PyPI - socketsecurity - Versions diffs - 2.2.93__tar.gz → 2.3.1__tar.gz - Mend

socketsecurity 2.2.93tar.gz → 2.3.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,78 @@
 # Changelog
+## 2.3.1
+### New: brotli-compressed `.socket.facts.json` upload
+The reachability facts file (`.socket.facts.json`) is now brotli-compressed before it is
+uploaded as part of a full scan. The Socket API transparently decompresses any multipart
+part named exactly `.socket.facts.json.br` and stores it as plain `.socket.facts.json`, so
+the stored result is unchanged — but the on-the-wire payload shrinks dramatically (a
+~262 MB facts file compresses to roughly 15–30 MB).
+This fixes large tier‑1 reachability scans that previously failed when the uncompressed
+facts file exceeded the API's per‑file upload size cap (surfaced to the CLI as an HTTP
+4xx/“502”, leaving the scan stuck with no report).
+Details:
+- Compression happens at the upload boundary (`Core.create_full_scan`); the file on disk is
+  left untouched, so local consumers (SARIF/JSON output, tier‑1 finalize, alert selection)
+  continue to read the plain `.socket.facts.json`.
+- Only a file whose basename is exactly `.socket.facts.json` is compressed (the API matches
+  that exact name). A custom `--reach-output-file` name is uploaded uncompressed, as before.
+- Empty baseline-scan placeholder files are not compressed.
+- Compression never blocks an upload: if it fails for any reason it falls back to uploading
+  the plain file, and a partially-written `.socket.facts.json.br` is removed rather than
+  left behind in the target directory.
+- Adds a `brotli` (CPython) / `brotlicffi` (PyPy) dependency.
+## 2.3.0
+### New: `--exit-code-on-api-error`
+Adds a configurable exit code for API / infrastructure failures (timeouts,
+network errors, unexpected exceptions), so CI pipelines can distinguish them
+from blocking security findings (exit `1`):
+```
+socketcli --exit-code-on-api-error 100 ...
+```
+Default is `3` (the code the CLI already used for these errors), so **default
+behavior is unchanged** — the exit code only changes when you pass the flag.
+Set it to a Buildkite `soft_fail` code, or to `0` to swallow infra errors.
+**Interaction to be aware of:** `--disable-blocking` forces exit `0` for *all*
+outcomes and therefore overrides `--exit-code-on-api-error`. Use the new flag
+*without* `--disable-blocking` if you want a custom infra-error code to take
+effect. See the exit-code reference in the README.
+> A future `3.0` release is planned to make infrastructure errors exit non-zero
+> even under `--disable-blocking` (so outages stop being silently swallowed).
+> That is a breaking change and is intentionally **not** in this release.
+### New: commit message auto-truncation
+`--commit-message` values longer than 200 characters are now automatically
+truncated before being sent to the API, preventing HTTP 413 errors from
+oversized URL query parameters (common with AI-generated commit messages or
+`$BUILDKITE_MESSAGE`).
+### Improved: Buildkite log formatting
+When running inside a Buildkite job (`BUILDKITE=true`), infrastructure errors
+emit Buildkite log section markers (`^^^ +++` / `--- :warning:`) so the error
+section auto-expands in the BK UI, plus a `soft_fail` hint. No effect on other
+CI platforms.
+### Fixed
+- `--timeout` is now honored end-to-end: it was only applied to the local
+  `CliClient`, but the full-scan diff comparison uses the Socket SDK instance,
+  which was constructed without the CLI timeout and defaulted to 1200s.
+- `--exclude-license-details` now propagates to the full-scan diff comparison
+  request (it was only applied to full-scan params / report URLs before).
 ## 2.2.93
 - Bundled twelve Dependabot dependency updates: `urllib3`, `gitpython`, `python-dotenv`, `pytest`, `uv`, `cryptography`, `pygments`, `requests`, and `idna` (main app), plus `axios`, `requests`, and `flask` (e2e fixtures). `idna` 3.11 → 3.15 includes the fix for CVE-2026-45409.

