socketsecurity 2.2.71__tar.gz → 2.2.74__tar.gz

socketsecurity-2.2.74/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @SocketDev/customer-engineering

socketsecurity-2.2.74/.github/workflows/e2e-test.yml

@@ -0,0 +1,109 @@
+name: E2E Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  e2e-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        with:
+          python-version: '3.12'
+
+      - name: Install CLI from local repo
+        run: |
+          python -m pip install --upgrade pip
+          pip install .
+
+      - name: Run Socket CLI scan
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+        run: |
+          set -o pipefail
+          socketcli \
+            --target-path tests/e2e/fixtures/simple-npm \
+            --disable-blocking \
+            --enable-debug \
+            2>&1 | tee /tmp/scan-output.log
+
+      - name: Verify scan produced a report
+        run: |
+          if grep -q "Full scan report URL: https://socket.dev/" /tmp/scan-output.log; then
+            echo "PASS: Full scan report URL found"
+            grep "Full scan report URL:" /tmp/scan-output.log
+          elif grep -q "Diff Url: https://socket.dev/" /tmp/scan-output.log; then
+            echo "PASS: Diff URL found"
+            grep "Diff Url:" /tmp/scan-output.log
+          else
+            echo "FAIL: No report URL found in scan output"
+            cat /tmp/scan-output.log
+            exit 1
+          fi
+
+  e2e-reachability:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        with:
+          python-version: '3.12'
+
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+        with:
+          node-version: '20'
+
+      - name: Install CLI from local repo
+        run: |
+          python -m pip install --upgrade pip
+          pip install .
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Run Socket CLI with reachability
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+        run: |
+          set -o pipefail
+          socketcli \
+            --target-path tests/e2e/fixtures/simple-npm \
+            --reach \
+            --disable-blocking \
+            --enable-debug \
+            2>&1 | tee /tmp/reach-output.log
+
+      - name: Verify reachability analysis completed
+        run: |
+          if grep -q "Reachability analysis completed successfully" /tmp/reach-output.log; then
+            echo "PASS: Reachability analysis completed"
+            grep "Reachability analysis completed successfully" /tmp/reach-output.log
+            grep "Results written to:" /tmp/reach-output.log || true
+          else
+            echo "FAIL: Reachability analysis did not complete successfully"
+            cat /tmp/reach-output.log
+            exit 1
+          fi
+
+      - name: Verify scan produced a report
+        run: |
+          if grep -q "Full scan report URL: https://socket.dev/" /tmp/reach-output.log; then
+            echo "PASS: Full scan report URL found"
+            grep "Full scan report URL:" /tmp/reach-output.log
+          elif grep -q "Diff Url: https://socket.dev/" /tmp/reach-output.log; then
+            echo "PASS: Diff URL found"
+            grep "Diff Url:" /tmp/reach-output.log
+          else
+            echo "FAIL: No report URL found in scan output"
+            cat /tmp/reach-output.log
+            exit 1
+          fi

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/.github/workflows/pr-preview.yml

@@ -16,12 +16,13 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
-          python-version: '3.x'
+          python-version: '3.13'
 
       # Install all dependencies from pyproject.toml
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
+          pip install "virtualenv<20.36"
           pip install hatchling==1.27.0 hatch==1.14.0
 
       - name: Inject full dynamic version

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/.github/workflows/release.yml

@@ -15,12 +15,13 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
-          python-version: '3.x'
+          python-version: '3.13'
 
       # Install all dependencies from pyproject.toml
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
+          pip install "virtualenv<20.36"
           pip install hatchling==1.27.0 hatch==1.14.0
           
       - name: Get Version

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.71
+Version: 2.2.74
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -41,7 +41,7 @@ Requires-Dist: packaging
 Requires-Dist: prettytable
 Requires-Dist: python-dotenv
 Requires-Dist: requests
-Requires-Dist: socketdev<4.0.0,>=3.0.29
+Requires-Dist: socketdev<4.0.0,>=3.0.31
 Provides-Extra: dev
 Requires-Dist: hatch; extra == 'dev'
 Requires-Dist: pre-commit; extra == 'dev'
@@ -101,6 +101,8 @@ These examples are production-ready and include best practices for each platform
 
