updated json format for gitlab api call

Jonathan Mucha · Jonathan Mucha · commit 24b8362c7d71 · 2026-02-05T15:11:22.000-08:00
diff --git a/instructions/gitlab-commit-status/uat.md b/instructions/gitlab-commit-status/uat.md
@@ -0,0 +1,46 @@
+# UAT: GitLab Commit Status Integration
+
+## Feature
+`--enable-commit-status` posts a commit status (`success`/`failed`) to GitLab after scan completes. Repo admins can then require `socket-security` as a status check on protected branches.
+
+## Prerequisites
+- GitLab project with CI/CD configured
+- `GITLAB_TOKEN` with `api` scope (or `CI_JOB_TOKEN` with sufficient permissions)
+- Merge request pipeline (so `CI_MERGE_REQUEST_PROJECT_ID` is set)
+
+## Test Cases
+
+### 1. Pass scenario (no blocking alerts)
+1. Create MR with no dependency changes (or only safe ones)
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Commit status `socket-security` = `success`, description = "No blocking issues"
+4. Verify in GitLab: **Repository > Commits > (sha) > Pipelines** or **MR > Pipeline > External** tab
+
+### 2. Fail scenario (blocking alerts)
+1. Create MR adding a package with known blocking alerts
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Commit status = `failed`, description = "N blocking alert(s) found"
+
+### 3. Flag omitted (default off)
+1. Run: `socketcli --scm gitlab` (no `--enable-commit-status`)
+2. **Expected**: No commit status posted
+
+### 4. Non-MR pipeline (push event without MR)
+1. Trigger pipeline on a push (no MR context)
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Commit status skipped (no `mr_project_id`), no error
+
+### 5. API failure is non-fatal
+1. Use an invalid/revoked `GITLAB_TOKEN`
+2. Run: `socketcli --scm gitlab --enable-commit-status`
+3. **Expected**: Error logged ("Failed to set commit status: ..."), scan still completes with correct exit code
+
+### 6. Non-GitLab SCM
+1. Run: `socketcli --scm github --enable-commit-status`
+2. **Expected**: Flag is accepted but commit status is not posted (GitHub not yet supported)
+
+## Configuring Protected Branch Requirement
+1. Go to **Settings > Repository > Protected branches**
+2. Edit the target branch
+3. Under **Status checks**, add `socket-security` as a required external status check
+4. MRs targeting that branch will now require Socket's `success` status to merge
diff --git a/socketsecurity/core/scm/gitlab.py b/socketsecurity/core/scm/gitlab.py
@@ -261,11 +261,15 @@ def add_socket_comments(
                 self.post_comment(security_comment)
 
     def set_commit_status(self, state: str, description: str, target_url: str = '') -> None:
-        """Post a commit status to GitLab. state should be 'success' or 'failed'."""
+        """Post a commit status to GitLab. state should be 'success' or 'failed'.
+
+        Uses requests.post with json= directly because CliClient.request sends
+        data= (form-encoded) which GitLab's commit status endpoint rejects.
+        """
         if not self.config.mr_project_id:
             log.debug("No mr_project_id, skipping commit status")
             return
-        path = f"projects/{self.config.mr_project_id}/statuses/{self.config.commit_sha}"
+        url = f"{self.config.api_url}/projects/{self.config.mr_project_id}/statuses/{self.config.commit_sha}"
         payload = {
             "state": state,
             "name": "socket-security",
@@ -274,13 +278,12 @@ def set_commit_status(self, state: str, description: str, target_url: str = '')
         if target_url:
             payload["target_url"] = target_url
         try:
-            self._request_with_fallback(
-                path=path,
-                payload=payload,
-                method="POST",
-                headers=self.config.headers,
-                base_url=self.config.api_url
-            )
+            resp = requests.post(url, json=payload, headers=self.config.headers)
+            if resp.status_code == 401:
+                fallback = self._get_fallback_headers(self.config.headers)
+                if fallback:
+                    resp = requests.post(url, json=payload, headers=fallback)
+            resp.raise_for_status()
             log.info(f"Commit status set to '{state}' on {self.config.commit_sha[:8]}")
         except Exception as e:
             log.error(f"Failed to set commit status: {e}")
diff --git a/tests/unit/test_gitlab_commit_status.py b/tests/unit/test_gitlab_commit_status.py
@@ -31,70 +31,84 @@ def _make_gitlab_config(**overrides):
 class TestSetCommitStatus:
     """Test Gitlab.set_commit_status()"""
 