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: socketsecurity
-Version: 2.2.93
+Version: 2.3.1
 Summary: Socket Security CLI for CI/CD
 Project-URL: Homepage, https://socket.dev
 Author-email: Douglas Coburn <douglas@socket.dev>
@@ -33,6 +33,8 @@ Classifier: Intended Audience :: Developers
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Requires-Python: >=3.11
+Requires-Dist: brotli>=1.0.9; platform_python_implementation == 'CPython'
+Requires-Dist: brotlicffi>=1.0.9; platform_python_implementation != 'CPython'
 Requires-Dist: bs4>=0.0.2
 Requires-Dist: gitpython
 Requires-Dist: markdown>=3.10
@@ -252,6 +254,48 @@ Minimal pattern:
     SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
 ```
+## Exit codes
+| Code | Meaning |
+|------|---------|
+| `0`  | Clean scan — no blocking issues (or `--disable-blocking` set) |
+| `1`  | Blocking security finding(s) detected |
+| `2`  | Scan interrupted (SIGINT / Ctrl+C) |
+| `3`  | Infrastructure or API error (timeout, network failure, unexpected error) |
+`--exit-code-on-api-error <N>` remaps the infrastructure-error code (`3`) to any
+value — e.g. a Buildkite `soft_fail` code, or `0` to swallow infra errors. Exit
+`3` is a Socket convention, not an industry standard.
+### How these options interact
+The two flags that affect exit codes can cancel each other out, so the order of
+precedence matters:
+- **`--disable-blocking` wins over everything.** It forces exit `0` for *all*
+  outcomes — security findings *and* infrastructure errors. If you set it,
+  `--exit-code-on-api-error` has no effect (you'll always get `0`).
+- **`--exit-code-on-api-error` only applies when `--disable-blocking` is *not*
+  set.** It changes the infra-error code (and the generic-error code); it never
+  touches the security-finding code (`1`).
+So for the common "don't let Socket outages block my pipeline, but still fail on
+real findings" goal, use `--exit-code-on-api-error` **without** `--disable-blocking`:
+```yaml
+# Buildkite: soft-fail only on infrastructure errors, still block on findings
+steps:
+  - label: ":lock: Socket Security Scan"
+    command: "socketcli --exit-code-on-api-error 100 ..."   # NOT --disable-blocking
+    soft_fail:
+      - exit_status: 100
+```
+Combining `--disable-blocking` with `--exit-code-on-api-error 100` would make the
+scan exit `0` on *both* findings and outages — the `soft_fail: 100` rule would
+never match, and real findings would stop blocking. That's usually not what you
+want.
 ## Common gotchas
 See [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#common-gotchas).

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/README.md RENAMED Viewed

@@ -194,6 +194,48 @@ Minimal pattern:
     SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
 ```
+## Exit codes
+| Code | Meaning |
+|------|---------|
+| `0`  | Clean scan — no blocking issues (or `--disable-blocking` set) |
+| `1`  | Blocking security finding(s) detected |
+| `2`  | Scan interrupted (SIGINT / Ctrl+C) |
+| `3`  | Infrastructure or API error (timeout, network failure, unexpected error) |
+`--exit-code-on-api-error <N>` remaps the infrastructure-error code (`3`) to any
+value — e.g. a Buildkite `soft_fail` code, or `0` to swallow infra errors. Exit
+`3` is a Socket convention, not an industry standard.
+### How these options interact
+The two flags that affect exit codes can cancel each other out, so the order of
+precedence matters:
+- **`--disable-blocking` wins over everything.** It forces exit `0` for *all*
+  outcomes — security findings *and* infrastructure errors. If you set it,
+  `--exit-code-on-api-error` has no effect (you'll always get `0`).
+- **`--exit-code-on-api-error` only applies when `--disable-blocking` is *not*
+  set.** It changes the infra-error code (and the generic-error code); it never
+  touches the security-finding code (`1`).
+So for the common "don't let Socket outages block my pipeline, but still fail on
+real findings" goal, use `--exit-code-on-api-error` **without** `--disable-blocking`:
+```yaml
+# Buildkite: soft-fail only on infrastructure errors, still block on findings
+steps:
+  - label: ":lock: Socket Security Scan"
+    command: "socketcli --exit-code-on-api-error 100 ..."   # NOT --disable-blocking
+    soft_fail:
+      - exit_status: 100
+```
+Combining `--disable-blocking` with `--exit-code-on-api-error 100` would make the
+scan exit `0` on *both* findings and outages — the `soft_fail: 100` rule would
+never match, and real findings would stop blocking. That's usually not what you
+want.
 ## Common gotchas
 See [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#common-gotchas).

