Comparing changes

base repository: SocketDev/socket-python-cli
base: v2.2.76
head repository: SocketDev/socket-python-cli
compare: main
  • 4 commits
  • 43 files changed
  • 4 contributors

Commits on Mar 6, 2026

  1. Fix has_manifest_files failing to match root-level manifest files (#168)

    * Fix has_manifest_files failing to match root-level manifest files
    
    PurePath.match("**/package.json") returns False for root-level files
    in Python 3.12+ because ** requires at least one directory component.
    The function was unconditionally prepending **/ to all patterns,
    causing root-level manifests like package.json and package-lock.json
    to never match. This forced every scan into full scan mode instead of
    diff scan mode, which meant MR/PR comments were never posted.
    
    Fix by trying the direct pattern match first, then falling back to
    the **/ prefixed pattern for subdirectory matching.
    
    Fixes Zendesk #2447
    
    * Bump version to 2.2.77
    
    * Add tests/core to CI trigger paths and test command
    
    * Fixing compatibility drift between CLI <> SDK surfaced by test failures
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Fixing core test failures caused by updated stale fixtures, outdated test construction
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    ---------
    
    Signed-off-by: lelia <lelia@socket.dev>
    Co-authored-by: lelia <lelia@socket.dev>
    dc-larsen and lelia authored Mar 6, 2026
    Commit 4903ae3
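
The matching behaviour described in the commit message for #168, as an added example that is not the project's own code: it compares a matcher that always prepends `**/` with one that tries the direct pattern first, and lists the changed files the first one silently drops. The function names and the sample pattern list are assumptions made for illustration.

```python
from pathlib import PurePath

# Constructed sample patterns; the CLI's real manifest pattern list is not shown on this page.
SAMPLE_PATTERNS = ["package.json", "package-lock.json", "requirements/*.txt"]


def match_prefixed_only(path: str, pattern: str) -> bool:
    """Behaviour before the fix: every pattern gets a **/ prefix."""
    return PurePath(path).match(f"**/{pattern}")


def match_direct_first(path: str, pattern: str) -> bool:
    """Behaviour after the fix: direct match first, then the **/ fallback."""
    p = PurePath(path)
    return p.match(pattern) or p.match(f"**/{pattern}")


def has_manifest_files(files, patterns=SAMPLE_PATTERNS, matcher=match_direct_first) -> bool:
    """True if any changed file matches any manifest pattern."""
    # Normalise Windows separators so the same patterns work on any runner.
    normalised = [f.replace("\\", "/") for f in files]
    return any(matcher(f, pat) for f in normalised for pat in patterns)


def regression_misses(files, patterns=SAMPLE_PATTERNS):
    """Files the fixed matcher accepts but the prefixed-only matcher drops."""
    return [
        f for f in files
        if any(match_direct_first(f, p) for p in patterns)
        and not any(match_prefixed_only(f, p) for p in patterns)
    ]


if __name__ == "__main__":
    # Constructed list of changed files for a hypothetical pull request.
    changed = ["package.json", "services/api/package.json",
               "requirements/dev.txt", "src/index.js"]
    print("prefixed only:", has_manifest_files(changed[:1], matcher=match_prefixed_only))
    print("direct first: ", has_manifest_files(changed[:1]))
    print("missed before fix:", regression_misses(changed))
```

A check like `regression_misses` is worth keeping as a unit test for a scanner: a manifest that fails to match raises no error, it only changes which scan path runs.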

Commits on Mar 12, 2026

  1. Fix reachability filtering, add config file support (#169)

    * Add SARIF scoping/reachability controls, config file support
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add coverage for new SARIF scoping, config file behavior
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add config examples for different use cases
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Refactor docs to reduce README complexity, create dedicated CLI and CI/CD guides
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Bump version for release
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add shared selector/filter module
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Refactor output handling to use shared alert selection
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Refactor Slack diff filtering to use shared selection semantics, facts-aware reachable filtering
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add unit tests for shared selection logic
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add unit tests for new Slack behavior
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Update output tests for strict-blocking and SARIF
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add JSON config examples for reference
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Remove unnecessary backwards compat logic
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Docs refactor for better readability, dedicated guides for CLI + CI/CD usage
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Bump version for release
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Fix missing version check expected in PR preview
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Fix PR preview workflow to use updated version check
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Fix e2e regression tests to use correct SARIF flags and remove legacy assertions
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    ---------
    
    Signed-off-by: lelia <lelia@socket.dev>
    lelia authored Mar 12, 2026
    Commit 637eda7

Commits on Mar 23, 2026

  1. Update required Python version, tweak CI checks (#172)

    * Add guard to not run on external fork PRs
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Update python tests to include installation check
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Bump project version and required Python version
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add more unit test checks
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Bump project version and required Python version
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    * Add additional guardrails for PR check behaviors
    
    Signed-off-by: lelia <lelia@socket.dev>
    
    ---------
    
    Signed-off-by: lelia <lelia@socket.dev>
    lelia authored Mar 23, 2026
    Commit 27a4738

Commits on Mar 25, 2026

  1. Fix GitHub Actions workflow security issues (zizmor) (#173)

    - Fix template injection vulnerabilities by using environment variables
      instead of inline expressions in shell scripts (docker-stable, release)
    - Pin third-party actions to full SHA commits (docker-stable)
    - Add top-level permissions blocks with least-privilege scoping
      (docker-stable, e2e-test, version-check)
    - Add persist-credentials: false to all checkout steps
    - Add zizmor.yml configuration file
    - Fix missing newlines at end of files
    
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    reberhardt7 and claude authored Mar 25, 2026
    Commit abe5df3