added ability to prevent merges based on failed check run

Jonathan Mucha · Jonathan Mucha · commit 878b4b13fde1 · 2026-02-05T14:37:11.000-08:00
diff --git a/socketsecurity/config.py b/socketsecurity/config.py
@@ -86,6 +86,7 @@ class CliConfig:
     only_facts_file: bool = False
     reach_use_only_pregenerated_sboms: bool = False
     max_purl_batch_size: int = 5000
+    enable_commit_status: bool = False
     
     @classmethod
     def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
@@ -164,6 +165,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'only_facts_file': args.only_facts_file,
             'reach_use_only_pregenerated_sboms': args.reach_use_only_pregenerated_sboms,
             'max_purl_batch_size': args.max_purl_batch_size,
+            'enable_commit_status': args.enable_commit_status,
             'version': __version__
         }
         try:
@@ -512,6 +514,18 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help=argparse.SUPPRESS
     )
+    output_group.add_argument(
+        "--enable-commit-status",
+        dest="enable_commit_status",
+        action="store_true",
+        help="Report scan result as a commit status on GitLab (requires GitLab SCM)"
+    )
+    output_group.add_argument(
+        "--enable_commit_status",
+        dest="enable_commit_status",
+        action="store_true",
+        help=argparse.SUPPRESS
+    )
 
     # Plugin Configuration
     plugin_group = parser.add_argument_group('Plugin Configuration')
diff --git a/socketsecurity/core/scm/gitlab.py b/socketsecurity/core/scm/gitlab.py
@@ -260,6 +260,31 @@ def add_socket_comments(
                 log.debug("No Previous version of Security Issue comment, posting")
                 self.post_comment(security_comment)
 
+    def set_commit_status(self, state: str, description: str, target_url: str = '') -> None:
+        """Post a commit status to GitLab. state should be 'success' or 'failed'."""
+        if not self.config.mr_project_id:
+            log.debug("No mr_project_id, skipping commit status")
+            return
+        path = f"projects/{self.config.mr_project_id}/statuses/{self.config.commit_sha}"
+        payload = {
+            "state": state,
+            "name": "socket-security",
+            "description": description,
+        }
+        if target_url:
+            payload["target_url"] = target_url
+        try:
+            self._request_with_fallback(
+                path=path,
+                payload=payload,
+                method="POST",
+                headers=self.config.headers,
+                base_url=self.config.api_url
+            )
+            log.info(f"Commit status set to '{state}' on {self.config.commit_sha[:8]}")
+        except Exception as e:
+            log.error(f"Failed to set commit status: {e}")
+
     def remove_comment_alerts(self, comments: dict):
         security_alert = comments.get("security")
         if security_alert is not None:
diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py
@@ -641,6 +641,20 @@ def main_code():
             log.debug("Temporarily enabling disable_blocking due to no supported manifest files")
             config.disable_blocking = True
 
+    # Post commit status to GitLab if enabled
+    if config.enable_commit_status and scm is not None:
+        from socketsecurity.core.scm.gitlab import Gitlab
+        if isinstance(scm, Gitlab) and scm.config.mr_project_id:
+            passed = output_handler.report_pass(diff)
+            state = "success" if passed else "failed"
+            blocking_count = sum(1 for a in diff.new_alerts if a.error)
+            if passed:
+                description = "No blocking issues"
+            else:
+                description = f"{blocking_count} blocking alert(s) found"
+            target_url = diff.report_url or diff.diff_url or ""
+            scm.set_commit_status(state, description, target_url)
+
     sys.exit(output_handler.return_exit_code(diff))
 