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/pyproject.toml RENAMED Viewed

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 [project]
 name = "socketsecurity"
-version = "2.2.93"
+version = "2.3.1"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [
@@ -19,6 +19,8 @@ dependencies = [
     "socketdev>=3.0.33,<4.0.0",
     "bs4>=0.0.2",
     "markdown>=3.10",
+    "brotli>=1.0.9; platform_python_implementation == 'CPython'",
+    "brotlicffi>=1.0.9; platform_python_implementation != 'CPython'",
 ]
 readme = "README.md"
 description = "Socket Security CLI for CI/CD"

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/socketsecurity/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.93'
+__version__ = '2.3.1'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/socketsecurity/config.py RENAMED Viewed

@@ -101,6 +101,7 @@ class CliConfig:
     pending_head: bool = False
     enable_diff: bool = False
     timeout: Optional[int] = 1200
+    exit_code_on_api_error: int = 3
     exclude_license_details: bool = False
     include_module_folders: bool = False
     repo_is_public: bool = False
@@ -182,6 +183,19 @@ class CliConfig:
         if commit_message and commit_message.startswith('"') and commit_message.endswith('"'):
             commit_message = commit_message[1:-1]
+        # Truncate to avoid 413s from oversized URL query parameters.
+        # The API has no application-layer length validation on commit_message;
+        # the 413 originates from an infrastructure-layer URL length limit
+        # (nginx/Cloudflare). 200 chars chosen as a conservative ceiling given
+        # URL encoding can 2-3x raw character count.
+        MAX_COMMIT_MESSAGE_LENGTH = 200
+        if commit_message and len(commit_message) > MAX_COMMIT_MESSAGE_LENGTH:
+            logging.debug(
+                f"commit_message truncated from {len(commit_message)} to "
+                f"{MAX_COMMIT_MESSAGE_LENGTH} characters to avoid API request size limits"
+            )
+            commit_message = commit_message[:MAX_COMMIT_MESSAGE_LENGTH]
         config_args = {
             'api_token': api_token,
             'repo': args.repo,
@@ -219,6 +233,7 @@ class CliConfig:
             'integration_type': args.integration,
             'pending_head': args.pending_head,
             'timeout': args.timeout,
+            'exit_code_on_api_error': args.exit_code_on_api_error,
             'exclude_license_details': args.exclude_license_details,
             'include_module_folders': args.include_module_folders,
             'repo_is_public': args.repo_is_public,
@@ -802,6 +817,21 @@ def create_argument_parser() -> argparse.ArgumentParser:
         help="Timeout in seconds for API requests",
         required=False
     )
+    advanced_group.add_argument(
+        "--exit-code-on-api-error",
+        dest="exit_code_on_api_error",
+        type=int,
+        default=3,
+        metavar="<int>",
+        help=(
+            "Exit code to use when the CLI fails on an API or infrastructure error "
+            "(timeout, network failure, unexpected exception). Default: 3. Useful for "
+            "distinguishing infrastructure failures from security findings (exit 1) in "
+            "CI -- e.g. set to a Buildkite soft_fail code. NOTE: --disable-blocking "
+            "forces exit 0 for ALL outcomes and therefore overrides this flag; do not "
+            "combine the two if you want the custom code to take effect."
+        )
+    )
     advanced_group.add_argument(
         "--allow-unverified",
         action="store_true",

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/socketsecurity/core/__init__.py RENAMED Viewed

