Socket Security CLI for CI/CD
Project description
Socket Security CLI
Socket Python CLI for Socket scans, diff reporting, reachability analysis, and SARIF/GitLab exports.
Comprehensive docs are available in docs/ for full flag reference, CI/CD-specific guidance, and contributor setup.
Quick start
1) Install
pip install socketsecurity
2) Authenticate
export SOCKET_SECURITY_API_TOKEN="<token>"
3) Run a basic scan
socketcli --target-path .
Common use cases
This section covers the paved path/common workflows.
For advanced options and exhaustive details, see docs/cli-reference.md.
For CI/CD-specific guidance, see docs/ci-cd.md.
Basic policy scan (no SARIF)
socketcli --target-path .
GitLab dependency-scanning report
socketcli --enable-gitlab-security --gitlab-security-file gl-dependency-scanning-report.json
SARIF use cases
Full-scope reachable SARIF (grouped alerts)
socketcli \
--reach \
--sarif-file results.sarif \
--sarif-scope full \
--sarif-grouping alert \
--sarif-reachability reachable \
--disable-blocking
Diff-scope reachable SARIF (PR/CI gating)
socketcli \
--reach \
--sarif-file results.sarif \
--sarif-scope diff \
--sarif-reachability reachable \
--strict-blocking
Full-scope SARIF (instance-level detail)
socketcli \
--reach \
--sarif-file results.sarif \
--sarif-scope full \
--sarif-grouping instance \
--sarif-reachability all \
--disable-blocking
Choose your mode
| Use case | Recommended mode | Key flags |
|---|---|---|
| Basic policy enforcement in CI | Diff-based policy check | --strict-blocking |
| Reachable-focused SARIF for reporting | Full-scope grouped SARIF | --reach --sarif-scope full --sarif-grouping alert --sarif-reachability reachable --sarif-file <path> |
| Detailed reachability export for investigations | Full-scope instance SARIF | --reach --sarif-scope full --sarif-grouping instance --sarif-reachability all --sarif-file <path> |
| Net-new PR findings only | Diff-scope SARIF | --reach --sarif-scope diff --sarif-reachability reachable --sarif-file <path> |
Dashboard parity note:
- Full-scope SARIF is the closest match for dashboard-style filtering.
- Exact result counts can still differ from the dashboard due to backend/API consolidation differences and grouping semantics.
- See
docs/troubleshooting.md#dashboard-vs-cli-result-counts.
Config files (--config)
Use --config <path> with .toml or .json to avoid long command lines.
Precedence order:
CLI flags > environment variables > config file > built-in defaults
Example:
[socketcli]
repo = "example-repo"
reach = true
sarif_scope = "full"
sarif_grouping = "alert"
sarif_reachability = "reachable"
sarif_file = "reachable.sarif"
Equivalent JSON:
{
"socketcli": {
"repo": "example-repo",
"reach": true,
"sarif_scope": "full",
"sarif_grouping": "alert",
"sarif_reachability": "reachable",
"sarif_file": "reachable.sarif"
}
}
Run:
socketcli --config .socketcli.toml --target-path .
Reference sample configs:
TOML:
examples/config/sarif-dashboard-parity.tomlexamples/config/sarif-instance-detail.tomlexamples/config/sarif-diff-ci-cd.toml
JSON:
examples/config/sarif-dashboard-parity.jsonexamples/config/sarif-instance-detail.jsonexamples/config/sarif-diff-ci-cd.json
CI/CD examples
Prebuilt workflow examples:
Minimal pattern:
- name: Run Socket CLI
run: socketcli --config .socketcli.toml --target-path .
env:
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
Common gotchas
Quick verification checks
After generating SARIF files, validate shape/count quickly:
jq '.runs[0].results | length' results.sarif
jq -r '.runs[0].results[]?.properties.reachability' results.sarif | sort -u
For side-by-side comparisons:
jq '.runs[0].results | length' sarif-dashboard-parity-reachable.sarif
jq '.runs[0].results | length' sarif-full-instance-all.sarif
jq '.runs[0].results | length' sarif-diff-reachable.sarif
Documentation reference
- Full CLI reference:
docs/cli-reference.md - CI/CD guide:
docs/ci-cd.md - Troubleshooting guide:
docs/troubleshooting.md - Development guide:
docs/development.md
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file socketsecurity-2.2.81.tar.gz.
File metadata
- Download URL: socketsecurity-2.2.81.tar.gz
- Upload date:
- Size: 804.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6b5dce177b407e3c47412b38fe9aa32a648edb9e459710ffb136c32e507cffec
|
|
| MD5 |
4374020f4d5080b6115ae7c4c92f6e7b
|
|
| BLAKE2b-256 |
4de5d4e589e84c25c4246ae2d0d769bf9ed245e676d6ed4d06d5e100af2687f6
|
Provenance
The following attestation bundles were made for socketsecurity-2.2.81.tar.gz:
Publisher:
release.yml on SocketDev/socket-python-cli
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
socketsecurity-2.2.81.tar.gz -
Subject digest:
6b5dce177b407e3c47412b38fe9aa32a648edb9e459710ffb136c32e507cffec - Sigstore transparency entry: 1289360054
- Sigstore integration time:
-
Permalink:
SocketDev/socket-python-cli@04e41d8fe3557808461911407ae7d5288388f723 -
Branch / Tag:
refs/tags/v2.2.81 - Owner: https://github.com/SocketDev
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@04e41d8fe3557808461911407ae7d5288388f723 -
Trigger Event:
release
-
Statement type:
File details
Details for the file socketsecurity-2.2.81-py3-none-any.whl.
File metadata
- Download URL: socketsecurity-2.2.81-py3-none-any.whl
- Upload date:
- Size: 101.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cbb8fdebdfdf5b2fee853d837349a0f6e517d701c88348bad872d0c8bf287089
|
|
| MD5 |
3017917bf67549b1720e0b530803a54a
|
|
| BLAKE2b-256 |
0d37047ed1ef8089e981f6715ecb0b5425d0d0e7d593f9d98f797e96a97667e2
|
Provenance
The following attestation bundles were made for socketsecurity-2.2.81-py3-none-any.whl:
Publisher:
release.yml on SocketDev/socket-python-cli
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
socketsecurity-2.2.81-py3-none-any.whl -
Subject digest:
cbb8fdebdfdf5b2fee853d837349a0f6e517d701c88348bad872d0c8bf287089 - Sigstore transparency entry: 1289360127
- Sigstore integration time:
-
Permalink:
SocketDev/socket-python-cli@04e41d8fe3557808461911407ae7d5288388f723 -
Branch / Tag:
refs/tags/v2.2.81 - Owner: https://github.com/SocketDev
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@04e41d8fe3557808461911407ae7d5288388f723 -
Trigger Event:
release
-
Statement type:
