socketsecurity 2.2.8__tar.gz → 2.2.18__tar.gz

{socketsecurity-2.2.8 → socketsecurity-2.2.18}/.github/workflows/pr-preview.yml

@@ -11,10 +11,10 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.x'
 
@@ -43,14 +43,14 @@ jobs:
 
       - name: Publish to Test PyPI
         if: steps.version_check.outputs.exists != 'true'
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d
         with:
           repository-url: https://test.pypi.org/legacy/
           verbose: true
 
       - name: Comment on PR
         if: steps.version_check.outputs.exists != 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         env:
           VERSION: ${{ env.VERSION }}
         with:
@@ -120,21 +120,21 @@ jobs:
           exit 1
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Login to Docker Hub with Organization Token
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Docker Preview
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         env:
           VERSION: ${{ env.VERSION }}
         with:

{socketsecurity-2.2.8 → socketsecurity-2.2.18}/.github/workflows/release.yml

@@ -10,10 +10,10 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.x'
 
@@ -66,16 +66,16 @@ jobs:
 
       - name: Publish to PyPI
         if: steps.version_check.outputs.pypi_exists != 'true'
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -102,7 +102,7 @@ jobs:
         if: |
           steps.verify_package.outputs.success == 'true' &&
           steps.docker_check.outputs.docker_exists != 'true'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         env:
           VERSION: ${{ env.VERSION }}
         with:

{socketsecurity-2.2.8 → socketsecurity-2.2.18}/.github/workflows/version-check.yml

@@ -11,7 +11,7 @@ jobs:
   check_version:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0  # Fetch all history for all branches
 
@@ -39,7 +39,7 @@ jobs:
           "
 
       - name: Manage PR Comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         if: always()
         env:
           MAIN_VERSION: ${{ env.MAIN_VERSION }}

{socketsecurity-2.2.8 → socketsecurity-2.2.18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.8
+Version: 2.2.18
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -33,13 +33,14 @@ Classifier: Intended Audience :: Developers
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Requires-Python: >=3.10
+Requires-Dist: bs4>=0.0.2
 Requires-Dist: gitpython
 Requires-Dist: mdutils
 Requires-Dist: packaging
 Requires-Dist: prettytable
 Requires-Dist: python-dotenv
 Requires-Dist: requests
-Requires-Dist: socketdev<4.0.0,>=3.0.5
+Requires-Dist: socketdev<4.0.0,>=3.0.6
 Provides-Extra: dev
 Requires-Dist: hatch; extra == 'dev'
 Requires-Dist: pre-commit; extra == 'dev'
@@ -97,15 +98,64 @@ Pre-configured workflow examples are available in the [`workflows/`](workflows/)
 
 These examples are production-ready and include best practices for each platform.
 