@@ -51,6 +51,26 @@ _ALERT_TYPE_TITLE_OVERRIDES = {
 _HUMANIZE_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")
+# Reachability facts-file upload compression.
+#
+# The Socket full-scan endpoint transparently brotli-decompresses any multipart part
+# whose basename is exactly ``.socket.facts.json.br`` and stores it as plain
+# ``.socket.facts.json``. Compressing the facts file on upload keeps it well under the
+# server's per-file size cap (a ~262 MB facts file compresses to roughly 15-30 MB),
+# which is required for large reachability (tier 1) scans to succeed.
+#
+# The server matches the *exact* name ``.socket.facts.json.br``, so we only compress
+# files whose basename is exactly ``.socket.facts.json`` (a custom ``--reach-output-file``
+# name would not be decompressed server-side, so it is left as a plain upload).
+SOCKET_FACTS_FILENAME = ".socket.facts.json"
+SOCKET_FACTS_BROTLI_FILENAME = ".socket.facts.json.br"
+# Brotli quality (0-11); 5 is a good speed/ratio tradeoff for large JSON payloads.
+SOCKET_FACTS_BROTLI_QUALITY = 5
+# Largest brotli window (2**24 bytes); improves the ratio on large facts files.
+SOCKET_FACTS_BROTLI_LGWIN = 24
+# Stream the facts file in 1 MiB chunks so large files aren't held fully in memory.
+SOCKET_FACTS_BROTLI_CHUNK_SIZE = 1024 * 1024
 def _humanize_alert_type(alert_type: str) -> str:
     """Convert a camelCase/PascalCase alert type into a Title-Cased label.
@@ -544,6 +564,102 @@ class Core:
             log.debug(f"Unable to finalize tier 1 scan: {e}")
             return False
+    @staticmethod
+    def _compress_facts_file(source_path: str) -> str:
+        """Brotli-compress a ``.socket.facts.json`` file to a sibling ``.socket.facts.json.br``.
+        The source is streamed in chunks so a large facts file (hundreds of MB) never has
+        to be held in memory at once. The compressed file is written next to the source so
+        that the multipart key the SDK derives keeps the same directory prefix, only with a
+        ``.br`` basename. Any existing ``.socket.facts.json.br`` sibling is overwritten, and a
+        partially-written output is removed if compression fails part-way through (e.g. the
+        disk fills up mid-stream) so no orphaned ``.br`` is left in the target directory.
+        Args:
+            source_path: Path to the plain ``.socket.facts.json`` file.
+        Returns:
+            Path to the compressed sibling file.
+        """
+        # Imported lazily so the dependency is only needed when actually uploading a facts
+        # file. brotlicffi is the API-compatible fallback used on PyPy / non-CPython runtimes.
+        try:
+            import brotli
+        except ImportError:
+            import brotlicffi as brotli
+        target_path = os.path.join(os.path.dirname(source_path), SOCKET_FACTS_BROTLI_FILENAME)
+        compressor = brotli.Compressor(
+            quality=SOCKET_FACTS_BROTLI_QUALITY,
+            lgwin=SOCKET_FACTS_BROTLI_LGWIN,
+        )
+        try:
+            with open(source_path, "rb") as src, open(target_path, "wb") as dst:
+                while True:
+                    chunk = src.read(SOCKET_FACTS_BROTLI_CHUNK_SIZE)
+                    if not chunk:
+                        break
+                    compressed = compressor.process(chunk)
+                    if compressed:
+                        dst.write(compressed)
+                dst.write(compressor.finish())
+        except BaseException:
+            # Don't leave a half-written .br behind for the caller to miss (it only tracks
+            # the path for cleanup once this returns). Remove it, then re-raise so the caller
+            # falls back to uploading the plain file.
+            try:
+                os.unlink(target_path)
+            except OSError:
+                pass
+            raise
+        return target_path
+    def _compress_facts_files_for_upload(self, files: List[str]) -> Tuple[List[str], List[str]]:
+        """Replace any ``.socket.facts.json`` upload entry with a brotli-compressed ``.br`` sibling.
+        The Socket full-scan endpoint transparently decompresses a multipart part named
+        exactly ``.socket.facts.json.br``, so compressing here keeps a large facts file under
+        the server's per-file size cap without changing the stored result. Files whose
+        basename is not exactly ``.socket.facts.json`` are left untouched (the server only
+        matches that exact name), as are empty placeholder files (e.g. baseline scans).
+        Compression never blocks an upload: if it fails for any reason (missing optional
+        ``brotli`` dependency, unwritable directory, etc.) the original plain file is used.
