socketsecurity 2.2.75__tar.gz → 2.2.77__tar.gz

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/.github/workflows/e2e-test.yml

@@ -47,6 +47,54 @@ jobs:
             exit 1
           fi
 
+  e2e-sarif:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        with:
+          python-version: '3.12'
+
+      - name: Install CLI from local repo
+        run: |
+          python -m pip install --upgrade pip
+          pip install .
+
+      - name: Verify --sarif-reachable-only without --reach exits non-zero
+        run: |
+          if socketcli --sarif-reachable-only --api-token dummy 2>&1; then
+            echo "FAIL: Expected non-zero exit"
+            exit 1
+          else
+            echo "PASS: Exited non-zero as expected"
+          fi
+
+      - name: Run Socket CLI scan with --sarif-file
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+        run: |
+          set -o pipefail
+          socketcli \
+            --target-path tests/e2e/fixtures/simple-npm \
+            --sarif-file /tmp/results.sarif \
+            --disable-blocking \
+            2>&1 | tee /tmp/sarif-output.log
+
+      - name: Verify SARIF file is valid
+        run: |
+          python3 -c "
+          import json, sys
+          with open('/tmp/results.sarif') as f:
+              data = json.load(f)
+          assert data['version'] == '2.1.0', f'Invalid version: {data[\"version\"]}'
+          assert '\$schema' in data, 'Missing \$schema'
+          count = len(data['runs'][0]['results'])
+          print(f'PASS: Valid SARIF 2.1.0 with {count} result(s)')
+          "
+
   e2e-reachability:
     runs-on: ubuntu-latest
     steps:
@@ -107,3 +155,41 @@ jobs:
             cat /tmp/reach-output.log
             exit 1
           fi
+
+      - name: Run scan with --sarif-file (all results)
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+        run: |
+          socketcli \
+            --target-path tests/e2e/fixtures/simple-npm \
+            --reach \
+            --sarif-file /tmp/sarif-all.sarif \
+            --disable-blocking \
+            2>/dev/null || true
+
+      - name: Run scan with --sarif-file --sarif-reachable-only (filtered results)
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+        run: |
+          socketcli \
+            --target-path tests/e2e/fixtures/simple-npm \
+            --reach \
+            --sarif-file /tmp/sarif-reachable.sarif \
+            --sarif-reachable-only \
+            --disable-blocking \
+            2>/dev/null || true
+
+      - name: Verify reachable-only results are a subset of all results
+        run: |
+          python3 -c "
+          import json
+          with open('/tmp/sarif-all.sarif') as f:
+              all_data = json.load(f)
+          with open('/tmp/sarif-reachable.sarif') as f:
+              reach_data = json.load(f)
+          all_count = len(all_data['runs'][0]['results'])
+          reach_count = len(reach_data['runs'][0]['results'])
+          print(f'All results: {all_count}, Reachable-only results: {reach_count}')
+          assert reach_count <= all_count, f'FAIL: reachable ({reach_count}) > all ({all_count})'
+          print('PASS: Reachable-only results is a subset of all results')
+          "

socketsecurity-2.2.77/.github/workflows/python-tests.yml

@@ -0,0 +1,52 @@
+name: Unit Tests
+
+env:
+  PYTHON_VERSION: "3.12"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "socketsecurity/**/*.py"
+      - "tests/unit/**/*.py"
+      - "tests/core/**/*.py"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/python-tests.yml"
+  pull_request:
+    paths:
+      - "socketsecurity/**/*.py"
+      - "tests/unit/**/*.py"
+      - "tests/core/**/*.py"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/python-tests.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: python-tests-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  python-tests:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+      - name: 🐍 setup python
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+      - name: 🛠️ install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install uv
+          uv sync --extra test
+      - name: 🧪 run tests
+        run: uv run pytest -q tests/unit/ tests/core/

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/.gitignore

@@ -13,6 +13,7 @@ run_container.sh
 bin
 scripts/*.py
 *.json
+*.sarif
 !tests/**/*.json
 markdown_overview_temp.md
 markdown_security_temp.md

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.75
+Version: 2.2.77
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -152,18 +152,27 @@ This will:
 - Save to `gl-dependency-scanning-report.json`
 - Include all actionable security alerts (error/warn level)
 
+**Save SARIF report to file (e.g. for GitHub Code Scanning, SonarQube, or VS Code):**
+```bash
+socketcli --sarif-file results.sarif \
+          --repo owner/repo \
+          --target-path .
+```
+
 **Multiple output formats:**
 ```bash
 socketcli --enable-json \
-          --enable-sarif \
+          --sarif-file results.sarif \
           --enable-gitlab-security \
           --repo owner/repo
 ```
 