+## Monorepo Workspace Support
+
+The Socket CLI supports scanning specific workspaces within monorepo structures while preserving git context from the repository root. This is useful for organizations that maintain multiple applications or services in a single repository.
+
+### Key Features
+
+- **Multiple Sub-paths**: Specify multiple `--sub-path` options to scan different directories within your monorepo
+- **Combined Workspace**: All sub-paths are scanned together as a single workspace in Socket
+- **Git Context Preserved**: Repository metadata (commits, branches, etc.) comes from the main target-path
+- **Workspace Naming**: Use `--workspace-name` to differentiate scans from different parts of your monorepo
+
+### Usage Examples
+
+**Scan multiple frontend and backend workspaces:**
+```bash
+socketcli --target-path /path/to/monorepo \
+          --sub-path frontend \
+          --sub-path backend \
+          --sub-path services/api \
+          --workspace-name main-app
+```
+
+**GitHub Actions for monorepo workspace:**
+```bash
+socketcli --target-path $GITHUB_WORKSPACE \
+          --sub-path packages/web \
+          --sub-path packages/mobile \
+          --workspace-name mobile-web \
+          --scm github \
+          --pr-number $PR_NUMBER
+```
+
+This will:
+- Scan manifest files in `./packages/web/` and `./packages/mobile/`
+- Combine them into a single workspace scan
+- Create a repository in Socket named like `my-repo-mobile-web`
+- Preserve git context (commits, branch info) from the repository root
+
+### Requirements
+
+- Both `--sub-path` and `--workspace-name` must be specified together
+- `--sub-path` can be used multiple times to include multiple directories
+- All specified sub-paths must exist within the target-path
+
 ## Usage
 
 ```` shell
-socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--integration {api,github,gitlab}] [--owner OWNER] [--branch BRANCH]
-          [--committers [COMMITTERS ...]] [--pr-number PR_NUMBER] [--commit-message COMMIT_MESSAGE] [--commit-sha COMMIT_SHA]
-          [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--files FILES] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
-          [--default-branch] [--pending-head] [--generate-license] [--enable-debug] [--enable-json] [--enable-sarif] 
-          [--disable-overview] [--disable-security-issue] [--allow-unverified] [--ignore-commit-files] [--disable-blocking] 
-          [--scm SCM] [--timeout TIMEOUT] [--exclude-license-details]
+socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--repo-is-public] [--branch BRANCH] [--integration {api,github,gitlab,azure,bitbucket}] 
+          [--owner OWNER] [--pr-number PR_NUMBER] [--commit-message COMMIT_MESSAGE] [--commit-sha COMMIT_SHA] [--committers [COMMITTERS ...]] 
+          [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
+          [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME] 
+          [--excluded-ecosystems EXCLUDED_ECOSYSTEMS] [--default-branch] [--pending-head] [--generate-license] [--enable-debug] 
+          [--enable-json] [--enable-sarif] [--disable-overview] [--exclude-license-details] [--allow-unverified] [--disable-security-issue] 
+          [--ignore-commit-files] [--disable-blocking] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders] 
+          [--reach] [--reach-version REACH_VERSION] [--reach-analysis-timeout REACH_ANALYSIS_TIMEOUT] 
+          [--reach-analysis-memory-limit REACH_ANALYSIS_MEMORY_LIMIT] [--reach-ecosystems REACH_ECOSYSTEMS] [--reach-exclude-paths REACH_EXCLUDE_PATHS]
+          [--reach-min-severity {low,medium,high,critical}] [--reach-skip-cache] [--reach-disable-analytics] [--reach-output-file REACH_OUTPUT_FILE]
+          [--only-facts-file] [--version]
 ````
 
 If you don't want to provide the Socket API Token every time then you can use the environment variable `SOCKET_SECURITY_API_KEY`
@@ -121,11 +171,11 @@ If you don't want to provide the Socket API Token every time then you can use th
 | Parameter        | Required | Default | Description                                                             |
 |:-----------------|:---------|:--------|:------------------------------------------------------------------------|
 | --repo           | False    | *auto*  | Repository name in owner/repo format (auto-detected from git remote)   |
-| --integration    | False    | api     | Integration type (api, github, gitlab)                                  |
+| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
+| --integration    | False    | api     | Integration type (api, github, gitlab, azure, bitbucket)                |
 | --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug |
 | --branch         | False    | *auto*  | Branch name (auto-detected from git)                                   |
 | --committers     | False    | *auto*  | Committer(s) to filter by (auto-detected from git commit)              |
-| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
 
