketdev` if not specified.
 
 #### Ongoing Development Tasks
 
@@ -380,20 +448,24 @@ make sync-all
 High-level workflows:
 - `make first-time-setup`: Complete setup using PyPI packages
 - `make first-time-local-setup`: Complete setup for local SDK development
-- `make update-deps`: Update requirements.txt files and sync dependencies
+- `make update-lock`: Update uv.lock file after changing pyproject.toml
 - `make sync-all`: Sync dependencies after pulling changes
 - `make dev-setup`: Setup for local development (included in first-time-local-setup)
 
 Implementation targets:
-- `make init-tools`: Creates virtual environment and installs pip-tools
 - `make local-dev`: Installs dependencies needed for local development
-- `make compile-deps`: Generates requirements.txt files with locked versions
-- `make setup`: Creates virtual environment and installs dependencies
-- `make sync-deps`: Installs exact versions from requirements.txt
+- `make setup`: Creates virtual environment and installs dependencies from uv.lock
+- `make sync`: Installs exact versions from uv.lock
 - `make clean`: Removes virtual environment and cache files
-- `make test`: Runs pytest suite
-- `make lint`: Runs ruff for code formatting and linting
+- `make test`: Runs pytest suite using uv run
+- `make lint`: Runs ruff for code formatting and linting using uv run
 
 ### Environment Variables
 
-- `SOCKET_SDK_PATH`: Path to local socket-sdk-python repository (default: ../socket-sdk-python)
+#### Core Configuration
+- `SOCKET_SECURITY_API_KEY`: Socket Security API token (alternative to --api-token parameter)
+- `SOCKET_SDK_PATH`: Path to local socketdev repository (default: ../socketdev)
+
+#### GitLab Integration
+- `GITLAB_TOKEN`: GitLab API token for GitLab integration (supports both Bearer and PRIVATE-TOKEN authentication)
+- `CI_JOB_TOKEN`: GitLab CI job token (automatically provided in GitLab CI environments)

{socketsecurity-2.2.0 → socketsecurity-2.2.4}/README.md

@@ -179,6 +179,74 @@ The CLI uses intelligent default branch detection with the following priority:
 
 Both `--default-branch` and `--pending-head` parameters are automatically synchronized to ensure consistent behavior.
 
+## GitLab Token Configuration
+
+The CLI supports GitLab integration with automatic authentication pattern detection for different token types.
+
+### Supported Token Types
+
+GitLab API supports two authentication methods, and the CLI automatically detects which one to use:
+
+1. **Bearer Token Authentication** (`Authorization: Bearer <token>`)
+   - GitLab CI Job Tokens (`$CI_JOB_TOKEN`)
+   - Personal Access Tokens with `glpat-` prefix
+   - OAuth 2.0 tokens (long alphanumeric tokens)
+
+2. **Private Token Authentication** (`PRIVATE-TOKEN: <token>`)
+   - Legacy personal access tokens
+   - Custom tokens that don't match Bearer patterns
+
+### Token Detection Logic
+
+The CLI automatically determines the authentication method using this logic:
+
+```
+if token == $CI_JOB_TOKEN:
+    use Bearer authentication
+elif token starts with "glpat-":
+    use Bearer authentication  
+elif token is long (>40 chars) and alphanumeric:
+    use Bearer authentication
+else:
+    use PRIVATE-TOKEN authentication
+```
+
+### Automatic Fallback
+
+If the initial authentication method fails with a 401 error, the CLI automatically retries with the alternative method:
+
+- **Bearer → PRIVATE-TOKEN**: If Bearer authentication fails, retry with PRIVATE-TOKEN
+- **PRIVATE-TOKEN → Bearer**: If PRIVATE-TOKEN fails, retry with Bearer authentication
+
+This ensures maximum compatibility across different GitLab configurations and token types.
+
+### Environment Variables
+
+| Variable | Description | Example |
+|:---------|:------------|:--------|
+| `GITLAB_TOKEN` | GitLab API token (required for GitLab integration) | `glpat-xxxxxxxxxxxxxxxxxxxx` |
+| `CI_JOB_TOKEN` | GitLab CI job token (automatically used in GitLab CI) | Automatically provided by GitLab CI |
+
+### Usage Examples
+
+**GitLab CI with job token (recommended):**
+```yaml
+variables:
+  GITLAB_TOKEN: $CI_JOB_TOKEN
+```
+
+**GitLab CI with personal access token:**
+```yaml
+variables:
+  GITLAB_TOKEN: $GITLAB_PERSONAL_ACCESS_TOKEN  # Set in GitLab project/group variables
+```
+
+**Local development:**
+```bash
+export GITLAB_TOKEN="glpat-your-personal-access-token"
+socketcli --integration gitlab --repo owner/repo --pr-number 123
+```
+
 ### Scan Behavior
 