 ## Monorepo Workspace Support
 
+> **Note:** If you're looking to associate a scan with a named Socket workspace (e.g. because your repo is identified as `org/repo`), see the [`--workspace` flag](#repository) instead. The `--workspace-name` flag described in this section is an unrelated monorepo feature.
+
 The Socket CLI supports scanning specific workspaces within monorepo structures while preserving git context from the repository root. This is useful for organizations that maintain multiple applications or services in a single repository.
 
 ### Key Features
@@ -172,7 +174,7 @@ This will simultaneously generate:
 ## Usage
 
 ```` shell
-socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--repo-is-public] [--branch BRANCH] [--integration {api,github,gitlab,azure,bitbucket}]
+socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--workspace WORKSPACE] [--repo-is-public] [--branch BRANCH] [--integration {api,github,gitlab,azure,bitbucket}]
           [--owner OWNER] [--pr-number PR_NUMBER] [--commit-message COMMIT_MESSAGE] [--commit-sha COMMIT_SHA] [--committers [COMMITTERS ...]]
           [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
           [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME]
@@ -196,14 +198,21 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --api-token | False    |         | Socket Security API token (can also be set via SOCKET_SECURITY_API_TOKEN env var) |
 
 #### Repository
-| Parameter        | Required | Default | Description                                                             |
-|:-----------------|:---------|:--------|:------------------------------------------------------------------------|
-| --repo           | False    | *auto*  | Repository name in owner/repo format (auto-detected from git remote)   |
-| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
-| --integration    | False    | api     | Integration type (api, github, gitlab, azure, bitbucket)                |
-| --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug |
-| --branch         | False    | *auto*  | Branch name (auto-detected from git)                                   |
-| --committers     | False    | *auto*  | Committer(s) to filter by (auto-detected from git commit)              |
+| Parameter        | Required | Default | Description                                                                                                       |
+|:-----------------|:---------|:--------|:------------------------------------------------------------------------------------------------------------------|
+| --repo           | False    | *auto*  | Repository name in owner/repo format (auto-detected from git remote)                                             |
+| --workspace      | False    |         | The Socket workspace to associate the scan with (e.g. `my-org` in `my-org/my-repo`). See note below.           |
+| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.                                            |
+| --integration    | False    | api     | Integration type (api, github, gitlab, azure, bitbucket)                                                         |
+| --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug                                          |
+| --branch         | False    | *auto*  | Branch name (auto-detected from git)                                                                             |
+| --committers     | False    | *auto*  | Committer(s) to filter by (auto-detected from git commit)                                                        |
+
+> **`--workspace` vs `--workspace-name`** — these are two distinct flags for different purposes:
+>
+> - **`--workspace <string>`** maps to the Socket API's `workspace` query parameter on `CreateOrgFullScan`. Use it when your repository belongs to a named Socket workspace (e.g. an org with multiple workspace groups). Example: `--repo my-repo --workspace my-org`. Without this flag, scans are created without workspace context and may not appear under the correct workspace in the Socket dashboard.
+>
+> - **`--workspace-name <string>`** is a monorepo feature. It appends a suffix to the repository slug to create a unique name in Socket (e.g. `my-repo-frontend`). It must always be paired with `--sub-path` and has nothing to do with the API `workspace` field. See [Monorepo Workspace Support](#monorepo-workspace-support) below.
 
 #### Pull Request and Commit
 | Parameter        | Required | Default | Description                                    |

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/README.md

@@ -43,6 +43,8 @@ These examples are production-ready and include best practices for each platform
 
 ## Monorepo Workspace Support
 
+> **Note:** If you're looking to associate a scan with a named Socket workspace (e.g. because your repo is identified as `org/repo`), see the [`--workspace` flag](#repository) instead. The `--workspace-name` flag described in this section is an unrelated monorepo feature.
+
 The Socket CLI supports scanning specific workspaces within monorepo structures while preserving git context from the repository root. This is useful for organizations that maintain multiple applications or services in a single repository.
 
 ### Key Features
@@ -114,7 +116,7 @@ This will simultaneously generate:
 ## Usage
 