 #### Pull Request and Commit
 | Parameter        | Required | Default | Description                                    |
@@ -139,17 +189,20 @@ If you don't want to provide the Socket API Token every time then you can use th
 |:----------------------------|:---------|:----------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | --target-path               | False    | ./                    | Target path for analysis                                                                                                                                                         |
 | --sbom-file                 | False    |                       | SBOM file path                                                                                                                                                                   |
-| --files                     | False    | *auto*                | Files to analyze (JSON array string). Auto-detected from git commit changes when not specified                                                                                   |
-| --excluded-ecosystems       | False    | []                    | List of ecosystems to exclude from analysis (JSON array string). You can get supported files from the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 | --license-file-name         | False    | `license_output.json` | Name of the file to save the license details to if enabled                                                                                                                       |
 | --save-submitted-files-list | False    |                       | Save list of submitted file names to JSON file for debugging purposes                                                                                                            |
 | --save-manifest-tar         | False    |                       | Save all manifest files to a compressed tar.gz archive with original directory structure                                                                                         |
+| --files                     | False    | *auto*                | Files to analyze (JSON array string). Auto-detected from git commit changes when not specified                                                                                   |
+| --sub-path                  | False    |                       | Sub-path within target-path for manifest file scanning (can be specified multiple times). All sub-paths are combined into a single workspace scan while preserving git context from target-path. Must be used with --workspace-name |
+| --workspace-name            | False    |                       | Workspace name suffix to append to repository name (repo-name-workspace_name). Must be used with --sub-path                                                                     |
+| --excluded-ecosystems       | False    | []                    | List of ecosystems to exclude from analysis (JSON array string). You can get supported files from the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 
 #### Branch and Scan Configuration
-| Parameter        | Required | Default | Description                                                                                           |
-|:-----------------|:---------|:--------|:------------------------------------------------------------------------------------------------------|
-| --default-branch | False    | *auto*  | Make this branch the default branch (auto-detected from git and CI environment when not specified)   |
-| --pending-head   | False    | *auto*  | If true, the new scan will be set as the branch's head scan (automatically synced with default-branch) |
+| Parameter                | Required | Default | Description                                                                                           |
+|:-------------------------|:---------|:--------|:------------------------------------------------------------------------------------------------------|
+| --default-branch         | False    | *auto*  | Make this branch the default branch (auto-detected from git and CI environment when not specified)   |
+| --pending-head           | False    | *auto*  | If true, the new scan will be set as the branch's head scan (automatically synced with default-branch) |
+| --include-module-folders | False    | False   | If enabled will include manifest files from folders like node_modules                                |
 
 #### Output Configuration
 | Parameter                 | Required | Default | Description                                                                       |
@@ -160,6 +213,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --enable-sarif            | False    | False   | Enable SARIF output of results instead of table or JSON format                    |
 | --disable-overview        | False    | False   | Disable overview output                                                           |
 | --exclude-license-details | False    | False   | Exclude license details from the diff report (boosts performance for large repos) |
+| --version                 | False    | False   | Show program's version number and exit                                            |
 
 #### Security Configuration
 | Parameter                | Required | Default | Description                   |
@@ -167,6 +221,28 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --allow-unverified       | False    | False   | Allow unverified packages     |
 | --disable-security-issue | False    | False   | Disable security issue checks |
 
+#### Reachability Analysis
+| Parameter                        | Required | Default | Description                                                                                                                |
+|:---------------------------------|:---------|:--------|:---------------------------------------------------------------------------------------------------------------------------|
+| --reach                          | False    | False   | Enable reachability analysis to identify which vulnerable functions are actually called by your code                       |
+| --reach-version                  | False    | latest  | Version of @coana-tech/cli to use for analysis                                                                             |
+| --reach-analysis-timeout         | False    | 1200    | Timeout in seconds for the reachability analysis (default: 1200 seconds / 20 minutes)                                      |
+| --reach-analysis-memory-limit    | False    | 4096    | Memory limit in MB for the reachability analysis (default: 4096 MB / 4 GB)                                                 |
+| --reach-ecosystems               | False    |         | Comma-separated list of ecosystems to analyze (e.g., "npm,pypi"). If not specified, all supported ecosystems are analyzed  |
+| --reach-exclude-paths            | False    |         | Comma-separated list of file paths or patterns to exclude from reachability analysis                                       |
+| --reach-min-severity             | False    |         | Minimum severity level for reporting reachability results (low, medium, high, critical)                                    |
+| --reach-skip-cache               | False    | False   | Skip cache and force fresh reachability analysis                                                                           |
+| --reach-disable-analytics        | False    | False   | Disable analytics collection during reachability analysis                                                                  |
+| --reach-output-file              | False    | .socket.facts.json | Path where reachability analysis results should be saved                                                        |
+| --only-facts-file                | False    | False   | Submit only the .socket.facts.json file to an existing scan (requires --reach and a prior scan)                            |
+
+**Reachability Analysis Requirements:**
+- `npm` - Required to install and run @coana-tech/cli
+- `npx` - Required to execute @coana-tech/cli
+- `uv` - Required for Python environment management
+
+The CLI will automatically install @coana-tech/cli if not present. Use `--reach` to enable reachability analysis during a full scan, or use `--only-facts-file` with `--reach` to submit reachability results to an existing scan.
+
 #### Advanced Configuration
 | Parameter                | Required | Default | Description                                                           |
 |:-------------------------|:---------|:--------|:----------------------------------------------------------------------|
@@ -175,7 +251,6 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --enable-diff            | False    | False   | Enable diff mode even when using --integration api (forces diff mode without SCM integration) |
 | --scm                    | False    | api     | Source control management type                                        |
 | --timeout                | False    |         | Timeout in seconds for API requests                                   |
-| --include-module-folders | False    | False   | If enabled will include manifest files from folders like node_modules |
 