 The CLI determines scanning behavior intelligently:
@@ -303,9 +371,9 @@ make first-time-setup
 2. Local Development Setup (for SDK development):
 ```bash
 pyenv local 3.11  # Ensure correct Python version
-SOCKET_SDK_PATH=~/path/to/socket-sdk-python make first-time-local-setup
+SOCKET_SDK_PATH=~/path/to/socketdev make first-time-local-setup
 ```
-The default SDK path is `../socket-sdk-python` if not specified.
+The default SDK path is `../socketdev` if not specified.
 
 #### Ongoing Development Tasks
 
@@ -324,20 +392,24 @@ make sync-all
 High-level workflows:
 - `make first-time-setup`: Complete setup using PyPI packages
 - `make first-time-local-setup`: Complete setup for local SDK development
-- `make update-deps`: Update requirements.txt files and sync dependencies
+- `make update-lock`: Update uv.lock file after changing pyproject.toml
 - `make sync-all`: Sync dependencies after pulling changes
 - `make dev-setup`: Setup for local development (included in first-time-local-setup)
 
 Implementation targets:
-- `make init-tools`: Creates virtual environment and installs pip-tools
 - `make local-dev`: Installs dependencies needed for local development
-- `make compile-deps`: Generates requirements.txt files with locked versions
-- `make setup`: Creates virtual environment and installs dependencies
-- `make sync-deps`: Installs exact versions from requirements.txt
+- `make setup`: Creates virtual environment and installs dependencies from uv.lock
+- `make sync`: Installs exact versions from uv.lock
 - `make clean`: Removes virtual environment and cache files
-- `make test`: Runs pytest suite
-- `make lint`: Runs ruff for code formatting and linting
+- `make test`: Runs pytest suite using uv run
+- `make lint`: Runs ruff for code formatting and linting using uv run
 
 ### Environment Variables
 
-- `SOCKET_SDK_PATH`: Path to local socket-sdk-python repository (default: ../socket-sdk-python)
+#### Core Configuration
+- `SOCKET_SECURITY_API_KEY`: Socket Security API token (alternative to --api-token parameter)
+- `SOCKET_SDK_PATH`: Path to local socketdev repository (default: ../socketdev)
+
+#### GitLab Integration
+- `GITLAB_TOKEN`: GitLab API token for GitLab integration (supports both Bearer and PRIVATE-TOKEN authentication)
+- `CI_JOB_TOKEN`: GitLab CI job token (automatically provided in GitLab CI environments)

{socketsecurity-2.2.0 → socketsecurity-2.2.4}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.0"
+version = "2.2.4"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,7 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    'socket-sdk-python>=2.1.8,<3'
+    'socketdev>=3.0.0,<4.0.0'
 ]
 readme = "README.md"
 description = "Socket Security CLI for CI/CD"
@@ -45,7 +45,7 @@ test = [
 dev = [
     "ruff>=0.3.0",
     "twine", # for building
-    "pip-tools>=7.4.0",  # for pip-compile
+    "uv>=0.1.0",  # for dependency management
     "pre-commit",
     "hatch"
 ]

{socketsecurity-2.2.0 → socketsecurity-2.2.4}/scripts/deploy-test-docker.sh

@@ -29,7 +29,7 @@ fi
 
 if [ -z "$SDK_VERSION" ]; then
     echo "No SDK version specified, checking TestPyPI for latest version..."
-    SDK_VERSION=$(get_latest_version "socket-sdk-python")
+    SDK_VERSION=$(get_latest_version "socketdev")
     echo "Latest SDK version on TestPyPI is: $SDK_VERSION"
 fi
 

