
Commit 55c80a6

authored
feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124) (#1372)
* feat(scan): add --reach-retain-facts-file to keep the reachability report (1.1.124) By default `socket scan create --reach` deletes the `.socket.facts.json` report from the scan directory after a successful scan. The new `--reach-retain-facts-file` flag opts out of that cleanup so the report can be inspected, with a clear warning that the file must be deleted before the next tier 1 scan: a stale facts file is picked up as a pre-generated input and would make those results unreliable. * upgrading coana to version 15.5.4
1 parent feafd78 commit 55c80a6

16 files changed

Lines changed: 57 additions & 9 deletions

CHANGELOG.md

Lines changed: 8 additions & 0 deletions
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
44

55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
66

7+
## [1.1.124](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.124) - 2026-06-19
8+
9+
### Added
10+
- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh tier 1 reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
11+
12+
### Changed
13+
- Updated the Coana CLI to v `15.5.4`.
14+
715
## [1.1.123](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.123) - 2026-06-18
816

917
### Added

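--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "socket",
-"version": "1.1.123",
+"version": "1.1.124",
 "description": "CLI for Socket.dev",
 "homepage": "https://github.com/SocketDev/socket-cli",
 "license": "MIT",
@@ -96,7 +96,7 @@
 "@babel/preset-typescript": "7.27.1",
 "@babel/runtime": "7.28.4",
 "@biomejs/biome": "2.2.4",
-"@coana-tech/cli": "15.5.0",
+"@coana-tech/cli": "15.5.4",
 "@cyclonedx/cdxgen": "12.1.2",
 "@dotenvx/dotenvx": "1.49.0",
 "@eslint/compat": "1.3.2",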

pnpm-lock.yaml

Lines changed: 5 additions & 5 deletions

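--- a/src/commands/ci/handle-ci.mts
+++ b/src/commands/ci/handle-ci.mts
@@ -67,6 +67,7 @@ export async function handleCi(autoManifest: boolean): Promise<void> {
 reachEnableAnalysisSplitting: false,
 reachExcludePaths: [],
 reachLazyMode: false,
+reachRetainFactsFile: false,
 reachSkipCache: false,
 reachUseOnlyPregeneratedSboms: false,
 reachVersion: undefined,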
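Review bot: The new `reachRetainFactsFile: false` entry is hard-coded with no comment saying why the CI path never exposes the opt-out, while the flag description elsewhere in this commit carries the stale-file warning. Because a retained `.socket.facts.json` is picked up as a pre-generated input on the next run (per the commit description), always cleaning up is the right choice for repeated CI runs, and that rationale belongs next to the value: `reachRetainFactsFile: false, // always clean up: a retained facts file would be reused as input by the next CI scan`. The same hard-coded value appears in src/commands/scan/create-scan-from-github.mts and in the makeReachOptions helper of src/commands/scan/exclude-paths.test.mts. The options object and handleCi continue outside the hunk.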

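--- a/src/commands/scan/cmd-scan-create.mts
+++ b/src/commands/scan/cmd-scan-create.mts
@@ -264,6 +264,7 @@ async function run(
 reachDisableExternalToolChecks,
 reachEnableAnalysisSplitting,
 reachLazyMode,
+reachRetainFactsFile,
 reachSkipCache,
 reachUseOnlyPregeneratedSboms,
 reachVersion,
@@ -302,6 +303,7 @@ async function run(
 reachDisableExternalToolChecks: boolean
 reachEnableAnalysisSplitting: boolean
 reachLazyMode: boolean
+reachRetainFactsFile: boolean
 reachSkipCache: boolean
 reachUseOnlyPregeneratedSboms: boolean
 reachVersion: string | undefined
@@ -659,6 +661,7 @@ async function run(
 reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
 reachExcludePaths,
 reachLazyMode: Boolean(reachLazyMode),
+reachRetainFactsFile: Boolean(reachRetainFactsFile),
 reachSkipCache: Boolean(reachSkipCache),
 reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
 reachVersion,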
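Review bot: The stale-file hazard this flag introduces is surfaced only in the `--help` text; none of the three hunks here, nor the matching ones in src/commands/scan/cmd-scan-reach.mts, emits that warning at runtime when `reachRetainFactsFile` is actually true, and the cleanup code path is not in the visible diff, so this may be handled elsewhere in the commit. If it is not, the hunk that builds the options object (`reachRetainFactsFile: Boolean(reachRetainFactsFile),`) is the natural place to also print a one-line warning on stderr when the value is true, telling the user to delete `.socket.facts.json` before the next tier 1 scan, so the message appears on the run that leaves the file behind rather than only when someone reads the help. A user who never reads `--help` otherwise gets a silently unreliable second scan, which is the integrity risk the commit description itself calls out. The run function starts and ends outside the hunks.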

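--- a/src/commands/scan/cmd-scan-create.test.mts
+++ b/src/commands/scan/cmd-scan-create.test.mts
@@ -69,6 +69,7 @@ describe('socket scan create', async () => {
 --reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
 --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
+--reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
 --reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
 --reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
 --reach-version Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.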

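--- a/src/commands/scan/cmd-scan-reach.mts
+++ b/src/commands/scan/cmd-scan-reach.mts
@@ -137,6 +137,7 @@ async function run(
 reachDisableExternalToolChecks,
 reachEnableAnalysisSplitting,
 reachLazyMode,
+reachRetainFactsFile,
 reachSkipCache,
 reachUseOnlyPregeneratedSboms,
 reachVersion,
@@ -161,6 +162,7 @@ async function run(
 reachDisableExternalToolChecks: boolean
 reachEnableAnalysisSplitting: boolean
 reachLazyMode: boolean
+reachRetainFactsFile: boolean
 reachSkipCache: boolean
 reachUseOnlyPregeneratedSboms: boolean
 reachVersion: string | undefined
@@ -292,6 +294,7 @@ async function run(
 reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
 reachExcludePaths,
 reachLazyMode: Boolean(reachLazyMode),
+reachRetainFactsFile: Boolean(reachRetainFactsFile),
 reachSkipCache: Boolean(reachSkipCache),
 reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
 reachVersion,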

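--- a/src/commands/scan/cmd-scan-reach.test.mts
+++ b/src/commands/scan/cmd-scan-reach.test.mts
@@ -51,6 +51,7 @@ describe('socket scan reach', async () => {
 --reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
 --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
+--reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
 --reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
 --reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
 --reach-version Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.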

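--- a/src/commands/scan/create-scan-from-github.mts
+++ b/src/commands/scan/create-scan-from-github.mts
@@ -266,6 +266,7 @@ async function scanOneRepo(
 reachEnableAnalysisSplitting: false,
 reachExcludePaths: [],
 reachLazyMode: false,
+reachRetainFactsFile: false,
 reachSkipCache: false,
 reachUseOnlyPregeneratedSboms: false,
 reachVersion: undefined,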

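--- a/src/commands/scan/exclude-paths.test.mts
+++ b/src/commands/scan/exclude-paths.test.mts
@@ -30,6 +30,7 @@ function makeReachOptions(
 reachEnableAnalysisSplitting: false,
 reachExcludePaths: [],
 reachLazyMode: false,
+reachRetainFactsFile: false,
 reachSkipCache: false,
 reachUseOnlyPregeneratedSboms: false,
 reachVersion: undefined,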