 #### Plugins
 

{socketsecurity-2.2.8 → socketsecurity-2.2.18}/README.md

@@ -41,15 +41,64 @@ Pre-configured workflow examples are available in the [`workflows/`](workflows/)
 
 These examples are production-ready and include best practices for each platform.
 
+## Monorepo Workspace Support
+
+The Socket CLI supports scanning specific workspaces within monorepo structures while preserving git context from the repository root. This is useful for organizations that maintain multiple applications or services in a single repository.
+
+### Key Features
+
+- **Multiple Sub-paths**: Specify multiple `--sub-path` options to scan different directories within your monorepo
+- **Combined Workspace**: All sub-paths are scanned together as a single workspace in Socket
+- **Git Context Preserved**: Repository metadata (commits, branches, etc.) comes from the main target-path
+- **Workspace Naming**: Use `--workspace-name` to differentiate scans from different parts of your monorepo
+
+### Usage Examples
+
+**Scan multiple frontend and backend workspaces:**
+```bash
+socketcli --target-path /path/to/monorepo \
+          --sub-path frontend \
+          --sub-path backend \
+          --sub-path services/api \
+          --workspace-name main-app
+```
+
+**GitHub Actions for monorepo workspace:**
+```bash
+socketcli --target-path $GITHUB_WORKSPACE \
+          --sub-path packages/web \
+          --sub-path packages/mobile \
+          --workspace-name mobile-web \
+          --scm github \
+          --pr-number $PR_NUMBER
+```
+
+This will:
+- Scan manifest files in `./packages/web/` and `./packages/mobile/`
+- Combine them into a single workspace scan
+- Create a repository in Socket named like `my-repo-mobile-web`
+- Preserve git context (commits, branch info) from the repository root
+
+### Requirements
+
+- Both `--sub-path` and `--workspace-name` must be specified together
+- `--sub-path` can be used multiple times to include multiple directories
+- All specified sub-paths must exist within the target-path
+
 ## Usage
 
 ```` shell
-socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--integration {api,github,gitlab}] [--owner OWNER] [--branch BRANCH]
-          [--committers [COMMITTERS ...]] [--pr-number PR_NUMBER] [--commit-message COMMIT_MESSAGE] [--commit-sha COMMIT_SHA]
-          [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--files FILES] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
-          [--default-branch] [--pending-head] [--generate-license] [--enable-debug] [--enable-json] [--enable-sarif] 
-          [--disable-overview] [--disable-security-issue] [--allow-unverified] [--ignore-commit-files] [--disable-blocking] 
-          [--scm SCM] [--timeout TIMEOUT] [--exclude-license-details]
+socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--repo-is-public] [--branch BRANCH] [--integration {api,github,gitlab,azure,bitbucket}] 
+          [--owner OWNER] [--pr-number PR_NUMBER] [--commit-message COMMIT_MESSAGE] [--commit-sha COMMIT_SHA] [--committers [COMMITTERS ...]] 
+          [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
+          [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME] 
+          [--excluded-ecosystems EXCLUDED_ECOSYSTEMS] [--default-branch] [--pending-head] [--generate-license] [--enable-debug] 
+          [--enable-json] [--enable-sarif] [--disable-overview] [--exclude-license-details] [--allow-unverified] [--disable-security-issue] 
+          [--ignore-commit-files] [--disable-blocking] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders] 
+          [--reach] [--reach-version REACH_VERSION] [--reach-analysis-timeout REACH_ANALYSIS_TIMEOUT] 
+          [--reach-analysis-memory-limit REACH_ANALYSIS_MEMORY_LIMIT] [--reach-ecosystems REACH_ECOSYSTEMS] [--reach-exclude-paths REACH_EXCLUDE_PATHS]
+          [--reach-min-severity {low,medium,high,critical}] [--reach-skip-cache] [--reach-disable-analytics] [--reach-output-file REACH_OUTPUT_FILE]
+          [--only-facts-file] [--version]
 ````
 
