Complete reference for all CLI options and environment variables supported by Socket Basics.
- Core Options
- Language Scanning
- Secret Scanning
- Container Scanning
- Socket Integration
- Notification Options
- Environment Variables
- Configuration File
Core Options

CLI Option: --config
Path to a JSON configuration file. Values from the file are merged with environment variables and command-line arguments; see Configuration File for the exact precedence order. When --config is used, Socket Basics API (dashboard) configuration is not fetched.
Example:
```bash
socket-basics --config /path/to/config.json
```

CLI Option: --output
Output file name for scan results.
Default: .socket.facts.json
Example:
```bash
socket-basics --output scan-results.json
```

CLI Option: --workspace
Workspace directory to scan.
Default: Current directory
Example:
```bash
socket-basics --workspace /path/to/project
```

CLI Option: --repo
Repository name (use when the workspace is not a git repository).
Example:
```bash
socket-basics --repo myorg/myproject
```

CLI Option: --branch
Branch name (use when the workspace is not a git repository).
Example:
```bash
socket-basics --branch main
```

CLI Option: --default-branch
Explicitly mark this branch as the default branch (sets make_default_branch=true and set_as_pending_head=true).
Example:
```bash
socket-basics --default-branch
```

CLI Option: --commit-message
Commit message for full scan submission.
Example:
```bash
socket-basics --commit-message "feat: add new feature"
```

CLI Option: --pull-request
Pull request number for full scan submission.
Example:
```bash
socket-basics --pull-request 123
```

CLI Option: --committers
Comma-separated list of committers for full scan submission.
Example:
```bash
socket-basics --committers "user1@example.com,user2@example.com"
```

CLI Option: --scan-files
Explicit comma-separated list of files to scan. Scopes all scanners (SAST/OpenGrep, secrets, and container scanning) to just these files instead of the whole workspace. Used when --changed-files is not set (--changed-files takes precedence when both are provided). Paths that do not exist are skipped; if none of them exist, the scanners are skipped rather than scanning the whole repository.
Example:
```bash
socket-basics --scan-files "src/app.py,src/utils.js"
```

CLI Option: --changed-files
Diff-only mode: scope all scanners (SAST/OpenGrep, secrets, containers) to changed files only, the way Socket SCA Pull Request alerts behave. Accepts:
- a comma-separated file list (e.g. src/app.py,src/utils.js)
- a commit hash: files changed in that commit
- auto: the PR base-ref diff when running in a PR CI context (GITHUB_BASE_REF is set), otherwise staged (--cached) changes
- pr: diff against the PR base branch (GITHUB_BASE_REF)
- current-commit: files in the HEAD commit
Deletions are excluded from PR/auto/pr diffs so removed paths never become scan targets. When the diff resolves to no existing files (e.g. a delete-only PR), the scanners are skipped rather than falling back to scanning the whole repository. For PR/auto/pr modes, check out with full history (e.g. actions/checkout with fetch-depth: 0) so the base branch is available.
Example:
```bash
socket-basics --changed-files auto
```

CLI Option: --console-tabular-enabled
Enable consolidated console tabular output (displays results in formatted tables).
Example:
```bash
socket-basics --console-tabular-enabled
```

CLI Option: --console-json-enabled
Enable consolidated console JSON output (displays results as JSON).
Example:
```bash
socket-basics --console-json-enabled
```

CLI Option: --verbose
Enable verbose logging for debugging.
Example:
```bash
socket-basics --verbose
```

CLI Option: --enable-s3-upload
Enable uploading the output file to S3 using the SOCKET_S3_* environment variables.
Example:
```bash
socket-basics --enable-s3-upload
```

Language Scanning

Use these flags to enable SAST (Static Application Security Testing) scanning for specific languages:
- --python: Enable Python SAST scanning
- --javascript: Enable JavaScript/TypeScript SAST scanning
- --go or --golang: Enable Go SAST scanning
- --java: Enable Java SAST scanning
- --php: Enable PHP SAST scanning
- --ruby: Enable Ruby SAST scanning
- --csharp or --dotnet: Enable C#/.NET SAST scanning
- --c: Enable C SAST scanning
- --cpp: Enable C++ SAST scanning
- --kotlin: Enable Kotlin SAST scanning
- --scala: Enable Scala SAST scanning
- --swift: Enable Swift SAST scanning
- --rust: Enable Rust SAST scanning
- --elixir: Enable Elixir SAST scanning
- --erlang: Enable Erlang SAST scanning
Example:
```bash
socket-basics --python --javascript --go
```

CLI Option: --all-languages
Enable SAST for all supported languages.
Example:
```bash
socket-basics --all-languages
```

CLI Option: --all-rules
Run all bundled SAST rules regardless of language filters.
Example:
```bash
socket-basics --all-rules
```

CLI Option: --use-custom-sast-rules
Use custom SAST rules instead of the bundled rules (falls back to bundled rules for languages without custom rules).
Environment Variable: INPUT_USE_CUSTOM_SAST_RULES
Default: false
Example:
```bash
socket-basics --python --use-custom-sast-rules
```
When this is enabled, custom rules are loaded from YAML files under --custom-sast-rule-path. Each rule must include a languages list so Socket Basics can map it to the correct OpenGrep language rule file.
CLI Option: --custom-sast-rule-path
Relative path to the custom SAST rules directory (relative to the workspace if set, otherwise to the current working directory).
Environment Variable: INPUT_CUSTOM_SAST_RULE_PATH
Default: custom_rules
Example:
```bash
socket-basics --python --use-custom-sast-rules --custom-sast-rule-path "my_custom_rules"
```
Custom rule file notes:
- .yml and .yaml files are discovered recursively.
- Files ending in .test.yml or .test.yaml are ignored.
- Rules without a languages list are skipped.
For each language, you can enable or disable specific rules:
Pattern: --<language>-enabled-rules or --<language>-disabled-rules
Examples:
```bash
# Enable specific Python rules
socket-basics --python --python-enabled-rules "sql-injection,xss-detection"
# Disable specific JavaScript rules
socket-basics --javascript --javascript-disabled-rules "console-log,debugger-statement"
# Enable specific Go rules
socket-basics --go --go-enabled-rules "error-handling,sql-injection"
```
Available for:
- --python-enabled-rules / --python-disabled-rules
- --javascript-enabled-rules / --javascript-disabled-rules
- --go-enabled-rules / --go-disabled-rules
- --java-enabled-rules / --java-disabled-rules
- --php-enabled-rules / --php-disabled-rules
- --ruby-enabled-rules / --ruby-disabled-rules
- --csharp-enabled-rules / --csharp-disabled-rules
- --dotnet-enabled-rules / --dotnet-disabled-rules
- --c-enabled-rules / --c-disabled-rules
- --cpp-enabled-rules / --cpp-disabled-rules
- --kotlin-enabled-rules / --kotlin-disabled-rules
- --scala-enabled-rules / --scala-disabled-rules
- --swift-enabled-rules / --swift-disabled-rules
- --rust-enabled-rules / --rust-disabled-rules
- --elixir-enabled-rules / --elixir-disabled-rules
CLI Option: --sast-ignore-overrides
Comma-separated list of SAST ignore overrides in rule_id or rule_id:path format.
Environment Variable: INPUT_SAST_IGNORE_OVERRIDES
Examples:
```bash
# Ignore a rule everywhere in the repo
socket-basics --javascript --sast-ignore-overrides "js-sql-injection"
# Ignore a rule only for one exact repo-relative file
socket-basics --javascript --sast-ignore-overrides "js-sql-injection:index.js"
# Mix rule-only and rule+path overrides in one comma-separated list
socket-basics --javascript --sast-ignore-overrides "js-express-async-no-error-handler,js-sql-injection:index.js,js-missing-helmet"
```
Notes:
- Paths must be exact repo-relative paths.
- Paths are normalized to forward-slash form, so Windows-style input such as src\unsafe\demo.js is accepted.
- Globs and directory-prefix matching are not supported in this first version.
- A rule_id:path entry uses exact rule_id AND path matching. A bad path does not degrade into a rule-only ignore.
- If the configured path does not exist under the current workspace, Socket Basics logs a warning to help catch typos or paths copied from another repo.
- If the same rule is also disabled via <language>-disabled-rules or dashboard policy, that broader ignore still applies across the repo.
- Ignored alerts in .socket.facts.json include actionReason so you can distinguish sast_ignore_override from disabled_rule.
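To make the override and disabled-rule semantics above concrete, here is an added Python sketch (not Socket Basics' own code) that parses a --sast-ignore-overrides value and decides, per finding, whether it is reported or ignored and with which actionReason. The function names, the Finding type and the assumption that a repo-wide disabled rule is reported as disabled_rule even when a rule:path override also matches are mine; the workspace and findings are constructed sample data mirroring the CLI examples.

```python
"""Sketch of SAST ignore handling (added example, not Socket Basics code)."""
import logging
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

log = logging.getLogger("sast-ignore")


def normalize_path(path: str) -> str:
    """Accept Windows-style input; compare in exact forward-slash, repo-relative form."""
    rel = path.strip().replace("\\", "/")
    return rel[2:] if rel.startswith("./") else rel


def parse_ignore_overrides(raw: str, workspace: str) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Split a --sast-ignore-overrides value into rule-only and rule+path ignores.

    A rule_id:path entry is kept as an exact (rule, path) pair even when the path
    is missing: it is never downgraded to a repo-wide ignore, only warned about.
    No globs or directory prefixes are honoured.
    """
    rule_only: Set[str] = set()
    rule_path: Set[Tuple[str, str]] = set()
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        rule_id, sep, path = entry.partition(":")
        if not sep:
            rule_only.add(rule_id)
            continue
        rel = normalize_path(path)
        if not os.path.exists(os.path.join(workspace, rel)):
            log.warning("ignore override %s:%s points at a path not found in the workspace", rule_id, rel)
        rule_path.add((rule_id, rel))
    return rule_only, rule_path


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str       # repo-relative, as OpenGrep reports it
    language: str   # which --<language>-disabled-rules list applies


def action_reason(finding: Finding, disabled_rules: Dict[str, Set[str]],
                  rule_only: Set[str], rule_path: Set[Tuple[str, str]]) -> Optional[str]:
    """Return the actionReason for an ignored alert, or None to report it.

    ASSUMPTION: when both apply, the broader repo-wide disabled_rule reason wins.
    """
    if finding.rule_id in disabled_rules.get(finding.language, set()):
        return "disabled_rule"
    if finding.rule_id in rule_only or (finding.rule_id, normalize_path(finding.path)) in rule_path:
        return "sast_ignore_override"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed workspace and findings mirroring the CLI examples on this page."""
    with tempfile.TemporaryDirectory() as ws:
        os.makedirs(os.path.join(ws, "src"))
        for name in ("index.js", "src/other.js"):
            open(os.path.join(ws, name), "w", encoding="utf-8").close()
        rule_only, rule_path = parse_ignore_overrides(
            "js-express-async-no-error-handler,js-sql-injection:index.js,js-missing-helmet:src\\nope.js", ws)
        disabled = {"javascript": {"console-log"}}   # from --javascript-disabled-rules "console-log"
        findings = [
            Finding("js-sql-injection", "index.js", "javascript"),                    # exact path match
            Finding("js-sql-injection", "src/other.js", "javascript"),                # other file: reported
            Finding("js-express-async-no-error-handler", "src/other.js", "javascript"),  # rule-only ignore
            Finding("js-missing-helmet", "src/other.js", "javascript"),               # bad path never widens
            Finding("console-log", "index.js", "javascript"),                         # disabled repo-wide
        ]
        return {f"{f.rule_id}@{f.path}": action_reason(f, disabled, rule_only, rule_path) for f in findings}


if __name__ == "__main__":
    for key, reason in demo().items():
        print(f"{key}: {reason or 'reported'}")
```

The js-missing-helmet:src\nope.js entry is the case to watch: the path does not exist, so a warning is logged, but the finding in src/other.js is still reported because the entry stays an exact (rule, path) pair instead of silently becoming a repo-wide ignore.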
CLI Option: --opengrep-notify
Notification method for OpenGrep SAST results (e.g., console, slack).
Example:
```bash
socket-basics --python --opengrep-notify console
```

Secret Scanning

CLI Option: --secrets
Enable secret scanning using TruffleHog.
Example:
```bash
socket-basics --secrets
```

CLI Option: --disable-secrets
Disable all secret scanning features.
Example:
```bash
socket-basics --disable-secrets
```

CLI Option: --exclude-dir
Comma-separated list of directories to exclude from secret scanning.
Example:
```bash
socket-basics --secrets --exclude-dir "node_modules,vendor,dist,.git"
```

CLI Option: --trufflehog-notify
Notification method for TruffleHog secret scanning results.
Example:
```bash
socket-basics --secrets --trufflehog-notify slack
```

CLI Option: --show-unverified
Show unverified secrets in TruffleHog results (by default only verified secrets are shown). A verified secret is one TruffleHog was able to confirm as live against the provider; unverified results also include revoked keys, test fixtures and plain pattern matches, so expect more noise when enabling this.
Example:
```bash
socket-basics --secrets --show-unverified
```
socket-basics --secrets --show-unverifiedNote
These parameters remain part of the Socket Basics interface for container scanning. In the current pre-built GitHub Action and Docker image paths, Socket Basics currently ships without Trivy while we evaluate the safest way to bundle it with Basics again. The parameters still apply for the native installation path as a temporary workaround, and for future container scanner support in the pre-built paths. Review the upstream install path and artifacts carefully before adopting that workaround in production CI. See Trivy (Container Scanning) for the current version guidance and installation options.
CLI Option: --images
Comma-separated list of container images to scan (auto-enables image scanning).
Example:
```bash
socket-basics --images "nginx:1.27.4,redis:7.4,postgres:15.8"
```

CLI Option: --dockerfiles
Comma-separated list of Dockerfiles to scan (auto-enables Dockerfile scanning).
Example:
```bash
socket-basics --dockerfiles "Dockerfile,docker/Dockerfile.prod"
```

CLI Option: --trivy-notify
Notification method for Trivy container scanning results.
Example:
```bash
socket-basics --images "nginx:1.27.4" --trivy-notify console
```

CLI Option: --trivy-disabled-rules
Comma-separated list of Trivy rules to disable.
Example:
```bash
socket-basics --images "nginx:1.27.4" --trivy-disabled-rules "CVE-2023-1234,CVE-2023-5678"
```

CLI Option: --trivy-image-scanning-disabled
Disable Trivy image scanning.
Example:
```bash
socket-basics --trivy-image-scanning-disabled
```

CLI Option: --trivy-vuln-enabled
Enable Trivy vulnerability scanning for all supported language ecosystems.
Example:
```bash
socket-basics --trivy-vuln-enabled
```

Socket Integration

CLI Option: --socket-tier1
Enable Socket Tier 1 reachability analysis for dependency scanning.
Example:
```bash
socket-basics --socket-tier1
```

CLI Option: --socket-additional-params
Additional CLI params for 'socket scan reach' (comma or space separated).
Example:
```bash
socket-basics --socket-tier1 --socket-additional-params "--view=full,--all"
```

Notification Options

Every integration below accepts its settings from environment variables as well as CLI options. Prefer the environment variables for tokens and webhook URLs: values passed on the command line are visible in process listings and shell history.

Slack
CLI Option: --slack-webhook-url SLACK_WEBHOOK_URL
Environment Variables: SLACK_WEBHOOK_URL, INPUT_SLACK_WEBHOOK_URL
Example:
```bash
socket-basics --slack-webhook-url "https://hooks.slack.com/services/T00/B00/XXXX"
```

Webhook
CLI Option: --webhook-url WEBHOOK_URL
Environment Variable: WEBHOOK_URL
Example:
```bash
socket-basics --webhook-url "https://api.example.com/webhook"
```

Microsoft Sentinel
CLI Options:
- --ms-sentinel-workspace-id MS_SENTINEL_WORKSPACE_ID
- --ms-sentinel-key MS_SENTINEL_KEY
Environment Variables:
- MS_SENTINEL_WORKSPACE_ID, INPUT_MS_SENTINEL_WORKSPACE_ID
- MS_SENTINEL_SHARED_KEY, INPUT_MS_SENTINEL_SHARED_KEY
Example:
```bash
socket-basics --ms-sentinel-workspace-id "your-id" --ms-sentinel-key "your-key"
```

Sumo Logic
CLI Option: --sumologic-endpoint SUMOLOGIC_ENDPOINT
Environment Variables: SUMOLOGIC_ENDPOINT, INPUT_SUMOLOGIC_ENDPOINT, SUMO_LOGIC_HTTP_SOURCE_URL
Example:
```bash
socket-basics --sumologic-endpoint "https://endpoint.sumologic.com/..."
```

Jira
CLI Options:
- --jira-url JIRA_URL
- --jira-project JIRA_PROJECT
- --jira-email JIRA_EMAIL
- --jira-api-token JIRA_API_TOKEN
Environment Variables:
- JIRA_URL, INPUT_JIRA_URL
- JIRA_PROJECT, INPUT_JIRA_PROJECT
- JIRA_EMAIL, INPUT_JIRA_EMAIL
- JIRA_API_TOKEN, INPUT_JIRA_API_TOKEN
Example:
```bash
socket-basics \
  --jira-url "https://your-org.atlassian.net" \
  --jira-project "SEC" \
  --jira-email "you@example.com" \
  --jira-api-token "your-token"
```
Local Verification (No Jira API Calls)
Use the helper script to confirm that dashboard/env Jira settings are wired into the notifier:
```bash
./venv/bin/python scripts/verify_jira_dashboard_config.py
```
Notes:
- The script only loads config and inspects notifier parameters; it does not contact Jira.
- It requires SOCKET_SECURITY_API_KEY (and usually SOCKET_ORG) to fetch dashboard config.
- You can use INPUT_JIRA_* env vars to simulate dashboard values.

GitHub
CLI Options:
- --github-token GITHUB_TOKEN
- --github-api-url GITHUB_API_URL
Environment Variables:
- GITHUB_TOKEN, INPUT_GITHUB_TOKEN
- GITHUB_API_URL (optional, defaults to the public GitHub API)
Example:
```bash
socket-basics --github-token "ghp_your_token"
```

Microsoft Teams
CLI Option: --msteams-webhook-url MSTEAMS_WEBHOOK_URL
Environment Variables: MSTEAMS_WEBHOOK_URL, INPUT_MSTEAMS_WEBHOOK_URL
Example:
```bash
socket-basics --msteams-webhook-url "https://outlook.office.com/webhook/..."
```

Environment Variables

Socket credentials:

| Variable | Aliases | Description |
|---|---|---|
| SOCKET_SECURITY_API_KEY | SOCKET_API_KEY, SOCKET_SECURITY_API_TOKEN, INPUT_SOCKET_SECURITY_API_KEY, INPUT_SOCKET_API_KEY | Socket Security API key |
| SOCKET_ORG | SOCKET_ORG_SLUG, INPUT_SOCKET_ORG | Socket organization slug |
GitHub context:

| Variable | Aliases | Description |
|---|---|---|
| GITHUB_TOKEN | INPUT_GITHUB_TOKEN | GitHub token for API access and PR comments |
| GITHUB_REPOSITORY | INPUT_GITHUB_REPOSITORY | Repository name (owner/repo) |
| GITHUB_PR_NUMBER | INPUT_PR_NUMBER | Pull request number |
| GITHUB_WORKSPACE | - | Workspace directory (auto-set in GitHub Actions) |
| GITHUB_ACTOR | - | GitHub username who triggered the action |
| GITHUB_HEAD_REF | - | Source branch for pull request |
| GITHUB_SHA | - | Commit SHA |
| GITHUB_REF_NAME | - | Branch or tag name |
| GITHUB_EVENT_PATH | - | Path to event payload file |
Scan options:

| Variable | Description |
|---|---|
| OUTPUT_DIR | Directory for output files (default: current directory) |
| INPUT_SCAN_ALL | Set to 'true' to scan all files |
| INPUT_SCAN_FILES | Comma-separated list of files to scan |
| INPUT_CONSOLE_TABULAR_ENABLED | Enable tabular console output |
| INPUT_VERBOSE | Enable verbose logging |
S3 upload:

| Variable | Description |
|---|---|
| SOCKET_S3_ENABLED | Set to 'true', '1', or 'yes' to enable S3 upload |
| SOCKET_S3_BUCKET | S3 bucket name |
| SOCKET_S3_REGION | S3 bucket region |
| SOCKET_S3_ACCESS_KEY_ID | AWS access key ID |
| SOCKET_S3_SECRET_ACCESS_KEY | AWS secret access key |
All notification integrations support environment variables as alternatives to CLI options. See Notification Options for details.
SAST rules:

| Variable | Description |
|---|---|
| INPUT_OPENGREP_RULES_DIR | Override directory for bundled OpenGrep rule files (*.yml) |
| INPUT_USE_CUSTOM_SAST_RULES | Enable repository custom SAST rules |
| INPUT_CUSTOM_SAST_RULE_PATH | Relative directory path for repository custom SAST rules |
| INPUT_SAST_IGNORE_OVERRIDES | Comma-separated rule_id or rule_id:path SAST ignore overrides |
Configuration File

You can provide configuration via a JSON file using --config. The example below carries credentials (socket_api_key, github_token, slack_webhook_url); keep such a file out of version control and restrict its file permissions, or supply those values through the environment variables listed above instead:
```json
{
"workspace": "/path/to/project",
"output": "security-scan.json",
"console_tabular_enabled": true,
"verbose": false,
"python_sast_enabled": true,
"javascript_sast_enabled": true,
"use_custom_sast_rules": true,
"custom_sast_rule_path": ".socket/rules",
"go_sast_enabled": true,
"sast_ignore_overrides": "js-sql-injection:index.js",
"secrets_enabled": true,
"trufflehog_exclude_dir": "node_modules,vendor,dist,.git",
"show_unverified": false,
"socket_tier_1_enabled": true,
"socket_org": "your-org-slug",
"socket_api_key": "scrt_your_api_key",
"images": "nginx:1.27.4,redis:7.4",
"trivy_vuln_enabled": true,
"slack_webhook_url": "https://hooks.slack.com/services/T00/B00/XXXX",
"github_token": "ghp_your_token"
}
```
Configuration is merged in the following order (later sources override earlier ones):
1. Default values
2. Environment variables
3. Socket Basics API configuration (when available and no --config file is used)
4. JSON configuration file (via --config)
5. Command-line arguments
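The following Python sketch is an added illustration of that precedence order, not Socket Basics' own code: it models the layers as dicts, applies the rule that the dashboard/API layer is consulted only when no --config file is given, and shows why unset CLI flags must not carry a default. Only a handful of flags are modelled, the config key names follow the JSON example above, and the env and API layers are passed in already parsed (no env-variable name mapping is assumed).

```python
"""Sketch of the documented config precedence (added example, not Socket Basics code)."""
import argparse
from typing import Any, Dict, List, Optional

Layer = Dict[str, Any]


def cli_layer(argv: List[str]) -> Layer:
    """Parse a subset of the CLI into config keys named as in the JSON example.

    argument_default=SUPPRESS is the important detail: a flag that was not
    passed must not appear at all, otherwise its False default would override
    every lower layer. ASSUMPTION: only a handful of flags are modelled here.
    """
    parser = argparse.ArgumentParser(prog="socket-basics", argument_default=argparse.SUPPRESS)
    parser.add_argument("--python", dest="python_sast_enabled", action="store_true")
    parser.add_argument("--javascript", dest="javascript_sast_enabled", action="store_true")
    parser.add_argument("--go", "--golang", dest="go_sast_enabled", action="store_true")
    parser.add_argument("--secrets", dest="secrets_enabled", action="store_true")
    parser.add_argument("--verbose", action="store_true")
    parser.add_argument("--workspace")
    parser.add_argument("--output")
    return vars(parser.parse_args(argv))


def merge_config(defaults: Layer, env: Layer, api: Optional[Layer],
                 json_file: Optional[Layer], cli: Layer) -> Layer:
    """Apply layers lowest to highest: defaults, env, API *or* --config file, CLI.

    The dashboard/API layer is consulted only when no --config file is given,
    which is why the JSON layer replaces it rather than stacking on top of it.
    """
    layers: List[Layer] = [defaults, env]
    if json_file is not None:
        layers.append(json_file)
    elif api is not None:
        layers.append(api)
    layers.append(cli)
    merged: Layer = {}
    for layer in layers:
        merged.update({k: v for k, v in layer.items() if v is not None})
    return merged


def demo() -> Dict[str, Layer]:
    """The page's own scenario: env enables Python, the dashboard disables it, CLI adds JavaScript."""
    defaults = {"python_sast_enabled": False, "javascript_sast_enabled": False, "verbose": False}
    env = {"python_sast_enabled": True}          # e.g. exported in the CI job
    api = {"python_sast_enabled": False}         # dashboard policy
    cli = cli_layer(["--javascript"])
    return {
        # no --config: the API layer wins over env, CLI wins over everything
        "dashboard": merge_config(defaults, env, api, None, cli),
        # --config given: the API layer is skipped and the file is applied instead
        "config_file": merge_config(defaults, env, api, {"python_sast_enabled": True, "verbose": True}, cli),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() gives python_sast_enabled=False and javascript_sast_enabled=True in the "dashboard" scenario, exactly the result the page's example describes; with a --config file in play Python follows the file instead, because the dashboard/API layer is never read.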
Example of the merge order:
```bash
# Environment sets python_sast_enabled=true
# Dashboard/API sets python_sast_enabled=false
# CLI passes --javascript
# Result: JavaScript enabled; Python follows the dashboard/API value (disabled); other settings come from env/API
socket-basics --javascript
```

Basic scan (Python and JavaScript SAST plus secret scanning, tabular console output):
```bash
socket-basics \
  --workspace /path/to/project \
  --python \
  --javascript \
  --secrets \
  --console-tabular-enabled
```

Full scan (all languages, secrets, Tier 1 reachability and a container image, verbose logging):
```bash
socket-basics \
  --workspace /path/to/project \
  --all-languages \
  --secrets \
  --socket-tier1 \
  --images "myapp:1.0.0" \
  --console-tabular-enabled \
  --verbose
```

Scan with Slack and GitHub notifications:
```bash
socket-basics \
  --workspace /path/to/project \
  --python \
  --secrets \
  --slack-webhook-url "https://hooks.slack.com/..." \
  --github-token "ghp_..."
```

Pull-request scoped scan. Scope every scanner, SAST/OpenGrep included, to only the files the PR changed, so each PR reports findings for its own changes rather than the whole repo:
```bash
socket-basics \
  --changed-files auto \
  --python \
  --javascript \
  --secrets \
  --console-json-enabled
```

Container image and Dockerfile scan:
```bash
socket-basics \
  --images "nginx:1.27.4,postgres:15.8" \
  --dockerfiles "Dockerfile" \
  --trivy-vuln-enabled \
  --console-tabular-enabled
```
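As an added illustration of the --changed-files modes used in the pull-request scoped scan above (and described under Core Options), the Python sketch below is not Socket Basics' own code. The git invocations are my assumption of one reasonable implementation of the auto, pr, current-commit and commit-hash modes; resolve_scan_targets applies the documented rules: deleted paths never become targets, Windows separators are normalized, and an empty result means "skip the scanners", never "scan the whole repository". The workspace in demo() is constructed sample data.

```python
"""Sketch of --changed-files resolution (added example, not Socket Basics code)."""
import os
import subprocess
import tempfile
from typing import Iterable, List, Optional

DIFF_FLAGS = ["--name-only", "--diff-filter=d"]  # lower-case d: exclude deleted paths


def git_changed_paths(mode: str, workspace: str = ".") -> List[str]:
    """Return changed paths for one documented mode.

    ASSUMPTION: these git invocations are one plausible implementation; the
    real tool may differ. pr/auto need the base branch locally, which is why
    the page asks for actions/checkout with fetch-depth: 0.
    """
    base_ref = os.environ.get("GITHUB_BASE_REF")
    if mode == "pr" or (mode == "auto" and base_ref):
        if not base_ref:
            raise ValueError("pr mode requires GITHUB_BASE_REF")
        args = ["diff", *DIFF_FLAGS, f"origin/{base_ref}...HEAD"]   # merge-base to HEAD
    elif mode == "auto":                                             # not in a PR: staged changes
        args = ["diff", *DIFF_FLAGS, "--cached"]
    elif mode == "current-commit":
        args = ["diff-tree", "--no-commit-id", "-r", *DIFF_FLAGS, "HEAD"]
    else:                                                            # treated as a commit hash
        args = ["diff-tree", "--no-commit-id", "-r", *DIFF_FLAGS, mode]
    proc = subprocess.run(["git", *args], cwd=workspace, check=True,
                          capture_output=True, text=True)
    return [line for line in proc.stdout.splitlines() if line.strip()]


def candidate_paths(value: str, workspace: str) -> List[str]:
    """A comma-separated value is an explicit file list; anything else goes to git.

    ASSUMPTION: a single bare path (no comma) is ambiguous with a commit hash
    and is not special-cased in this sketch.
    """
    if "," in value:
        return value.split(",")
    return git_changed_paths(value, workspace)


def resolve_scan_targets(candidates: Iterable[str], workspace: str) -> Optional[List[str]]:
    """Keep only paths that exist under the workspace, in forward-slash form.

    Returns None when nothing survives (e.g. a delete-only PR); the caller must
    then skip the scanners instead of falling back to the whole repository.
    """
    targets: List[str] = []
    for raw in candidates:
        rel = raw.strip().replace("\\", "/")
        if rel and os.path.isfile(os.path.join(workspace, rel)):
            targets.append(rel)
    return targets or None


def demo() -> dict:
    """Exercise the filter on a constructed throwaway workspace (no git needed)."""
    with tempfile.TemporaryDirectory() as ws:
        os.makedirs(os.path.join(ws, "src"))
        for name in ("src/app.py", "src/utils.js"):
            with open(os.path.join(ws, name), "w", encoding="utf-8") as fh:
                fh.write("# sample file\n")
        return {
            # deleted.py is gone from disk, src\utils.js is Windows-style input
            "mixed": resolve_scan_targets(candidate_paths("src/app.py,deleted.py,src\\utils.js", ws), ws),
            # a delete-only diff leaves nothing to scan: None, not "everything"
            "delete_only": resolve_scan_targets(["deleted.py"], ws),
        }


if __name__ == "__main__":
    print(demo())
```

The two layers of deletion handling are deliberate: --diff-filter=d keeps removed paths out of the git output, and the existence check in resolve_scan_targets catches anything that slipped through (a stale explicit list, a file removed after the diff was computed), so a scanner is never handed a path that no longer exists.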