Comparing changes
base repository: SocketDev/socket-python-cli
base: v2.2.75
head repository: SocketDev/socket-python-cli
compare: main
- 5 commits
- 44 files changed
- 4 contributors
Commits on Mar 4, 2026
SARIF file output and reachability filtering (#165)
* Add support for SARIF file output Signed-off-by: lelia <lelia@socket.dev>
* Ignore SARIF results Signed-off-by: lelia <lelia@socket.dev>
* Add test for new SARIF output functionality Signed-off-by: lelia <lelia@socket.dev>
* Document new CLI output flag and clarify intended usage Signed-off-by: lelia <lelia@socket.dev>
* Bump version to prep for release Signed-off-by: lelia <lelia@socket.dev>
* Bump version to account for new release Signed-off-by: lelia <lelia@socket.dev>
* Add workflow for running unittests Signed-off-by: lelia <lelia@socket.dev>
* Tweak workflow name Signed-off-by: lelia <lelia@socket.dev>
* Install dev dependencies for testing Signed-off-by: lelia <lelia@socket.dev>
* Update lockfile Signed-off-by: lelia <lelia@socket.dev>
* Add configurable option for reachability filtering with SARIF Signed-off-by: lelia <lelia@socket.dev>
* Implement reachability logic for SARIF output Signed-off-by: lelia <lelia@socket.dev>
* Add unittests to cover new reachability filtering functionality Signed-off-by: lelia <lelia@socket.dev>
* Update README to document new filtering options and required use of --reach flag Signed-off-by: lelia <lelia@socket.dev>
* Update e2e tests to include SARIF workflow Signed-off-by: lelia <lelia@socket.dev>
* Improve Slack bot mode debug logging to surface failures Signed-off-by: lelia <lelia@socket.dev>
* Skip gitlab tests that pass incorrect mock client to constructor Signed-off-by: lelia <lelia@socket.dev>
* Update old constructor to use current Mock(spec=CliConfig) pattern, plus other test fixes Signed-off-by: lelia <lelia@socket.dev>
---------
Signed-off-by: lelia <lelia@socket.dev>
Commit b8b49f5
Commits on Mar 6, 2026
Fix has_manifest_files failing to match root-level manifest files (#168)
* Fix has_manifest_files failing to match root-level manifest files
  PurePath.match("**/package.json") returns False for root-level files in Python 3.12+ because ** requires at least one directory component. The function was unconditionally prepending **/ to all patterns, causing root-level manifests like package.json and package-lock.json to never match. This forced every scan into full scan mode instead of diff scan mode, which meant MR/PR comments were never posted.
  Fix by trying the direct pattern match first, then falling back to the **/ prefixed pattern for subdirectory matching.
  Fixes Zendesk #2447
* Bump version to 2.2.77
* Add tests/core to CI trigger paths and test command
* Fixing compatibility drift between CLI <> SDK surfaced by test failures Signed-off-by: lelia <lelia@socket.dev>
* Fixing core test failures caused by updated stale fixtures, outdated test construction Signed-off-by: lelia <lelia@socket.dev>
---------
Signed-off-by: lelia <lelia@socket.dev>
Co-authored-by: lelia <lelia@socket.dev>
Commit 4903ae3
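Added example, not code from the socket-python-cli repository: a sketch of the matching behaviour the commit message for #168 describes, contrasting the always-prefixed `**/` pattern with the direct-then-prefixed fallback. The function names, the pattern list and the changed-file lists are constructed for illustration.

```python
from pathlib import PurePath

# Constructed pattern list; the commit message names only these two manifests.
MANIFEST_PATTERNS = ["package.json", "package-lock.json"]


def prefixed_only(path, patterns=MANIFEST_PATTERNS):
    """'Before' behaviour from the commit message: always prepend **/."""
    p = PurePath(path)
    return any(p.match(f"**/{pat}") for pat in patterns)


def direct_then_prefixed(path, patterns=MANIFEST_PATTERNS):
    """'After' behaviour: try the bare pattern, then fall back to **/."""
    p = PurePath(path)
    return any(p.match(pat) or p.match(f"**/{pat}") for pat in patterns)


def has_manifest(files, matcher):
    """True if any changed file is a manifest according to `matcher`."""
    return any(matcher(f) for f in files)


# Constructed changed-file lists, as a diff scan might receive them.
ROOT_ONLY = ["package.json", "README.md"]
NESTED = ["services/api/package-lock.json"]
NO_MANIFEST = ["README.md", "src/index.js"]

if __name__ == "__main__":
    for name, files in [("root", ROOT_ONLY), ("nested", NESTED),
                        ("none", NO_MANIFEST)]:
        print(name,
              "before:", has_manifest(files, prefixed_only),
              "after:", has_manifest(files, direct_then_prefixed))
```

A regression test that feeds a root-level manifest through the matcher catches this class of bug, since the nested case alone passes with either version.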
Commits on Mar 12, 2026
Fix reachability filtering, add config file support (#169)
* Add SARIF scoping/reachability controls, config file support Signed-off-by: lelia <lelia@socket.dev>
* Add coverage for new SARIF scoping, config file behavior Signed-off-by: lelia <lelia@socket.dev>
* Add config examples for different use cases Signed-off-by: lelia <lelia@socket.dev>
* Refactor docs to reduce README complexity, create dedicated CLI and CI/CD guides Signed-off-by: lelia <lelia@socket.dev>
* Bump version for release Signed-off-by: lelia <lelia@socket.dev>
* Add shared selector/filter module Signed-off-by: lelia <lelia@socket.dev>
* Refactor output handling to use shared alert selection Signed-off-by: lelia <lelia@socket.dev>
* Refactor Slack diff filtering to use shared selection semantics, facts-aware reachable filtering Signed-off-by: lelia <lelia@socket.dev>
* Add unit tests for shared selection logic Signed-off-by: lelia <lelia@socket.dev>
* Add unit tests for new Slack behavior Signed-off-by: lelia <lelia@socket.dev>
* Update output tests for strict-blocking and SARIF Signed-off-by: lelia <lelia@socket.dev>
* Add JSON config examples for reference Signed-off-by: lelia <lelia@socket.dev>
* Remove unnecessary backwards compat logic Signed-off-by: lelia <lelia@socket.dev>
* Docs refactor for better readability, dedicated guides for CLI + CI/CD usage Signed-off-by: lelia <lelia@socket.dev>
* Bump version for release Signed-off-by: lelia <lelia@socket.dev>
* Fix missing version check expected in PR preview Signed-off-by: lelia <lelia@socket.dev>
* Fix PR preview workflow to use updated version check Signed-off-by: lelia <lelia@socket.dev>
* Fix e2e regression tests to use correct SARIF flags and remove legacy assertions Signed-off-by: lelia <lelia@socket.dev>
---------
Signed-off-by: lelia <lelia@socket.dev>
Commit 637eda7
Commits on Mar 23, 2026
Update required Python version, tweak CI checks (#172)
* Add guard to not run on external fork PRs Signed-off-by: lelia <lelia@socket.dev>
* Update python tests to include installation check Signed-off-by: lelia <lelia@socket.dev>
* Bump project version and required Python version Signed-off-by: lelia <lelia@socket.dev>
* Add more unit test checks Signed-off-by: lelia <lelia@socket.dev>
* Bump project version and required Python version Signed-off-by: lelia <lelia@socket.dev>
* Add additional guardrails for PR check behaviors Signed-off-by: lelia <lelia@socket.dev>
---------
Signed-off-by: lelia <lelia@socket.dev>
Commit 27a4738
Commits on Mar 25, 2026
Fix GitHub Actions workflow security issues (zizmor) (#173)
- Fix template injection vulnerabilities by using environment variables instead of inline expressions in shell scripts (docker-stable, release)
- Pin third-party actions to full SHA commits (docker-stable)
- Add top-level permissions blocks with least-privilege scoping (docker-stable, e2e-test, version-check)
- Add persist-credentials: false to all checkout steps
- Add zizmor.yml configuration file
- Fix missing newlines at end of files
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Commit abe5df3
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v2.2.75...main