 If you don't want to provide the Socket API Token every time then you can use the environment variable `SOCKET_SECURITY_API_KEY`
@@ -65,11 +114,11 @@ If you don't want to provide the Socket API Token every time then you can use th
 | Parameter        | Required | Default | Description                                                             |
 |:-----------------|:---------|:--------|:------------------------------------------------------------------------|
 | --repo           | False    | *auto*  | Repository name in owner/repo format (auto-detected from git remote)   |
-| --integration    | False    | api     | Integration type (api, github, gitlab)                                  |
+| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
+| --integration    | False    | api     | Integration type (api, github, gitlab, azure, bitbucket)                |
 | --owner          | False    |         | Name of the integration owner, defaults to the socket organization slug |
 | --branch         | False    | *auto*  | Branch name (auto-detected from git)                                   |
 | --committers     | False    | *auto*  | Committer(s) to filter by (auto-detected from git commit)              |
-| --repo-is-public | False    | False   | If set, flags a new repository creation as public. Defaults to false.   |
 
 #### Pull Request and Commit
 | Parameter        | Required | Default | Description                                    |
@@ -83,17 +132,20 @@ If you don't want to provide the Socket API Token every time then you can use th
 |:----------------------------|:---------|:----------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | --target-path               | False    | ./                    | Target path for analysis                                                                                                                                                         |
 | --sbom-file                 | False    |                       | SBOM file path                                                                                                                                                                   |
-| --files                     | False    | *auto*                | Files to analyze (JSON array string). Auto-detected from git commit changes when not specified                                                                                   |
-| --excluded-ecosystems       | False    | []                    | List of ecosystems to exclude from analysis (JSON array string). You can get supported files from the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 | --license-file-name         | False    | `license_output.json` | Name of the file to save the license details to if enabled                                                                                                                       |
 | --save-submitted-files-list | False    |                       | Save list of submitted file names to JSON file for debugging purposes                                                                                                            |
 | --save-manifest-tar         | False    |                       | Save all manifest files to a compressed tar.gz archive with original directory structure                                                                                         |
+| --files                     | False    | *auto*                | Files to analyze (JSON array string). Auto-detected from git commit changes when not specified                                                                                   |
+| --sub-path                  | False    |                       | Sub-path within target-path for manifest file scanning (can be specified multiple times). All sub-paths are combined into a single workspace scan while preserving git context from target-path. Must be used with --workspace-name |
+| --workspace-name            | False    |                       | Workspace name suffix to append to repository name (repo-name-workspace_name). Must be used with --sub-path                                                                     |
+| --excluded-ecosystems       | False    | []                    | List of ecosystems to exclude from analysis (JSON array string). You can get supported files from the [Supported Files API](https://docs.socket.dev/reference/getsupportedfiles) |
 
 #### Branch and Scan Configuration
-| Parameter        | Required | Default | Description                                                                                           |
-|:-----------------|:---------|:--------|:------------------------------------------------------------------------------------------------------|
-| --default-branch | False    | *auto*  | Make this branch the default branch (auto-detected from git and CI environment when not specified)   |
-| --pending-head   | False    | *auto*  | If true, the new scan will be set as the branch's head scan (automatically synced with default-branch) |
+| Parameter                | Required | Default | Description                                                                                           |
+|:-------------------------|:---------|:--------|:------------------------------------------------------------------------------------------------------|
+| --default-branch         | False    | *auto*  | Make this branch the default branch (auto-detected from git and CI environment when not specified)   |
+| --pending-head           | False    | *auto*  | If true, the new scan will be set as the branch's head scan (automatically synced with default-branch) |
+| --include-module-folders | False    | False   | If enabled will include manifest files from folders like node_modules                                |
 