+        Args:
+            files: The list of file paths about to be uploaded.
+        Returns:
+            ``(upload_files, temp_paths)`` where ``upload_files`` is the possibly-rewritten
+            list to upload and ``temp_paths`` are compressed files the caller must delete
+            once the upload completes.
+        """
+        upload_files: List[str] = []
+        temp_paths: List[str] = []
+        for file_path in files:
+            try:
+                if (
+                    os.path.basename(file_path) == SOCKET_FACTS_FILENAME
+                    and os.path.isfile(file_path)
+                    and os.path.getsize(file_path) > 0
+                ):
+                    compressed_path = self._compress_facts_file(file_path)
+                    log.debug(
+                        f"Brotli-compressed {file_path} for upload: "
+                        f"{os.path.getsize(file_path)} -> {os.path.getsize(compressed_path)} bytes "
+                        f"(uploading as {SOCKET_FACTS_BROTLI_FILENAME})"
+                    )
+                    upload_files.append(compressed_path)
+                    temp_paths.append(compressed_path)
+                    continue
+            except Exception as e:
+                # Never let compression break an upload: fall back to the plain file.
+                log.warning(
+                    f"Failed to brotli-compress facts file {file_path}, uploading uncompressed: {e}"
+                )
+            upload_files.append(file_path)
+        return upload_files, temp_paths
     def create_full_scan(self, files: List[str], params: FullScanParams, base_paths: Optional[List[str]] = None) -> FullScan:
         """
         Creates a new full scan via the Socket API.
@@ -559,7 +675,19 @@ class Core:
         log.info("Creating new full scan")
         create_full_start = time.time()
-        res = self.sdk.fullscans.post(files, params, use_types=True, use_lazy_loading=True, max_open_files=50, base_paths=base_paths)
+        # Brotli-compress the reachability facts file (if present) so it is uploaded as a
+        # `.socket.facts.json.br` part. The API decompresses it server-side, keeping a large
+        # facts file under the per-file upload size cap. See _compress_facts_files_for_upload.
+        upload_files, compressed_temp_files = self._compress_facts_files_for_upload(files)
+        try:
+            res = self.sdk.fullscans.post(upload_files, params, use_types=True, use_lazy_loading=True, max_open_files=50, base_paths=base_paths)
+        finally:
+            for temp_file in compressed_temp_files:
+                try:
+                    os.unlink(temp_file)
+                    log.debug(f"Cleaned up temporary compressed facts file: {temp_file}")
+                except OSError as cleanup_error:
+                    log.debug(f"Failed to clean up temporary compressed facts file {temp_file}: {cleanup_error}")
         if not res.success:
             log.error(f"Error creating full scan: {res.message}, status: {res.status}")
             raise Exception(f"Error creating full scan: {res.message}, status: {res.status}")
@@ -941,7 +1069,8 @@ class Core:
     def get_added_and_removed_packages(
             self,
             head_full_scan_id: str,
-            new_full_scan_id: str
+            new_full_scan_id: str,
+            include_license_details: bool = True
     ) -> Tuple[Dict[str, Package], Dict[str, Package], Dict[str, Package]]:
         """
         Get packages that were added and removed between scans.
@@ -958,12 +1087,12 @@ class Core:
         diff_start = time.time()
         try:
             diff_report = (
-                self.sdk.fullscans.stream_diff
-                           (
+                self.sdk.fullscans.stream_diff(
                     self.config.org_slug,
                     head_full_scan_id,
                     new_full_scan_id,
-                    use_types=True
+                    use_types=True,
+                    include_license_details=str(include_license_details).lower()
                 ).data
             )
         except APIFailure as e:
@@ -1175,7 +1304,11 @@ class Core:
             added_packages,
             removed_packages,
             packages
-        ) = self.get_added_and_removed_packages(head_full_scan_id, new_full_scan.id)
+        ) = self.get_added_and_removed_packages(
+            head_full_scan_id,
+            new_full_scan.id,
+            include_license_details=getattr(params, "include_license_details", True)
+        )
         # Separate unchanged packages from added/removed for --strict-blocking support
         unchanged_packages = {