{socketsecurity-2.2.0 → socketsecurity-2.2.4}/socketsecurity/__init__.py

@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.0'
+__version__ = '2.2.4'

socketsecurity-2.2.4/socketsecurity/core/scm/client.py

@@ -0,0 +1,84 @@
+from abc import abstractmethod
+from typing import Dict
+
+from ..cli_client import CliClient
+
+
+class ScmClient(CliClient):
+    def __init__(self, token: str, api_url: str):
+        self.token = token
+        self.api_url = api_url
+
+    @abstractmethod
+    def get_headers(self) -> Dict:
+        """Each SCM implements its own auth headers"""
+        pass
+
+    def request(self, path: str, **kwargs):
+        """Override base request to use SCM-specific headers and base_url"""
+        headers = kwargs.pop('headers', None) or self.get_headers()
+        return super().request(
+            path=path,
+            headers=headers,
+            base_url=self.api_url,
+            **kwargs
+        )
+
+class GithubClient(ScmClient):
+    def get_headers(self) -> Dict:
+        return {
+            'Authorization': f"Bearer {self.token}",
+            'User-Agent': 'SocketPythonScript/0.0.1',
+            "accept": "application/json"
+        }
+
+class GitlabClient(ScmClient):
+    def get_headers(self) -> Dict:
+        """
+        Determine the appropriate authentication headers for GitLab API.
+        Uses the same logic as GitlabConfig._get_auth_headers()
+        """
+        return self._get_gitlab_auth_headers(self.token)
+    
+    @staticmethod
+    def _get_gitlab_auth_headers(token: str) -> dict:
+        """
+        Determine the appropriate authentication headers for GitLab API.
+        
+        GitLab supports two authentication patterns:
+        1. Bearer token (OAuth 2.0 tokens, personal access tokens with api scope)
+        2. Private token (personal access tokens)
+        """
+        import os
+        
+        base_headers = {
+            'User-Agent': 'SocketPythonScript/0.0.1',
+            "accept": "application/json"
+        }
+        
+        # Check if this is a GitLab CI job token
+        if token == os.getenv('CI_JOB_TOKEN'):
+            return {
+                **base_headers,
+                'Authorization': f"Bearer {token}"
+            }
+        
+        # Check for personal access token pattern
+        if token.startswith('glpat-'):
+            return {
+                **base_headers,
+                'Authorization': f"Bearer {token}"
+            }
+        
+        # Check for OAuth token pattern (typically longer and alphanumeric)
+        if len(token) > 40 and token.isalnum():
+            return {
+                **base_headers,
+                'Authorization': f"Bearer {token}"
+            }
+        
+        # Default to PRIVATE-TOKEN for other token types
+        return {
+            **base_headers,
+            'PRIVATE-TOKEN': f"{token}"
+        }

{socketsecurity-2.2.0 → socketsecurity-2.2.4}/socketsecurity/core/scm/gitlab.py

@@ -42,6 +42,9 @@ class GitlabConfig:
         mr_source_branch = os.getenv('CI_MERGE_REQUEST_SOURCE_BRANCH_NAME')
         default_branch = os.getenv('CI_DEFAULT_BRANCH', '')
 
+        # Determine which authentication pattern to use
+        headers = cls._get_auth_headers(token)
+
         return cls(
             commit_sha=os.getenv('CI_COMMIT_SHA', ''),
             api_url=os.getenv('CI_API_V4_URL', ''),
@@ -57,18 +60,119 @@ class GitlabConfig:
             token=token,
             repository=project_name,
             is_default_branch=(mr_source_branch == default_branch if mr_source_branch else False),
-            headers={
-                'Authorization': f"Bearer {token}",
-                'User-Agent': 'SocketPythonScript/0.0.1',
-                "accept": "application/json"
-            }
+            headers=headers
         )
 
+    @staticmethod
+    def _get_auth_headers(token: str) -> dict:
+        """
+        Determine the appropriate authentication headers for GitLab API.
+        
+        GitLab supports two authentication patterns:
+        1. Bearer token (OAuth 2.0 tokens, personal access tokens with api scope)
+        2. Private token (personal access tokens)
+        
+        Logic for token type determination:
+        - CI_JOB_TOKEN: Always use Bearer (GitLab CI job token)
+        - Tokens starting with 'glpat-': Personal access tokens, try Bearer first
+        - OAuth tokens: Use Bearer
+        - Other tokens: Use PRIVATE-TOKEN as fallback
+        """
+        base_headers = {
+            'User-Agent': 'SocketPythonScript/0.0.1',
+            "accept": "application/json"
+        }
+        
+        # Check if this is a GitLab CI job token
+        if token == os.getenv('CI_JOB_TOKEN'):
+            log.debug("Using Bearer authentication for GitLab CI job token")
+            return {
+                **base_headers,
+                'Authorization': f"Bearer {token}"
+            }
+        
+        # Check for personal access token pattern
+        if token.startswith('glpat-'):
+            log.debug("Using Bearer authentication for GitLab personal access token")
+            return {
+                **base_headers,
+                'Authorization': f"Bearer {token}"
+            }
+        
+        # Check for OAuth token pattern (typically longer and alphanumeric)
+        if len(token) > 40 and token.isalnum():
+            log.debug("Using Bearer authentication for potential OAuth token")
+            return {
+                **base_headers,
+                'Authorization': f"Bearer {token}"
+            }
+        
+        # Default to PRIVATE-TOKEN for other token types
+        log.debug("Using PRIVATE-TOKEN authentication for GitLab token")
+        return {
+            **base_headers,
+            'PRIVATE-TOKEN': f"{token}"
+        }
+
 class Gitlab:
     def __init__(self, client: CliClient, config: Optional[GitlabConfig] = None):
         self.config = config or GitlabConfig.from_env()
         self.client = client
 