 #### Output Configuration
 | Parameter                 | Required | Default | Description                                                                       |
@@ -104,6 +156,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --enable-sarif            | False    | False   | Enable SARIF output of results instead of table or JSON format                    |
 | --disable-overview        | False    | False   | Disable overview output                                                           |
 | --exclude-license-details | False    | False   | Exclude license details from the diff report (boosts performance for large repos) |
+| --version                 | False    | False   | Show program's version number and exit                                            |
 
 #### Security Configuration
 | Parameter                | Required | Default | Description                   |
@@ -111,6 +164,28 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --allow-unverified       | False    | False   | Allow unverified packages     |
 | --disable-security-issue | False    | False   | Disable security issue checks |
 
+#### Reachability Analysis
+| Parameter                        | Required | Default | Description                                                                                                                |
+|:---------------------------------|:---------|:--------|:---------------------------------------------------------------------------------------------------------------------------|
+| --reach                          | False    | False   | Enable reachability analysis to identify which vulnerable functions are actually called by your code                       |
+| --reach-version                  | False    | latest  | Version of @coana-tech/cli to use for analysis                                                                             |
+| --reach-analysis-timeout         | False    | 1200    | Timeout in seconds for the reachability analysis (default: 1200 seconds / 20 minutes)                                      |
+| --reach-analysis-memory-limit    | False    | 4096    | Memory limit in MB for the reachability analysis (default: 4096 MB / 4 GB)                                                 |
+| --reach-ecosystems               | False    |         | Comma-separated list of ecosystems to analyze (e.g., "npm,pypi"). If not specified, all supported ecosystems are analyzed  |
+| --reach-exclude-paths            | False    |         | Comma-separated list of file paths or patterns to exclude from reachability analysis                                       |
+| --reach-min-severity             | False    |         | Minimum severity level for reporting reachability results (low, medium, high, critical)                                    |
+| --reach-skip-cache               | False    | False   | Skip cache and force fresh reachability analysis                                                                           |
+| --reach-disable-analytics        | False    | False   | Disable analytics collection during reachability analysis                                                                  |
+| --reach-output-file              | False    | .socket.facts.json | Path where reachability analysis results should be saved                                                        |
+| --only-facts-file                | False    | False   | Submit only the .socket.facts.json file to an existing scan (requires --reach and a prior scan)                            |
+
+**Reachability Analysis Requirements:**
+- `npm` - Required to install and run @coana-tech/cli
+- `npx` - Required to execute @coana-tech/cli
+- `uv` - Required for Python environment management
+
+The CLI will automatically install @coana-tech/cli if not present. Use `--reach` to enable reachability analysis during a full scan, or use `--only-facts-file` with `--reach` to submit reachability results to an existing scan.
+
 #### Advanced Configuration
 | Parameter                | Required | Default | Description                                                           |
 |:-------------------------|:---------|:--------|:----------------------------------------------------------------------|
@@ -119,7 +194,6 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --enable-diff            | False    | False   | Enable diff mode even when using --integration api (forces diff mode without SCM integration) |
 | --scm                    | False    | api     | Source control management type                                        |
 | --timeout                | False    |         | Timeout in seconds for API requests                                   |
-| --include-module-folders | False    | False   | If enabled will include manifest files from folders like node_modules |
 
 #### Plugins
 

{socketsecurity-2.2.8 → socketsecurity-2.2.18}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.8"
+version = "2.2.18"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -16,7 +16,8 @@ dependencies = [
     'GitPython',
     'packaging',
     'python-dotenv',
-    'socketdev>=3.0.5,<4.0.0'
+    'socketdev>=3.0.6,<4.0.0',
+    "bs4>=0.0.2",
 ]
 readme = "README.md"
 description = "Socket Security CLI for CI/CD"
@@ -158,4 +159,4 @@ docstring-code-format = false
 docstring-code-line-length = "dynamic"
 
 [tool.hatch.build.targets.wheel]
-include = ["socketsecurity", "LICENSE"]
+include = ["socketsecurity", "LICENSE"]

socketsecurity-2.2.18/socketsecurity/__init__.py

@@ -0,0 +1,3 @@
+__author__ = 'socket.dev'
+__version__ = '2.2.18'
+USER_AGENT = f'SocketPythonCLI/{__version__}'