{socketsecurity-2.2.93 → socketsecurity-2.3.1}/socketsecurity/socketcli.py RENAMED Viewed

@@ -27,6 +27,37 @@ socket_logger, log = initialize_logging()
 load_dotenv()
+# Buildkite sets BUILDKITE=true in every job environment. Used to gate log
+# section markers that would render as literal text on other CI platforms.
+IS_BUILDKITE = os.getenv("BUILDKITE") == "true"
+def _emit_infrastructure_error(message: str, include_traceback: bool = False) -> None:
+    """Emit a structured error for infrastructure/API failures.
+    When running in Buildkite, wraps the error in log-section markers
+    (`^^^ +++` expands the section in the BK UI) and prints a soft_fail hint.
+    On every other platform it's a plain log.error so the markers don't leak
+    as literal text. This is presentation only -- it does not decide the exit
+    code (the caller does that, honoring --disable-blocking and
+    --exit-code-on-api-error).
+    """
+    if IS_BUILDKITE:
+        print("^^^ +++", flush=True)
+        print("--- :warning: Socket infrastructure error", flush=True)
+    log.error(message)
+    if IS_BUILDKITE:
+        log.error(
+            "Tip: this is an infrastructure error, not a security finding. To keep it "
+            "from blocking the build, add a soft_fail rule for the CLI's API-error exit "
+            "code (default 3, or whatever you pass to --exit-code-on-api-error)."
+        )
+    if include_traceback:
+        traceback.print_exc()
 def build_license_artifact_payload(
     diff: Diff,
@@ -62,6 +93,23 @@ def _write_attribution_file(config, payload: dict) -> None:
     Core.save_file(config.license_file_name, json.dumps(payload, indent=2))
+DEFAULT_API_TIMEOUT = 1200
+def get_api_request_timeout(config: CliConfig) -> int:
+    return config.timeout if config.timeout is not None else DEFAULT_API_TIMEOUT
+def build_socket_sdk(config: CliConfig) -> socketdev:
+    cli_user_agent_string = f"SocketPythonCLI/{config.version}"
+    return socketdev(
+        token=config.api_token,
+        timeout=get_api_request_timeout(config),
+        allow_unverified=config.allow_unverified,
+        user_agent=cli_user_agent_string
+    )
 def cli():
     try:
         main_code()
@@ -73,12 +121,17 @@ def cli():
         else:
             sys.exit(0)
     except Exception as error:
-        log.error("Unexpected error when running the cli")
-        log.error(error)
-        traceback.print_exc()
         config = CliConfig.from_args()  # Get current config
+        _emit_infrastructure_error(
+            f"Unexpected error when running the CLI: {error}",
+            include_traceback=True,
+        )
+        # --disable-blocking forces a clean exit for ALL outcomes (it takes
+        # precedence over --exit-code-on-api-error); otherwise infra/API errors
+        # exit with the configurable code (default 3), keeping them distinct
+        # from blocking security findings (exit 1).
         if not config.disable_blocking:
-            sys.exit(3)
+            sys.exit(config.exit_code_on_api_error)
         else:
             sys.exit(0)
@@ -99,8 +152,7 @@ def main_code():
                  "1. Command line: --api-token YOUR_TOKEN\n"
                  "2. Environment variable: SOCKET_SECURITY_API_TOKEN")
         sys.exit(3)
-    cli_user_agent_string = f"SocketPythonCLI/{config.version}"
-    sdk = socketdev(token=config.api_token, allow_unverified=config.allow_unverified, user_agent=cli_user_agent_string)
+    sdk = build_socket_sdk(config)
     # Suppress urllib3 InsecureRequestWarning when using --allow-unverified
     if config.allow_unverified:
@@ -119,7 +171,7 @@ def main_code():
     socket_config = SocketConfig(
         api_key=config.api_token,
         allow_unverified_ssl=config.allow_unverified,
-        timeout=config.timeout if config.timeout is not None else 1200  # Use CLI timeout if provided
+        timeout=get_api_request_timeout(config)
     )
     log.debug("loaded socket_config")
     client = CliClient(socket_config)

socketsecurity 2.2.93__tar.gz → 2.3.1__tar.gz

socketsecurity 2.2.93tar.gz → 2.3.1tar.gz