+    def _request_with_fallback(self, **kwargs):
+        """
+        Make a request with automatic fallback between Bearer and PRIVATE-TOKEN authentication.
+        This provides robustness when the initial token type detection is incorrect.
+        """
+        try:
+            # Try the initial request with the configured headers
+            return self.client.request(**kwargs)
+        except Exception as e:
+            # Check if this is an authentication error (401)
+            if hasattr(e, 'response') and e.response and e.response.status_code == 401:
+                log.debug(f"Authentication failed with initial headers, trying fallback method")
+                
+                # Determine the fallback headers
+                original_headers = kwargs.get('headers', self.config.headers)
+                fallback_headers = self._get_fallback_headers(original_headers)
+                
+                if fallback_headers and fallback_headers != original_headers:
+                    log.debug("Retrying request with fallback authentication method")
+                    kwargs['headers'] = fallback_headers
+                    return self.client.request(**kwargs)
+            
+            # Re-raise the original exception if it's not an auth error or fallback failed
+            raise
+
+    def _get_fallback_headers(self, original_headers: dict) -> dict:
+        """
+        Generate fallback authentication headers.
+        If using Bearer, fallback to PRIVATE-TOKEN and vice versa.
+        """
+        base_headers = {
+            'User-Agent': 'SocketPythonScript/0.0.1',
+            "accept": "application/json"
+        }
+        
+        # If currently using Bearer, try PRIVATE-TOKEN
+        if 'Authorization' in original_headers and 'Bearer' in original_headers['Authorization']:
+            log.debug("Falling back from Bearer to PRIVATE-TOKEN authentication")
+            return {
+                **base_headers,
+                'PRIVATE-TOKEN': f"{self.config.token}"
+            }
+        
+        # If currently using PRIVATE-TOKEN, try Bearer
+        elif 'PRIVATE-TOKEN' in original_headers:
+            log.debug("Falling back from PRIVATE-TOKEN to Bearer authentication")
+            return {
+                **base_headers,
+                'Authorization': f"Bearer {self.config.token}"
+            }
+        
+        # No fallback available
+        return None
+
     def check_event_type(self) -> str:
         pipeline_source = self.config.pipeline_source.lower()
         if pipeline_source in ["web", 'merge_request_event', "push", "api"]:
@@ -84,7 +188,7 @@ class Gitlab:
     def post_comment(self, body: str) -> None:
         path = f"projects/{self.config.mr_project_id}/merge_requests/{self.config.mr_iid}/notes"
         payload = {"body": body}
-        self.client.request(
+        self._request_with_fallback(
             path=path,
             payload=payload,
             method="POST",
@@ -95,7 +199,7 @@ class Gitlab:
     def update_comment(self, body: str, comment_id: str) -> None:
         path = f"projects/{self.config.mr_project_id}/merge_requests/{self.config.mr_iid}/notes/{comment_id}"
         payload = {"body": body}
-        self.client.request(
+        self._request_with_fallback(
             path=path,
             payload=payload,
             method="PUT",
@@ -106,7 +210,7 @@ class Gitlab:
     def get_comments_for_pr(self) -> dict:
         log.debug(f"Getting Gitlab comments for Repo {self.config.repository} for PR {self.config.mr_iid}")
         path = f"projects/{self.config.mr_project_id}/merge_requests/{self.config.mr_iid}/notes"
-        response = self.client.request(
+        response = self._request_with_fallback(
             path=path,
             headers=self.config.headers,
             base_url=self.config.api_url