
SARIF file output and reachability filtering#165

Merged
dacoburn merged 19 commits into main from lelia/fix-sarif-output on Mar 4, 2026

Conversation

@lelia lelia commented Feb 27, 2026

Summary

Adds two new SARIF output flags and improves Slack bot mode debug logging:

  • --sarif-file <path> — saves SARIF output to a file for upload to GitHub Code Scanning, SonarQube, VS Code, etc.
  • --sarif-reachable-only — filters SARIF output to reachable (blocking) findings only (requires --reach)
  • Improved --enable-debug logging in Slack bot mode to surface silent failures when reachability alerts aren't being sent

Changes

  • --sarif-file: added config field + CLI flag; implies --enable-sarif so users don't need to pass both
  • --sarif-reachable-only: added config field + CLI flag; exits with a clear error if passed without --reach
  • output.py: output_console_sarif now writes to the specified filepath in addition to stdout, and pre-filters alerts when --sarif-reachable-only is set
  • Testing: added unit tests for SARIF file output, reachability filtering, and --sarif-reachable-only config validation; added Unit Tests CI workflow; extended e2e tests to validate --sarif-file output and assert reachable-only is a subset of unfiltered results
  • Slack debugging: surfaces bot token presence, Slack mode, and reachability facts file path/existence; upgraded silent return paths in _send_bot_reachability_alerts to error-level logging

Testing

  • Confirmed all new unit tests pass both locally and in CI
  • Ran socketcli --sarif-file results.sarif against a representative repo
  • Confirmed that a results.sarif file was output with valid syntax

Preview

Representative preview of what results.sarif output looks like:

{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Socket Security",
          "informationUri": "https://socket.dev",
          "rules": [
            {
              "id": "lodash==4.17.20 (package.json)",
              "name": "Alert lodash==4.17.20 (package.json)",
              "shortDescription": {
                "text": "Alert lodash==4.17.20 (package.json)"
              },
              "fullDescription": {
                "text": "Prototype Pollution - test"
              },
              "helpUri": "https://socket.dev/npm/package/lodash/alerts/4.17.20",
              "defaultConfiguration": {
                "level": "error"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "lodash==4.17.20 (package.json)",
          "message": {
            "text": "<br/><br/>Suggested Action:<br/><br/><a href=\"https://socket.dev/npm/package/lodash/alerts/4.17.20\">https://socket.dev/npm/package/lodash/alerts/4.17.20</a>"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "package.json"
                },
                "region": {
                  "startLine": 1,
                  "snippet": {
                    "text": "package.json not found"
                  }
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Signed-off-by: lelia <lelia@socket.dev>
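An added example, not code from this PR or from socketcli, of the two checks the description says the e2e tests perform: that a results.sarif file has the structure shown in the preview above, and that the --sarif-reachable-only output is a subset of the unfiltered --enable-sarif output. Results are matched on (ruleId, artifact uri, startLine); sample_sarif builds constructed documents in the preview's shape, and the package names it is fed in the test are placeholders.

```python
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

def result_key(res):
    # Identify a result by (ruleId, artifact uri, startLine).
    loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
    return (res.get("ruleId"), loc.get("artifactLocation", {}).get("uri"),
            loc.get("region", {}).get("startLine"))

def validate_sarif(doc):
    # Structural checks Code Scanning relies on; an empty list means OK.
    problems = []
    if doc.get("$schema") != SARIF_SCHEMA:
        problems.append("missing or unexpected $schema")
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty list"]
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{i}]: tool.driver.name missing")
        declared = {r.get("id") for r in driver.get("rules", [])}
        for j, res in enumerate(run.get("results", [])):
            rule_id, uri, _ = result_key(res)
            if rule_id not in declared:  # every result must reference a declared rule
                problems.append(f"runs[{i}].results[{j}]: undeclared ruleId {rule_id!r}")
            if not uri:
                problems.append(f"runs[{i}].results[{j}]: no artifactLocation.uri")
    return problems

def result_keys(doc):
    return {result_key(r) for run in doc.get("runs", []) for r in run.get("results", [])}

def reachable_only_is_subset(filtered_doc, unfiltered_doc):
    # Every finding in --sarif-reachable-only output must also be in the unfiltered output.
    return result_keys(filtered_doc) <= result_keys(unfiltered_doc)

def sample_sarif(alerts):
    # Constructed sample in the shape of the PR preview: alerts = [(rule_id, uri, line), ...].
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "Socket Security",
                            "rules": [{"id": rid} for rid, _, _ in alerts]}},
        "results": [{"ruleId": rid, "message": {"text": "constructed"},
                     "locations": [{"physicalLocation": {
                         "artifactLocation": {"uri": uri},
                         "region": {"startLine": line}}}]}
                    for rid, uri, line in alerts]}]}
```

To check real output, json.load the file written by --sarif-file and the one written with --sarif-reachable-only added, then pass the two dicts to validate_sarif and reachable_only_is_subset.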
@lelia lelia requested a review from a team as a code owner February 27, 2026 01:03
github-actions bot commented Feb 27, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.76.dev6

Docker image: socketdev/cli:pr-165

lelia added 12 commits March 3, 2026 14:25
Signed-off-by: lelia <lelia@socket.dev>
…-reach flag

Signed-off-by: lelia <lelia@socket.dev>
socket-security-staging bot commented Mar 3, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated
Package: pypi/socketdev@3.0.31 ⏵ 3.0.32
Supply Chain Security: 98 (+1)
Vulnerability: 100
Quality: 100
Maintenance: 100
License: 100

View full report

socket-security bot commented Mar 3, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated
Package: pypi/socketdev@3.0.31 ⏵ 3.0.32
Supply Chain Security: 98 (+1)
Vulnerability: 100
Quality: 100
Maintenance: 100
License: 100

View full report

lelia added 2 commits March 3, 2026 16:38
…lus other test fixes

Signed-off-by: lelia <lelia@socket.dev>
@lelia lelia changed the title Add support for writing SARIF results to a file SARIF file output and reachability filtering Mar 3, 2026
@dacoburn dacoburn merged commit b8b49f5 into main Mar 4, 2026
10 checks passed
@dacoburn dacoburn deleted the lelia/fix-sarif-output branch March 4, 2026 00:09