-    def test_calls_correct_api_path(self):
+    @patch("socketsecurity.core.scm.gitlab.requests.post")
+    def test_calls_correct_url_and_json_payload(self, mock_post):
+        mock_post.return_value = MagicMock(status_code=200)
         config = _make_gitlab_config()
-        client = MagicMock()
-        gl = Gitlab(client=client, config=config)
-        gl._request_with_fallback = MagicMock()
+        gl = Gitlab(client=MagicMock(), config=config)
 
         gl.set_commit_status("success", "No blocking issues", "https://app.socket.dev/report/123")
 
-        gl._request_with_fallback.assert_called_once_with(
-            path="projects/99/statuses/abc123def456",
-            payload={
+        mock_post.assert_called_once_with(
+            "https://gitlab.example.com/api/v4/projects/99/statuses/abc123def456",
+            json={
                 "state": "success",
                 "name": "socket-security",
                 "description": "No blocking issues",
                 "target_url": "https://app.socket.dev/report/123",
             },
-            method="POST",
             headers=config.headers,
-            base_url=config.api_url,
         )
 
-    def test_failed_state_payload(self):
+    @patch("socketsecurity.core.scm.gitlab.requests.post")
+    def test_failed_state_payload(self, mock_post):
+        mock_post.return_value = MagicMock(status_code=200)
         config = _make_gitlab_config()
-        client = MagicMock()
-        gl = Gitlab(client=client, config=config)
-        gl._request_with_fallback = MagicMock()
+        gl = Gitlab(client=MagicMock(), config=config)
 
         gl.set_commit_status("failed", "3 blocking alert(s) found")
 
-        args = gl._request_with_fallback.call_args
-        assert args.kwargs["payload"]["state"] == "failed"
-        assert args.kwargs["payload"]["description"] == "3 blocking alert(s) found"
-        assert "target_url" not in args.kwargs["payload"]
+        payload = mock_post.call_args.kwargs["json"]
+        assert payload["state"] == "failed"
+        assert payload["description"] == "3 blocking alert(s) found"
+        assert "target_url" not in payload
 
-    def test_skipped_when_no_mr_project_id(self):
+    @patch("socketsecurity.core.scm.gitlab.requests.post")
+    def test_skipped_when_no_mr_project_id(self, mock_post):
         config = _make_gitlab_config(mr_project_id=None)
-        client = MagicMock()
-        gl = Gitlab(client=client, config=config)
-        gl._request_with_fallback = MagicMock()
+        gl = Gitlab(client=MagicMock(), config=config)
 
         gl.set_commit_status("success", "No blocking issues")
 
-        gl._request_with_fallback.assert_not_called()
+        mock_post.assert_not_called()
 
-    def test_graceful_error_handling(self):
+    @patch("socketsecurity.core.scm.gitlab.requests.post")
+    def test_graceful_error_handling(self, mock_post):
+        mock_post.side_effect = Exception("connection error")
         config = _make_gitlab_config()
-        client = MagicMock()
-        gl = Gitlab(client=client, config=config)
-        gl._request_with_fallback = MagicMock(side_effect=Exception("API error"))
+        gl = Gitlab(client=MagicMock(), config=config)
 
         # Should not raise
         gl.set_commit_status("success", "No blocking issues")
 
-    def test_no_target_url_omitted_from_payload(self):
+    @patch("socketsecurity.core.scm.gitlab.requests.post")
+    def test_no_target_url_omitted_from_payload(self, mock_post):
+        mock_post.return_value = MagicMock(status_code=200)
         config = _make_gitlab_config()
-        client = MagicMock()
-        gl = Gitlab(client=client, config=config)
-        gl._request_with_fallback = MagicMock()
+        gl = Gitlab(client=MagicMock(), config=config)
 
         gl.set_commit_status("success", "No blocking issues", target_url="")
 
-        payload = gl._request_with_fallback.call_args.kwargs["payload"]
+        payload = mock_post.call_args.kwargs["json"]
         assert "target_url" not in payload
 
+    @patch("socketsecurity.core.scm.gitlab.requests.post")
+    def test_auth_fallback_on_401(self, mock_post):
+        resp_401 = MagicMock(status_code=401)
+        resp_401.raise_for_status.side_effect = Exception("401")
+        resp_200 = MagicMock(status_code=200)
+        mock_post.side_effect = [resp_401, resp_200]
+
+        config = _make_gitlab_config()
+        gl = Gitlab(client=MagicMock(), config=config)
+
+        gl.set_commit_status("success", "No blocking issues")
+
+        assert mock_post.call_count == 2
+        # Second call should use fallback headers (PRIVATE-TOKEN)
+        fallback_headers = mock_post.call_args_list[1].kwargs["headers"]
+        assert "PRIVATE-TOKEN" in fallback_headers
+
 
 class TestEnableCommitStatusCliArg:
     """Test --enable-commit-status CLI argument parsing"""