 This will simultaneously generate:
 - JSON output to console
-- SARIF format to console
-- GitLab Security Dashboard report to file
+- SARIF report to `results.sarif` (and stdout)
+- GitLab Security Dashboard report to `gl-dependency-scanning-report.json`
+
+> **Note:** `--enable-sarif` prints SARIF to stdout only. Use `--sarif-file <path>` to save to a file (this also implies `--enable-sarif`). Add `--sarif-reachable-only` (requires `--reach`) to filter results down to only reachable findings — useful for uploading to GitHub Code Scanning without noisy alerts on unreachable vulns. These flags are independent from `--enable-gitlab-security`, which produces a separate GitLab-specific Dependency Scanning report.
 
 ### Requirements
 
@@ -179,7 +188,7 @@ socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--workspace WORKSPACE] [--
           [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
           [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME]
           [--excluded-ecosystems EXCLUDED_ECOSYSTEMS] [--default-branch] [--pending-head] [--generate-license] [--enable-debug]
-          [--enable-json] [--enable-sarif] [--enable-gitlab-security] [--gitlab-security-file <path>]
+          [--enable-json] [--enable-sarif] [--sarif-file <path>] [--sarif-reachable-only] [--enable-gitlab-security] [--gitlab-security-file <path>]
           [--disable-overview] [--exclude-license-details] [--allow-unverified] [--disable-security-issue]
           [--ignore-commit-files] [--disable-blocking] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders]
           [--reach] [--reach-version REACH_VERSION] [--reach-analysis-timeout REACH_ANALYSIS_TIMEOUT]
@@ -247,7 +256,9 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --generate-license        | False    | False   | Generate license information                                                      |
 | --enable-debug            | False    | False   | Enable debug logging                                                              |
 | --enable-json             | False    | False   | Output in JSON format                                                             |
-| --enable-sarif            | False    | False   | Enable SARIF output of results instead of table or JSON format                    |
+| --enable-sarif            | False    | False   | Enable SARIF output of results instead of table or JSON format (prints to stdout) |
+| --sarif-file              | False    |         | Output file path for SARIF report (implies --enable-sarif). Use this to save SARIF output to a file for upload to GitHub Code Scanning, SonarQube, VS Code, or other SARIF-compatible tools |
+| --sarif-reachable-only    | False    | False   | Filter SARIF output to only include reachable findings (requires --reach)         |
 | --enable-gitlab-security  | False    | False   | Enable GitLab Security Dashboard output format (Dependency Scanning report)       |
 | --gitlab-security-file    | False    | gl-dependency-scanning-report.json | Output file path for GitLab Security report                |
 | --disable-overview        | False    | False   | Disable overview output                                                           |
@@ -783,13 +794,13 @@ socketcli --enable-gitlab-security --gitlab-security-file custom-path.json
 GitLab security reports can be generated alongside other output formats:
 
 ```bash
-socketcli --enable-json --enable-gitlab-security --enable-sarif
+socketcli --enable-json --enable-gitlab-security --sarif-file results.sarif
 ```
 
 This command will:
 - Output JSON format to console
 - Save GitLab Security Dashboard report to `gl-dependency-scanning-report.json`
-- Save SARIF report (if configured)
+- Save SARIF report to `results.sarif`
 
 ### Security Dashboard Features
 

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/README.md

@@ -94,18 +94,27 @@ This will:
 - Save to `gl-dependency-scanning-report.json`
 - Include all actionable security alerts (error/warn level)
 
+**Save SARIF report to file (e.g. for GitHub Code Scanning, SonarQube, or VS Code):**
+```bash
+socketcli --sarif-file results.sarif \
+          --repo owner/repo \
+          --target-path .
+```
+
 **Multiple output formats:**
 ```bash
 socketcli --enable-json \
-          --enable-sarif \
+          --sarif-file results.sarif \
           --enable-gitlab-security \
           --repo owner/repo
 ```
 
 This will simultaneously generate:
 - JSON output to console
-- SARIF format to console
-- GitLab Security Dashboard report to file
+- SARIF report to `results.sarif` (and stdout)
+- GitLab Security Dashboard report to `gl-dependency-scanning-report.json`
+
+> **Note:** `--enable-sarif` prints SARIF to stdout only. Use `--sarif-file <path>` to save to a file (this also implies `--enable-sarif`). Add `--sarif-reachable-only` (requires `--reach`) to filter results down to only reachable findings — useful for uploading to GitHub Code Scanning without noisy alerts on unreachable vulns. These flags are independent from `--enable-gitlab-security`, which produces a separate GitLab-specific Dependency Scanning report.
 
 ### Requirements
 
@@ -121,7 +130,7 @@ socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--workspace WORKSPACE] [--
           [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
           [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME]
           [--excluded-ecosystems EXCLUDED_ECOSYSTEMS] [--default-branch] [--pending-head] [--generate-license] [--enable-debug]
-          [--enable-json] [--enable-sarif] [--enable-gitlab-security] [--gitlab-security-file <path>]
+          [--enable-json] [--enable-sarif] [--sarif-file <path>] [--sarif-reachable-only] [--enable-gitlab-security] [--gitlab-security-file <path>]
           [--disable-overview] [--exclude-license-details] [--allow-unverified] [--disable-security-issue]
           [--ignore-commit-files] [--disable-blocking] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders]
           [--reach] [--reach-version REACH_VERSION] [--reach-analysis-timeout REACH_ANALYSIS_TIMEOUT]
@@ -189,7 +198,9 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --generate-license        | False    | False   | Generate license information                                                      |
 | --enable-debug            | False    | False   | Enable debug logging                                                              |
 | --enable-json             | False    | False   | Output in JSON format                                                             |
-| --enable-sarif            | False    | False   | Enable SARIF output of results instead of table or JSON format                    |
+| --enable-sarif            | False    | False   | Enable SARIF output of results instead of table or JSON format (prints to stdout) |
+| --sarif-file              | False    |         | Output file path for SARIF report (implies --enable-sarif). Use this to save SARIF output to a file for upload to GitHub Code Scanning, SonarQube, VS Code, or other SARIF-compatible tools |
+| --sarif-reachable-only    | False    | False   | Filter SARIF output to only include reachable findings (requires --reach)         |
 | --enable-gitlab-security  | False    | False   | Enable GitLab Security Dashboard output format (Dependency Scanning report)       |
 | --gitlab-security-file    | False    | gl-dependency-scanning-report.json | Output file path for GitLab Security report                |
 | --disable-overview        | False    | False   | Disable overview output                                                           |
@@ -725,13 +736,13 @@ socketcli --enable-gitlab-security --gitlab-security-file custom-path.json
 GitLab security reports can be generated alongside other output formats:
 
 ```bash
-socketcli --enable-json --enable-gitlab-security --enable-sarif
+socketcli --enable-json --enable-gitlab-security --sarif-file results.sarif
 ```
 
 This command will:
 - Output JSON format to console
 - Save GitLab Security Dashboard report to `gl-dependency-scanning-report.json`
-- Save SARIF report (if configured)
+- Save SARIF report to `results.sarif`
 
 ### Security Dashboard Features
 

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.75"
+version = "2.2.77"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.75'
+__version__ = '2.2.77'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/socketsecurity/config.py

@@ -40,6 +40,8 @@ class CliConfig:
     allow_unverified: bool = False
     enable_json: bool = False
     enable_sarif: bool = False
+    sarif_file: Optional[str] = None
+    sarif_reachable_only: bool = False
     enable_gitlab_security: bool = False
     gitlab_security_file: Optional[str] = None
     disable_overview: bool = False
@@ -103,6 +105,10 @@ class CliConfig:
             args.api_token
         )
 
+        # --sarif-file implies --enable-sarif
+        if args.sarif_file:
+            args.enable_sarif = True
+
         # Strip quotes from commit message if present
         commit_message = args.commit_message
         if commit_message and commit_message.startswith('"') and commit_message.endswith('"'):
@@ -126,6 +132,8 @@ class CliConfig:
             'allow_unverified': args.allow_unverified,
             'enable_json': args.enable_json,
             'enable_sarif': args.enable_sarif,
+            'sarif_file': args.sarif_file,
+            'sarif_reachable_only': args.sarif_reachable_only,
             'enable_gitlab_security': args.enable_gitlab_security,
             'gitlab_security_file': args.gitlab_security_file,
             'disable_overview': args.disable_overview,
@@ -204,6 +212,11 @@ class CliConfig:
             logging.error("--workspace-name requires --sub-path to be specified")
             exit(1)
 