 ```` shell
-socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--repo-is-public] [--branch BRANCH] [--integration {api,github,gitlab,azure,bitbucket}]
+socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--workspace WORKSPACE] [--repo-is-public] [--branch BRANCH] [--integration {api,github,gitlab,azure,bitbucket}]
           [--owner OWNER] [--pr-number PR_NUMBER] [--commit-message COMMIT_MESSAGE] [--commit-sha COMMIT_SHA] [--committers [COMMITTERS ...]]
           [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
           [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME]
@@ -138,14 +140,21 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --api-token | False    |         | Socket Security API token (can also be set via SOCKET_SECURITY_API_TOKEN env var) |
 
 #### Repository
-| Parameter        | Required | Default | Description                                                             |
-|:-----------------|:---------|:--------|:------------------------------------------------------------------------|
-| --repo           | False    | *auto*  | Repository name in owner/repo format (auto-detected from git remote)   |
-| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
-| --integration    | False    | api     | Integration type (api, github, gitlab, azure, bitbucket)                |
-| --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug |
-| --branch         | False    | *auto*  | Branch name (auto-detected from git)                                   |
-| --committers     | False    | *auto*  | Committer(s) to filter by (auto-detected from git commit)              |
+| Parameter        | Required | Default | Description                                                                                                       |
+|:-----------------|:---------|:--------|:------------------------------------------------------------------------------------------------------------------|
+| --repo           | False    | *auto*  | Repository name in owner/repo format (auto-detected from git remote)                                             |
+| --workspace      | False    |         | The Socket workspace to associate the scan with (e.g. `my-org` in `my-org/my-repo`). See note below.           |
+| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.                                            |
+| --integration    | False    | api     | Integration type (api, github, gitlab, azure, bitbucket)                                                         |
+| --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug                                          |
+| --branch         | False    | *auto*  | Branch name (auto-detected from git)                                                                             |
+| --committers     | False    | *auto*  | Committer(s) to filter by (auto-detected from git commit)                                                        |
+
+> **`--workspace` vs `--workspace-name`** — these are two distinct flags for different purposes:
+>
+> - **`--workspace <string>`** maps to the Socket API's `workspace` query parameter on `CreateOrgFullScan`. Use it when your repository belongs to a named Socket workspace (e.g. an org with multiple workspace groups). Example: `--repo my-repo --workspace my-org`. Without this flag, scans are created without workspace context and may not appear under the correct workspace in the Socket dashboard.
+>
+> - **`--workspace-name <string>`** is a monorepo feature. It appends a suffix to the repository slug to create a unique name in Socket (e.g. `my-repo-frontend`). It must always be paired with `--sub-path` and has nothing to do with the API `workspace` field. See [Monorepo Workspace Support](#monorepo-workspace-support) below.
 
