feat: Add Socket Security integrations and fix scan failure detection #24
Open: dacoburn wants to merge 11 commits into main from doug/add-socket-sca-and-jira
Conversation
…system
- Replace pip with uv for faster dependency resolution and modern Python packaging
- Add pyproject.toml with project configuration and dependencies
- Update Dockerfile to use uv sync --frozen for reproducible builds
- Implement comprehensive version management system:
  - Create src/version.py for runtime version imports
  - Add .hooks/version-check.py pre-commit hook with auto-bump functionality
  - Support both patch and dev version bumping (.devN)
  - Sync versions between pyproject.toml and version.py automatically
  - Include PyPI conflict detection
- Update documentation with uv installation and usage instructions
- Add version management setup and usage to README
- Remove requirements.txt (replaced by pyproject.toml + uv.lock)
- Update version to 1.0.18
- Maintain full compatibility with existing Docker workflow and GitHub Actions

Dependencies: All previous dependencies preserved in pyproject.toml
- Install Socket NPM CLI globally via npm
- Install Socket Python CLI via uv tool install
- Both CLIs will be available for security scanning workflows
- Version bumped to 1.0.20
Socket Reachability & SCA Integration:
- Add Socket reachability scanning with configurable org parameter
- Add Socket SCA scanning with configurable files parameter
- Create connector classes for Socket and SocketSCA tools
- Add environment variable support for Socket API keys

Bug Fix - Scan Failure Detection:
- Fix critical issue where Socket SCA scan failures weren't causing build failures
- Implement proper JSON extraction from mixed log/JSON output using regex pattern
- Add file path resolution using TEMP_OUTPUT_DIR environment variable
- Add explicit scan failure detection logic that exits with code 1
- Create SocketSCAEvent class for proper event handling in console output

Technical Improvements:
- Update entrypoint.sh with Socket CLI integration and JSON parsing
- Enhance socket_external_tools_runner.py with scan failure detection
- Add comprehensive error handling and logging
- Update action.yml with new Socket-related input parameters
- Add Python version management with .python-version and pyproject.toml
- Include test files for validating Socket SCA failure scenarios

The fix ensures that when Socket SCA returns scan_failed: true with critical alerts, the system properly exits with error code 1 and displays appropriate error messaging instead of incorrectly reporting 'No issues detected'.
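The failure mode this commit fixes is a generic one for CI wrappers around scanners: the scanner's JSON report is interleaved with (or prefixed by) log lines, a naive parse silently fails, and the job reports a clean result. The following is an added example written for this page, not the project's socket_external_tools_runner.py or entrypoint.sh. It pulls the JSON object out of mixed output with a regex, tolerates a timestamp in front of the JSON line, resolves the output file under TEMP_OUTPUT_DIR, and exits 1 when scan_failed is true. The scan_failed field and TEMP_OUTPUT_DIR are named in the commit; the alerts/severity shape and the sample output are constructed assumptions.

```python
"""Added example: extract a JSON report from mixed scanner output and fail the build on scan_failed."""
import json
import os
import re
import sys

# Constructed sample output: log lines interleaved with the JSON report.
# The second log line deliberately contains braces to show the fallback path.
SAMPLE_OUTPUT = """\
2025-08-25T10:00:01Z INFO  socket: starting SCA scan
2025-08-25T10:00:02Z DEBUG socket: resolving 42 packages {batch: 1}
{"scan_failed": true, "alerts": [{"severity": "critical", "type": "malware", "purl": "pkg:npm/example-pkg@1.2.3"}, {"severity": "low", "type": "deprecated", "purl": "pkg:npm/other-pkg@0.1.0"}]}
2025-08-25T10:00:03Z INFO  socket: scan complete
"""

# Constructed sample where the logger prefixed the JSON line with a timestamp.
SAMPLE_TIMESTAMPED = '2025-08-25T10:00:02Z {"scan_failed": false, "alerts": []}\n'

# One JSON object per line: capture from the first '{' on a line to the last '}'
# on that same line, so a timestamp or log-level prefix before the JSON is skipped.
JSON_LINE = re.compile(r"(\{.*\})\s*$", re.MULTILINE)


def extract_report(output: str) -> dict:
    """Return the first line-level JSON object that parses; raise if none does."""
    for match in JSON_LINE.finditer(output):
        try:
            return json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # a log line that merely contains braces
    raise ValueError("no JSON report found in scanner output")


def evaluate_report(report: dict) -> tuple:
    """Decide whether the build must fail and build the console message.

    `scan_failed` is the field named in the PR; `alerts` and `severity` are an
    assumed report shape for this example.
    """
    alerts = report.get("alerts") or []
    critical = [a for a in alerts if str(a.get("severity", "")).lower() == "critical"]
    if report.get("scan_failed"):
        summary = ", ".join(f"{a.get('type')} in {a.get('purl')}" for a in critical)
        return True, (f"Socket SCA scan failed: {len(critical)} critical alert(s)"
                      f" ({summary or 'no critical alerts listed'})")
    return False, "No issues detected"


def resolve_output_path(filename: str) -> str:
    """Resolve the scanner output file under TEMP_OUTPUT_DIR (defaults to cwd)."""
    return os.path.join(os.environ.get("TEMP_OUTPUT_DIR", "."), filename)


def main(argv: list) -> int:
    """Read the output file named in argv[1] (or the constructed sample) and return the exit code."""
    if len(argv) > 1:
        with open(resolve_output_path(argv[1]), encoding="utf-8") as fh:
            output = fh.read()
    else:
        output = SAMPLE_OUTPUT
    try:
        report = extract_report(output)
    except ValueError as exc:
        # Missing report is itself a failure: never let "no JSON" read as "no issues".
        print(f"ERROR: {exc}", file=sys.stderr)
        return 1
    failed, message = evaluate_report(report)
    print(message, file=sys.stderr if failed else sys.stdout)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points matter here: an unparsable report is treated as a failure rather than a clean run, and the regex is anchored per line so a brace inside an ordinary log message only costs one failed `json.loads` attempt instead of corrupting the match.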
- Resolved conflicts in Dockerfile (kept uv tool install approach)
- Resolved version conflicts and auto-bumped to 1.0.23
- Successfully merged JIRA support features
mtorp approved these changes on Aug 25, 2025
✅
…dardization, and consolidated facts processing

🔧 Core Infrastructure:
- Add light-s3-client 0.0.30 dependency for S3-compatible storage
- Implement S3 upload/download with change detection for .socket.facts.json
- Update Docker container structure with proper working directories
- Fix entrypoint.sh duplicate declarations and consolidation logic

📊 Data Format Standardization:
- Standardize tool types to format like 'sast-bandit', 'secrets-trufflehog', 'container-trivy'
- Implement proper PURL format: pkg:ecosystem/name@version?type=tool-type
- Add PURL creation for Socket components that initially lack purl fields
- Update version to 1.0.25 across all components

🔄 Socket Facts Consolidation:
- Add _process_socket_vulnerabilities method to create alerts from Socket reachability data
- Implement comprehensive security tool result consolidation into .socket.facts.json
- Add new_alerts field with S3-based change detection to prevent duplicate processing
- Support for all security tools: Bandit, Gosec, ESLint, Trufflehog, Trivy, Socket SCA, Socket Reachability

🎯 Plugin Integration Improvements:
- Update Jira plugin with enhanced table format including Tool and Source columns
- Add _extract_tool_from_purl() and _clean_purl_source() methods to all plugins
- Implement send_consolidated_security_alerts() across Jira, Slack, Teams, Webhook plugins
- Fix Jira authentication and project access with better error handling

🐛 Bug Fixes:
- Fix Socket SCA JSON extraction from timestamped output
- Resolve merge conflict in socket_sca connector
- Fix Trufflehog file path normalization and line number extraction
- Improve error handling and debug output across all components

This update establishes a robust foundation for security tool integration with proper data standardization, S3-based state management, and comprehensive plugin support for external integrations.
- Socket Reachability/SCA components now use ecosystem types (npm, pypi, etc.)
- SAST, secrets, and container scanning use generic component type
- Group alerts by file using qualifiers for shared context
- Move code blocks into alert properties instead of separate fields
- Multiple alerts per file consolidated into single components
- Preserve Socket vulnerability data with ecosystem-specific typing

This aligns the consolidated facts format with the injectable alert artifact schema constraints while maintaining backwards compatibility for Socket tooling that expects ecosystem-typed components.
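The two commits above describe a consolidation scheme: every finding is keyed by a PURL of the form pkg:ecosystem/name@version?type=tool-type, Socket components keep their real ecosystem (npm, pypi), scanner findings on files use the generic type, and several alerts on the same file collapse into one component with the code block carried as an alert property. The following added example, written for this page and not taken from the project's consolidation code, implements that scheme over a constructed set of findings. The tool-type strings 'sast-bandit' and 'secrets-trufflehog' come from the commit; the finding shape, the 'sca-socket' label and the percent-encoding of slashes in file names are assumptions of this example.

```python
"""Added example: build PURL-keyed components and consolidate per-file alerts."""
import json
from typing import Dict, List, Optional
from urllib.parse import quote

# Constructed findings from three tools; the field names are assumed for this example.
FINDINGS = [
    {"tool": "sast-bandit", "file": "src/app.py", "line": 12, "severity": "medium",
     "title": "B602 subprocess call with shell=True", "code": "subprocess.call(cmd, shell=True)"},
    {"tool": "sast-bandit", "file": "src/app.py", "line": 40, "severity": "low",
     "title": "B101 assert used", "code": "assert user is not None"},
    {"tool": "secrets-trufflehog", "file": "config/.env", "line": 3, "severity": "high",
     "title": "Generic API key", "code": "API_KEY=<redacted>"},
    # Socket components carry an ecosystem, name and version rather than a file.
    {"tool": "sca-socket", "ecosystem": "npm", "name": "example-pkg", "version": "1.2.3",
     "severity": "critical", "title": "Known malware", "code": None},
]


def build_purl(ptype: str, name: str, version: Optional[str] = None,
               qualifiers: Optional[Dict[str, str]] = None) -> str:
    """Assemble pkg:<type>/<name>[@<version>][?k=v&...] with percent-encoded parts.

    Slashes in the name are encoded so a file path stays a single name segment;
    qualifier keys are lower-cased and sorted, as the PURL spec requires.
    """
    purl = f"pkg:{ptype.lower()}/{quote(name, safe='')}"
    if version:
        purl += "@" + quote(version, safe="")
    if qualifiers:
        pairs = sorted((k.lower(), quote(v, safe="")) for k, v in qualifiers.items())
        purl += "?" + "&".join(f"{k}={v}" for k, v in pairs)
    return purl


def component_purl(finding: dict) -> str:
    """Ecosystem-typed PURL for package findings, generic PURL for file findings."""
    if "ecosystem" in finding:
        return build_purl(finding["ecosystem"], finding["name"], finding["version"],
                          {"type": finding["tool"]})
    return build_purl("generic", finding["file"], None, {"type": finding["tool"]})


def consolidate(findings: List[dict]) -> List[dict]:
    """Group findings into one component per PURL; code blocks become alert props."""
    components: Dict[str, dict] = {}
    for f in findings:
        purl = component_purl(f)
        comp = components.setdefault(purl, {
            "purl": purl,
            "type": purl[len("pkg:"):].split("/", 1)[0],
            "alerts": [],
        })
        alert = {"type": f["tool"], "severity": f["severity"], "title": f["title"], "props": {}}
        if f.get("line") is not None:
            alert["props"]["line"] = f["line"]
        if f.get("code"):
            alert["props"]["code"] = f["code"]
        comp["alerts"].append(alert)
    return list(components.values())


if __name__ == "__main__":
    print(json.dumps(consolidate(FINDINGS), indent=2))
```

Keying on the full PURL (type, name, version and tool qualifier) is what makes the change detection in the previous commit workable: the same Bandit finding produces the same component key on every run, so a diff against the stored .socket.facts.json only surfaces genuinely new alerts.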