+        # Validate that sarif_reachable_only requires reach
+        if args.sarif_reachable_only and not args.reach:
+            logging.error("--sarif-reachable-only requires --reach to be specified")
+            exit(1)
+
         # Validate that only_facts_file requires reach
         if args.only_facts_file and not args.reach:
             logging.error("--only-facts-file requires --reach to be specified")
@@ -471,6 +484,19 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Enable SARIF output of results instead of table or JSON format"
     )
+    output_group.add_argument(
+        "--sarif-file",
+        dest="sarif_file",
+        metavar="<path>",
+        default=None,
+        help="Output file path for SARIF report (implies --enable-sarif)"
+    )
+    output_group.add_argument(
+        "--sarif-reachable-only",
+        dest="sarif_reachable_only",
+        action="store_true",
+        help="Filter SARIF output to only include reachable findings (requires --reach)"
+    )
     output_group.add_argument(
         "--enable-gitlab-security",
         dest="enable_gitlab_security",

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/socketsecurity/core/__init__.py

@@ -88,19 +88,16 @@ class Core:
             return org_id, organizations[org_id]['slug']
         return None, None
 
-    def get_sbom_data(self, full_scan_id: str) -> List[SocketArtifact]:
-        """Returns the list of SBOM artifacts for a full scan."""
+    def get_sbom_data(self, full_scan_id: str) -> Dict[str, SocketArtifact]:
+        """Returns SBOM artifacts for a full scan keyed by artifact ID."""
         response = self.sdk.fullscans.stream(self.config.org_slug, full_scan_id, use_types=True)
-        artifacts: List[SocketArtifact] = []
         if not response.success:
             log.debug(f"Failed to get SBOM data for full-scan {full_scan_id}")
             log.debug(response.message)
             return {}
         if not hasattr(response, "artifacts") or not response.artifacts:
-            return artifacts
-        for artifact_id in response.artifacts:
-            artifacts.append(response.artifacts[artifact_id])
-        return artifacts
+            return {}
+        return response.artifacts
 
     def get_sbom_data_list(self, artifacts_dict: Dict[str, SocketArtifact]) -> list[SocketArtifact]:
         """Converts artifacts dictionary to a list."""
@@ -414,15 +411,15 @@ class Core:
                 # Expand brace patterns for each manifest pattern
                 expanded_patterns = Core.expand_brace_pattern(pattern_str)
                 for exp_pat in expanded_patterns:
-                    # If pattern doesn't contain '/', prepend '**/' to match files in any subdirectory
-                    # This ensures patterns like '*requirements.txt' match '.test/requirements.txt'
-                    if '/' not in exp_pat:
-                        exp_pat = f"**/{exp_pat}"
-                    
                     for file in norm_files:
-                        # Use PurePath.match for glob-like matching
+                        # Match the pattern as-is first (handles root-level files
+                        # like "package.json" matching pattern "package.json")
                         if PurePath(file).match(exp_pat):
                             return True
+                        # Also try with **/ prefix to match files in subdirectories
+                        # (e.g. "src/requirements.txt" matching "*requirements.txt")
+                        if '/' not in exp_pat and PurePath(file).match(f"**/{exp_pat}"):
+                            return True
         return False
 
     def check_file_count_limit(self, file_count: int) -> dict:

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/socketsecurity/core/classes.py

@@ -1,8 +1,15 @@
 import json
 from dataclasses import dataclass, field
-from typing import Dict, List, TypedDict, Any, Optional
+from typing import Dict, List, Optional, TypedDict
 
-from socketdev.fullscans import FullScanMetadata, SocketArtifact, SocketArtifactLink, DiffType, SocketManifestReference, SocketScore, SocketAlert
+from socketdev.fullscans import (
+    FullScanMetadata,
+    SocketAlert,
+    SocketArtifact,
+    SocketArtifactLink,
+    SocketManifestReference,
+    SocketScore,
+)
 
