Comparing changes

base repository: SocketDev/socket-python-cli
base: v2.2.62
head repository: SocketDev/socket-python-cli
compare: main
  • 15 commits
  • 22 files changed
  • 7 contributors

Commits on Jan 5, 2026

  1. Commit d0886a5

Commits on Jan 16, 2026

  1. feat: add PyPy installation for Alpine on x86_64 (#148)

    * feat: add PyPy installation for Alpine on x86_64
    
    Install Alpine-compatible PyPy3.11 build on amd64 platforms to enable
    faster Python reachability analysis.
    
    * Fix versions & changelog
    
    * Bump version to 2.2.65
    
    ---------
    
    Co-authored-by: Douglas Coburn <douglas@dactbc.com>
    BarrensZeppelin and dacoburn authored Jan 16, 2026
    Commit 0f0127a
  2. Mucha dev fail on any block (#149)

    * feat: add --strict-blocking flag to fail on any existing security violations
    
    Introduces a new --strict-blocking flag that causes builds to fail on ANY
    security policy violations with blocking severity, not just new ones. This
    enables enforcement of a zero-tolerance policy on security issues.
    
    Key features:
    - Works in diff mode only (logs warning in API mode)
    - Only fails on error-level alerts (not warnings)
    - --disable-blocking takes precedence when both flags are set
    - Enhanced console output distinguishes NEW vs EXISTING violations
    - Comprehensive test coverage for all scenarios
    
    Implementation details:
    - Added unchanged_alerts and removed_alerts fields to Diff class
    - Created get_unchanged_alerts() method to extract alerts from unchanged packages
    - Updated report_pass() to check both new and unchanged alerts when enabled
    - Added validation warnings for conflicting flags and API mode limitations
    
    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
    
    * chore: update uv.lock with version 2.2.63
    
    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
    
    * docs: add --strict-blocking flag documentation to README
    
    Added comprehensive documentation for the new --strict-blocking feature:
    
    - Added flag to Advanced Configuration parameters table
    - Created dedicated "Strict Blocking Mode" section with:
      - Behavior comparison (standard vs strict)
      - Usage examples for different CI/CD platforms
      - Output examples showing NEW vs EXISTING violations
      - Common use cases and implementation strategies
      - Important notes about limitations and flag priority
      - Flag combination examples
      - Migration strategy guidance
      - Links to GitLab CI example files
    
    The documentation clearly explains:
    - Zero-tolerance security policy enforcement
    - Diff mode requirement
    - Error-level filtering (not warnings)
    - --disable-blocking precedence
    - First scan behavior
    
    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
    
    * chore: bump version to 2.3.1 for --strict-blocking feature
    
    Bumped version from 2.2.63 to 2.3.1 following semantic versioning
    (minor version bump for new feature).
    
    This version number avoids conflict with the mucha-dev-gitlab-security-output
    branch which uses 2.3.0 for the GitLab Security Dashboard feature.
    
    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
    
    * version sync
    
    * Bumping version
    
    ---------
    
    Co-authored-by: Jonathan Mucha <jonathan@mucha.local>
    Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
    Co-authored-by: Douglas Coburn <douglas@dactbc.com>
    4 people authored Jan 16, 2026
    Commit 54e6ec7
  3. Mucha dev gitlab security output (#147)

    * feat: add GitLab Security Dashboard integration with Dependency Scanning report output
    
    Adds support for generating GitLab-compatible Dependency Scanning reports that integrate with GitLab's Security Dashboard. This feature enables Socket security findings to be displayed natively in GitLab merge requests and security dashboards.
    
    Key Features:
    - New --enable-gitlab-security flag to generate GitLab reports
    - New --gitlab-security-file flag for custom output paths (default: gl-dependency-scanning-report.json)
    - Generates GitLab Dependency Scanning schema v15.0.0 compliant reports
    - Supports multiple simultaneous output formats (JSON, SARIF, GitLab)
    - Includes actionable security alerts (error/warn level) in vulnerability reports
    - Maps Socket severity levels to GitLab severity (Critical, High, Medium, Low)
    - Extracts CVE identifiers and dependency chain information
    - Generates deterministic UUIDs for vulnerability tracking
    
    Implementation:
    - Added GitLab report generator in messages.py with helper functions for severity mapping, identifier extraction, and location parsing
    - Refactored OutputHandler to support multiple simultaneous output formats
    - Added comprehensive unit tests (test_gitlab_format.py) and integration tests
    - Updated documentation with usage examples, CI/CD integration guide, and alert filtering details
    
    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
    
    * capturing all recent changes
    
    * chore: bump version to 2.3.0 for GitLab Security Dashboard feature
    
    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
    
    * bumping version
    
    * Removing unneeded files
    
    ---------
    
    Co-authored-by: Jonathan Mucha <jonathan@mucha.local>
    Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
    Co-authored-by: Douglas Coburn <douglas@dactbc.com>
    4 people authored Jan 16, 2026
    Commit 3defe2e

Commits on Jan 19, 2026

  1. feat: add new reachability flags and change analysis splitting default

    - Add --reach-enable-analysis-splitting flag (splitting now disabled by default)
    - Add --reach-detailed-analysis-log-file flag
    - Add --reach-lazy-mode flag
    - Keep --reach-disable-analysis-splitting as hidden no-op for backwards compatibility
    mtorp committed Jan 19, 2026
    Commit b8231bb

Commits on Jan 20, 2026

  1. fix description

    mtorp committed Jan 20, 2026
    Commit c4cd89a
  2. Merge pull request #153 from SocketDev/reach-new-flags

    feat: add new reachability flags and change analysis splitting default
    mtorp authored Jan 20, 2026
    Commit ef21b60

Commits on Jan 21, 2026

  1. Commit 92ebc97
  2. Merge pull request #154 from SocketDev/set-scan-type-when-reach

    Set the scan type to socket_tier1 when using the reachability flag
    mtorp authored Jan 21, 2026
    Commit 03549b4

Commits on Jan 22, 2026

  1. Add strace to Docker image

    Added strace to the base packages in the Docker image for debugging purposes.
    mtorp committed Jan 22, 2026
    Commit 628e386
  2. Merge pull request #155 from SocketDev/add-strace-to-docker

    Add strace to Docker image
    mtorp authored Jan 22, 2026
    Commit 9007613

Commits on Feb 5, 2026

  1. e2e tests for full scans

    mtorp committed Feb 5, 2026
    Commit b0c00be
  2. Commit d021137
  3. Commit 4f2be5c

Commits on Feb 6, 2026

  1. Merge pull request #156 from SocketDev/e2e-test

    e2e tests for full scans + full scans with reachability
    mtorp authored Feb 6, 2026
    Commit 38c064d