 
diff --git a/tests/unit/test_gitlab_commit_status.py b/tests/unit/test_gitlab_commit_status.py
@@ -0,0 +1,118 @@
+"""Tests for GitLab commit status integration"""
+import os
+import pytest
+from unittest.mock import patch, MagicMock, call
+
+from socketsecurity.core.scm.gitlab import Gitlab, GitlabConfig
+
+
+def _make_gitlab_config(**overrides):
+    defaults = dict(
+        commit_sha="abc123def456",
+        api_url="https://gitlab.example.com/api/v4",
+        project_dir="/builds/test",
+        mr_source_branch="feature",
+        mr_iid="42",
+        mr_project_id="99",
+        commit_message="test commit",
+        default_branch="main",
+        project_name="test-project",
+        pipeline_source="merge_request_event",
+        commit_author="dev@example.com",
+        token="glpat-test",
+        repository="test-project",
+        is_default_branch=False,
+        headers={"Authorization": "Bearer glpat-test", "accept": "application/json"},
+    )
+    defaults.update(overrides)
+    return GitlabConfig(**defaults)
+
+
+class TestSetCommitStatus:
+    """Test Gitlab.set_commit_status()"""
+
+    def test_calls_correct_api_path(self):
+        config = _make_gitlab_config()
+        client = MagicMock()
+        gl = Gitlab(client=client, config=config)
+        gl._request_with_fallback = MagicMock()
+
+        gl.set_commit_status("success", "No blocking issues", "https://app.socket.dev/report/123")
+
+        gl._request_with_fallback.assert_called_once_with(
+            path="projects/99/statuses/abc123def456",
+            payload={
+                "state": "success",
+                "name": "socket-security",
+                "description": "No blocking issues",
+                "target_url": "https://app.socket.dev/report/123",
+            },
+            method="POST",
+            headers=config.headers,
+            base_url=config.api_url,
+        )
+
+    def test_failed_state_payload(self):
+        config = _make_gitlab_config()
+        client = MagicMock()
+        gl = Gitlab(client=client, config=config)
+        gl._request_with_fallback = MagicMock()
+
+        gl.set_commit_status("failed", "3 blocking alert(s) found")
+
+        args = gl._request_with_fallback.call_args
+        assert args.kwargs["payload"]["state"] == "failed"
+        assert args.kwargs["payload"]["description"] == "3 blocking alert(s) found"
+        assert "target_url" not in args.kwargs["payload"]
+
+    def test_skipped_when_no_mr_project_id(self):
+        config = _make_gitlab_config(mr_project_id=None)
+        client = MagicMock()
+        gl = Gitlab(client=client, config=config)
+        gl._request_with_fallback = MagicMock()
+
+        gl.set_commit_status("success", "No blocking issues")
+
+        gl._request_with_fallback.assert_not_called()
+
+    def test_graceful_error_handling(self):
+        config = _make_gitlab_config()
+        client = MagicMock()
+        gl = Gitlab(client=client, config=config)
+        gl._request_with_fallback = MagicMock(side_effect=Exception("API error"))
+
+        # Should not raise
+        gl.set_commit_status("success", "No blocking issues")
+
+    def test_no_target_url_omitted_from_payload(self):
+        config = _make_gitlab_config()
+        client = MagicMock()
+        gl = Gitlab(client=client, config=config)
+        gl._request_with_fallback = MagicMock()
+
+        gl.set_commit_status("success", "No blocking issues", target_url="")
+
+        payload = gl._request_with_fallback.call_args.kwargs["payload"]
+        assert "target_url" not in payload
+
+
+class TestEnableCommitStatusCliArg:
+    """Test --enable-commit-status CLI argument parsing"""
+
+    def test_default_is_false(self):
+        from socketsecurity.config import create_argument_parser
+        parser = create_argument_parser()
+        args = parser.parse_args([])
+        assert args.enable_commit_status is False
+
+    def test_flag_sets_true(self):
+        from socketsecurity.config import create_argument_parser
+        parser = create_argument_parser()
+        args = parser.parse_args(["--enable-commit-status"])
+        assert args.enable_commit_status is True
+
+    def test_underscore_alias(self):
+        from socketsecurity.config import create_argument_parser
+        parser = create_argument_parser()
+        args = parser.parse_args(["--enable_commit_status"])
+        assert args.enable_commit_status is True