 __all__ = [
     "Report",
@@ -109,8 +116,8 @@ class Package():
     type: str
     name: str
     version: str
-    release: str
-    diffType: str
+    release: Optional[str] = None
+    diffType: Optional[str] = None
     id: str
     author: List[str] = field(default_factory=list)
     score: SocketScore
@@ -158,6 +165,8 @@ class Package():
             name=data["name"],
             version=data["version"],
             type=data["type"],
+            release=data.get("release"),
+            diffType=data.get("diffType"),
             score=data["score"],
             alerts=data["alerts"],
             author=data.get("author", []),
@@ -187,10 +196,36 @@ class Package():
         Raises:
             ValueError: If reference data cannot be found in DiffArtifact
         """
+        diff_type = data.get("diffType")
+        if hasattr(diff_type, "value"):
+            diff_type = diff_type.value
+
+        # Newer API responses may provide flattened diff artifacts without refs.
+        if "topLevelAncestors" in data or (not data.get("head") and not data.get("base")):
+            return cls(
+                id=data["id"],
+                name=data["name"],
+                version=data["version"],
+                type=data["type"],
+                score=data.get("score", data.get("scores", {})),
+                alerts=data.get("alerts", []),
+                author=data.get("author", []),
+                size=data.get("size"),
+                license=data.get("license"),
+                topLevelAncestors=data.get("topLevelAncestors", []),
+                direct=data.get("direct", True),
+                manifestFiles=data.get("manifestFiles", []),
+                dependencies=data.get("dependencies"),
+                artifact=data.get("artifact"),
+                namespace=data.get("namespace"),
+                release=data.get("release"),
+                diffType=diff_type,
+            )
+
         ref = None
-        if data["diffType"] in ["added", "updated", "unchanged"] and data.get("head"):
+        if diff_type in ["added", "updated", "unchanged"] and data.get("head"):
             ref = data["head"][0]
-        elif data["diffType"] in ["removed", "replaced"] and data.get("base"):
+        elif diff_type in ["removed", "replaced"] and data.get("base"):
             ref = data["base"][0]
 
         if not ref:
@@ -201,8 +236,8 @@ class Package():
             name=data["name"],
             version=data["version"],
             type=data["type"],
-            score=data["score"],
-            alerts=data["alerts"],
+            score=data.get("score", data.get("scores", {})),
+            alerts=data.get("alerts", []),
             author=data.get("author", []),
             size=data.get("size"),
             license=data.get("license"),
@@ -213,7 +248,7 @@ class Package():
             artifact=ref.get("artifact"),
             namespace=data.get('namespace', None),
             release=ref.get("release", None),
-            diffType=ref.get("diffType", None),
+            diffType=ref.get("diffType", diff_type),
         )
 
 class Issue:

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/socketsecurity/output.py

@@ -58,12 +58,20 @@ class OutputHandler:
             slack_url = "Not configured"
             if self.config.slack_plugin.config and self.config.slack_plugin.config.get("url"):
                 slack_url = self.config.slack_plugin.config.get("url")
+            slack_mode = (self.config.slack_plugin.config or {}).get("mode", "webhook")
+            bot_token = os.getenv("SOCKET_SLACK_BOT_TOKEN")
+            bot_token_status = "Set" if bot_token else "Not set"
             self.logger.debug("=== Slack Webhook Debug Information ===")
             self.logger.debug(f"Slack Plugin Enabled: {self.config.slack_plugin.enabled}")
+            self.logger.debug(f"Slack Mode: {slack_mode}")
             self.logger.debug(f"SOCKET_SLACK_ENABLED environment variable: {slack_enabled_env}")
             self.logger.debug(f"SOCKET_SLACK_CONFIG_JSON environment variable: {slack_config_env}")
             self.logger.debug(f"Slack Webhook URL: {slack_url}")
+            self.logger.debug(f"SOCKET_SLACK_BOT_TOKEN: {bot_token_status}")
             self.logger.debug(f"Slack Alert Levels: {self.config.slack_plugin.levels}")
+            if self.config.reach:
+                facts_path = os.path.join(self.config.target_path or ".", self.config.reach_output_file or ".socket.facts.json")
+                self.logger.debug(f"Reachability facts file: {facts_path} (exists: {os.path.exists(facts_path)})")
             self.logger.debug("=====================================")
 
         if self.config.slack_plugin.enabled:
@@ -139,14 +147,38 @@ class OutputHandler:
     def output_console_sarif(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None:
         """
         Generate SARIF output from the diff report and print to console.
+        If --sarif-file is configured, also save to file.
+        If --sarif-reachable-only is set, filters to blocking (reachable) alerts only.
         """
         if diff_report.id != "NO_DIFF_RAN":
+            # When --sarif-reachable-only is set, filter to error=True alerts only.
+            # This mirrors the Slack plugin's reachability_alerts_only behaviou:
+            # when --reach is used, error=True reflects Socket's reachability-aware policy.
+            if self.config.sarif_reachable_only:
+                filtered_alerts = [a for a in diff_report.new_alerts if getattr(a, "error", False)]
+                diff_report = Diff(
+                    new_alerts=filtered_alerts,
+                    diff_url=getattr(diff_report, "diff_url", ""),
+                    new_packages=getattr(diff_report, "new_packages", []),
+                    removed_packages=getattr(diff_report, "removed_packages", []),
+                    packages=getattr(diff_report, "packages", {}),
+                )
+                diff_report.id = "filtered"
+
             # Generate the SARIF structure using Messages
             console_security_comment = Messages.create_security_comment_sarif(diff_report)
             self.save_sbom_file(diff_report, sbom_file_name)
             # Print the SARIF output to the console in JSON format
             print(json.dumps(console_security_comment, indent=2))
 