 #### Pull Request and Commit
 | Parameter        | Required | Default | Description                                    |

socketsecurity-2.2.74/instructions/gitlab-commit-status/uat.md

@@ -0,0 +1,54 @@
+# UAT: GitLab Commit Status Integration
+
+## Feature
+`--enable-commit-status` posts a commit status (`success`/`failed`) to GitLab after scan completes. Repo admins can then require `socket-security` as a status check on protected branches.
+
+## Prerequisites
+- GitLab project with CI/CD configured
+- `GITLAB_TOKEN` with `api` scope (or `CI_JOB_TOKEN` with sufficient permissions)
+- Merge request pipeline (so `CI_MERGE_REQUEST_PROJECT_ID` is set)
+
+## Test Cases
+
+### 1. Pass scenario (no blocking alerts)
+1. Create MR with no dependency changes (or only safe ones)
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Commit status `socket-security` = `success`, description = "No blocking issues"
+4. Verify in GitLab: **Repository > Commits > (sha) > Pipelines** or **MR > Pipeline > External** tab
+
+### 2. Fail scenario (blocking alerts)
+1. Create MR adding a package with known blocking alerts
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Commit status = `failed`, description = "N blocking alert(s) found"
+
+### 3. Flag omitted (default off)
+1. Run: `socketcli --scm gitlab` (no `--enable-commit-status`)
+2. **Expected**: No commit status posted
+
+### 4. Non-MR pipeline (push event without MR)
+1. Trigger pipeline on a push (no MR context)
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Commit status skipped (no `mr_project_id`), no error
+
+### 5. API failure is non-fatal
+1. Use an invalid/revoked `GITLAB_TOKEN`
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Error logged ("Failed to set commit status: ..."), scan still completes with correct exit code
+
+### 6. Non-GitLab SCM
+1. Run: `socketcli --scm github --enable-commit-status`
+2. **Expected**: Flag is accepted but commit status is not posted (GitHub not yet supported)
+
+## Blocking Merges on Failure
+
+### Option A: Pipelines must succeed (all GitLab tiers)
+Since `socketcli` exits with code 1 when blocking alerts are found, the pipeline fails automatically.
+1. Go to **Settings > General > Merge requests**
+2. Under **Merge checks**, enable **"Pipelines must succeed"**
+3. Save — GitLab will now prevent merging when the pipeline fails
+
+### Option B: External status checks (GitLab Ultimate only)
+Use the `socket-security` commit status as a required external check.
+1. Go to **Settings > General > Merge requests > Status checks**
+2. Add an external status check with name `socket-security`
+3. MRs will require Socket's `success` status to merge

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.71"
+version = "2.2.74"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,7 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    "socketdev>=3.0.29,<4.0.0",
+    "socketdev>=3.0.31,<4.0.0",
     "bs4>=0.0.2",
     "markdown>=3.10",
 ]

socketsecurity-2.2.74/socket.yml

@@ -0,0 +1,4 @@
+version: 2
+
+projectIgnorePaths:
+  - "tests/e2e/fixtures/"

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.71'
+__version__ = '2.2.74'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/socketsecurity/config.py

@@ -66,6 +66,7 @@ class CliConfig:
     save_manifest_tar: Optional[str] = None
     sub_paths: List[str] = field(default_factory=list)
     workspace_name: Optional[str] = None
+    workspace: Optional[str] = None
     # Reachability Flags
     reach: bool = False
     reach_version: Optional[str] = None
@@ -86,6 +87,7 @@ class CliConfig:
     only_facts_file: bool = False
     reach_use_only_pregenerated_sboms: bool = False
     max_purl_batch_size: int = 5000
+    enable_commit_status: bool = False
     
     @classmethod
     def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
@@ -144,6 +146,7 @@ class CliConfig:
             'save_manifest_tar': args.save_manifest_tar,
             'sub_paths': args.sub_paths or [],
             'workspace_name': args.workspace_name,
+            'workspace': args.workspace,
             'slack_webhook': args.slack_webhook,
             'reach': args.reach,
             'reach_version': args.reach_version,
@@ -164,6 +167,7 @@ class CliConfig:
             'only_facts_file': args.only_facts_file,
             'reach_use_only_pregenerated_sboms': args.reach_use_only_pregenerated_sboms,
             'max_purl_batch_size': args.max_purl_batch_size,
+            'enable_commit_status': args.enable_commit_status,
             'version': __version__
         }
         try:
@@ -254,6 +258,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         help="Repository name in owner/repo format",
         required=False
     )
+    repo_group.add_argument(
+        "--workspace",
+        metavar="<string>",
+        help="The workspace in the Socket Organization that the repository is in to associate with the full scan.",
+        required=False
+    )
     repo_group.add_argument(
         "--repo-is-public",
         dest="repo_is_public",
@@ -512,6 +522,18 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help=argparse.SUPPRESS
     )
+    output_group.add_argument(
+        "--enable-commit-status",
+        dest="enable_commit_status",
+        action="store_true",
+        help="Report scan result as a commit status on GitLab (requires GitLab SCM)"
+    )
+    output_group.add_argument(
+        "--enable_commit_status",
+        dest="enable_commit_status",
+        action="store_true",
+        help=argparse.SUPPRESS
+    )
 
     # Plugin Configuration
     plugin_group = parser.add_argument_group('Plugin Configuration')

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/socketsecurity/core/scm/gitlab.py

@@ -47,8 +47,15 @@ class GitlabConfig:
         # Determine which authentication pattern to use
         headers = cls._get_auth_headers(token)
 
+        # Prefer source branch SHA (real commit) over CI_COMMIT_SHA which
+        # may be a synthetic merge-result commit in merged-results pipelines.
+        commit_sha = (
+            os.getenv('CI_MERGE_REQUEST_SOURCE_BRANCH_SHA') or
+            os.getenv('CI_COMMIT_SHA', '')
+        )
+
         return cls(
-            commit_sha=os.getenv('CI_COMMIT_SHA', ''),
+            commit_sha=commit_sha,
             api_url=os.getenv('CI_API_V4_URL', ''),
             project_dir=os.getenv('CI_PROJECT_DIR', ''),
             mr_source_branch=mr_source_branch,
@@ -260,6 +267,65 @@ class Gitlab:
                 log.debug("No Previous version of Security Issue comment, posting")
                 self.post_comment(security_comment)
 
+    def enable_merge_pipeline_check(self) -> None:
+        """Enable 'only_allow_merge_if_pipeline_succeeds' on the MR target project."""
+        if not self.config.mr_project_id:
+            return
+        url = f"{self.config.api_url}/projects/{self.config.mr_project_id}"
+        try:
+            resp = requests.put(
+                url,
+                json={"only_allow_merge_if_pipeline_succeeds": True},
+                headers=self.config.headers,
+            )
+            if resp.status_code == 401:
+                fallback = self._get_fallback_headers(self.config.headers)
+                if fallback:
+                    resp = requests.put(
+                        url,
+                        json={"only_allow_merge_if_pipeline_succeeds": True},
+                        headers=fallback,
+                    )
+            if resp.status_code >= 400:
+                log.error(f"GitLab enable merge check API {resp.status_code}: {resp.text}")
+            else:
+                log.info("Enabled 'pipelines must succeed' merge check on project")
+        except Exception as e:
+            log.error(f"Failed to enable merge pipeline check: {e}")
+
+    def set_commit_status(self, state: str, description: str, target_url: str = '') -> None:
+        """Post a commit status to GitLab. state should be 'success' or 'failed'.
+
+        Uses requests.post with json= directly because CliClient.request sends
+        data= (form-encoded) which GitLab's commit status endpoint rejects.
+        """
+        if not self.config.mr_project_id:
+            log.debug("No mr_project_id, skipping commit status")
+            return
+        url = f"{self.config.api_url}/projects/{self.config.mr_project_id}/statuses/{self.config.commit_sha}"
+        payload = {
+            "state": state,
+            "context": "socket-security-commit-status",
+            "description": description,
+        }
+        if self.config.mr_source_branch:
+            payload["ref"] = self.config.mr_source_branch
+        if target_url:
+            payload["target_url"] = target_url
+        try:
+            log.debug(f"Posting commit status to {url}")
+            resp = requests.post(url, json=payload, headers=self.config.headers)
+            if resp.status_code == 401:
+                fallback = self._get_fallback_headers(self.config.headers)
+                if fallback:
+                    resp = requests.post(url, json=payload, headers=fallback)
+            if resp.status_code >= 400:
+                log.error(f"GitLab commit status API {resp.status_code}: {resp.text}")
+            resp.raise_for_status()
+            log.info(f"Commit status set to '{state}' on {self.config.commit_sha[:8]}")
+        except Exception as e:
+            log.error(f"Failed to set commit status: {e}")
+
     def remove_comment_alerts(self, comments: dict):
         security_alert = comments.get("security")
         if security_alert is not None:

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/socketsecurity/socketcli.py

@@ -464,7 +464,8 @@ def main_code():
         make_default_branch=is_default_branch,
         set_as_pending_head=is_default_branch,
         tmp=False,
-        scan_type='socket_tier1' if config.reach else 'socket'
+        scan_type='socket_tier1' if config.reach else 'socket',
+        workspace=config.workspace or None,
     )
 
     params.include_license_details = not config.exclude_license_details
@@ -641,6 +642,21 @@ def main_code():
             log.debug("Temporarily enabling disable_blocking due to no supported manifest files")
             config.disable_blocking = True
 
+    # Post commit status to GitLab if enabled
+    if config.enable_commit_status and scm is not None:
+        from socketsecurity.core.scm.gitlab import Gitlab
+        if isinstance(scm, Gitlab) and scm.config.mr_project_id:
+            scm.enable_merge_pipeline_check()
+            passed = output_handler.report_pass(diff)
+            state = "success" if passed else "failed"
+            blocking_count = sum(1 for a in diff.new_alerts if a.error)
+            if passed:
+                description = "No blocking issues"
+            else:
+                description = f"{blocking_count} blocking alert(s) found"
+            target_url = diff.report_url or diff.diff_url or ""
+            scm.set_commit_status(state, description, target_url)
+
     sys.exit(output_handler.return_exit_code(diff))
 
 

socketsecurity-2.2.74/tests/e2e/fixtures/simple-npm/index.js

@@ -0,0 +1,13 @@
+const express = require('express')
+const lodash = require('lodash')
+
+const app = express()
+
+app.get('/', (req, res) => {
+  const data = lodash.pick(req.query, ['name', 'age'])
+  res.json(data)
+})
+
+app.listen(3000, () => {
+  console.log(`Test fixture ${__filename} running on port 3000`)
+})

socketsecurity-2.2.74/tests/e2e/fixtures/simple-npm/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "reach-test-fixture",
+  "version": "1.0.0",
+  "description": "Test fixture for reachability analysis",
+  "main": "index.js",
+  "dependencies": {
+    "lodash": "4.17.23",
+    "express": "4.22.0",
+    "axios": "1.13.5"
+  },
+  "devDependencies": {
+    "typescript": "5.0.4",
+    "jest": "29.5.0"
+  }
+}

{socketsecurity-2.2.71 → socketsecurity-2.2.74}/tests/unit/test_cli_config.py

@@ -60,4 +60,25 @@ class TestCliConfig:
             "--disable-blocking"
         ])
         assert config.strict_blocking is True
-        assert config.disable_blocking is True
+        assert config.disable_blocking is True
+
+    def test_workspace_flag(self):
+        """Test that --workspace is parsed and stored correctly."""
+        config = CliConfig.from_args(["--api-token", "test", "--workspace", "my-workspace"])
+        assert config.workspace == "my-workspace"
+
+    def test_workspace_default_is_none(self):
+        """Test that workspace defaults to None when not supplied."""
+        config = CliConfig.from_args(["--api-token", "test"])
+        assert config.workspace is None
+
+    def test_workspace_is_independent_of_workspace_name(self):
+        """--workspace and --workspace-name are distinct flags with distinct purposes."""
+        config = CliConfig.from_args([
+            "--api-token", "test",
+            "--workspace", "my-workspace",
+            "--sub-path", ".",
+            "--workspace-name", "monorepo-suffix",
+        ])
+        assert config.workspace == "my-workspace"
+        assert config.workspace_name == "monorepo-suffix"