+            # Save to file if --sarif-file is specified
+            if self.config.sarif_file:
+                sarif_path = Path(self.config.sarif_file)
+                sarif_path.parent.mkdir(parents=True, exist_ok=True)
+                with open(sarif_path, "w") as f:
+                    json.dump(console_security_comment, f, indent=2)
+                self.logger.info(f"SARIF report saved to {self.config.sarif_file}")
+
     def report_pass(self, diff_report: Diff) -> bool:
         """Determines if the report passes security checks"""
         # Priority 1: --disable-blocking always passes

{socketsecurity-2.2.75 → socketsecurity-2.2.77}/socketsecurity/plugins/slack.py

@@ -135,18 +135,20 @@ class SlackPlugin(Plugin):
         if not bot_token:
             logger.error("SOCKET_SLACK_BOT_TOKEN environment variable not set for bot mode.")
             return
-        
+
         if not bot_token.startswith("xoxb-"):
             logger.error("SOCKET_SLACK_BOT_TOKEN must start with 'xoxb-' (Bot User OAuth Token).")
             return
-        
+
+        logger.debug("SOCKET_SLACK_BOT_TOKEN: Set (valid xoxb- format)")
+
         # Get bot_configs from configuration
         bot_configs = self.config.get("bot_configs", [])
-        
+
         if not bot_configs:
             logger.warning("No bot_configs configured for bot mode.")
             return
-        
+
         logger.debug("Slack Plugin Enabled (bot mode)")
         logger.debug("Alert levels: %s", self.config.get("levels"))
         logger.debug(f"Number of bot_configs: {len(bot_configs)}")
@@ -212,29 +214,35 @@ class SlackPlugin(Plugin):
         """Send reachability alerts using bot mode with Slack API."""
         # Construct path to socket facts file
         facts_file_path = os.path.join(config.target_path or ".", f"{config.reach_output_file}")
-        logger.debug(f"Loading reachability data from {facts_file_path}")
-        
+        facts_file_exists = os.path.exists(facts_file_path)
+        logger.debug(f"Loading reachability data from {facts_file_path} (exists: {facts_file_exists})")
+
+        if not facts_file_exists:
+            logger.error(f"Reachability facts file not found: {facts_file_path} — was --reach run successfully?")
+            return
+
         # Load socket facts file
         facts_data = load_socket_facts(facts_file_path)
-        
+
         if not facts_data:
-            logger.debug("No .socket.facts.json file found or failed to load")
+            logger.error(f"Failed to load or parse reachability facts file: {facts_file_path}")
             return
-        
+
         # Get components with vulnerabilities
         components_with_vulns = get_components_with_vulnerabilities(facts_data)
-        
+        logger.debug(f"Components with vulnerabilities in facts file: {len(components_with_vulns) if components_with_vulns else 0}")
+
         if not components_with_vulns:
             logger.debug("No components with vulnerabilities found in .socket.facts.json")
             return
-        
+
         # Convert to alerts format
         components_with_alerts = convert_to_alerts(components_with_vulns)
-        
+
         if not components_with_alerts:
             logger.debug("No alerts generated from .socket.facts.json")
             return
-        
+
         logger.debug(f"Found {len(components_with_alerts)} components with reachability alerts")
         
         # Send to each configured bot_config with filtering
@@ -265,10 +273,12 @@ class SlackPlugin(Plugin):
                     filtered_component['alerts'] = filtered_component_alerts
                     filtered_components.append(filtered_component)
             
+            logger.debug(f"Bot config '{name}': {len(filtered_components)} components after severity filter {bot_config.get('severities', '(all)')}")
+
             if not filtered_components:
                 logger.debug(f"No reachability alerts match filter criteria for bot_config '{name}'. Skipping.")
                 continue
-            
+
             # Format for Slack using the formatter (max 45 blocks for findings + 5 for header/footer)
             slack_notifications = format_socket_facts_for_slack(
                 filtered_components,