Merge main into mucha-dev-gitlab-security-output (using main versions)

Author: dacoburn

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.2.64
+
+- Included PyPy in the Docker image.
+
 ## 2.2.57
 
 - Fixed Dockerfile to set `GOROOT` to `/usr/lib/go` when using system Go (`GO_VERSION=system`) instead of always using `/usr/local/go`.

Dockerfile

@@ -58,6 +58,22 @@ RUN if [ "$DOTNET_VERSION" = "6" ]; then \
         echo "Unsupported .NET version: $DOTNET_VERSION. Supported: 6, 8" && exit 1; \
     fi
 
+# Install PyPy (Alpine-compatible build for x86_64 only)
+# PyPy is an alternative Python interpreter that makes the Python reachability analysis faster.
+# This is a custom build of PyPy3.11 for Alpine on x86-64.
+ARG TARGETARCH  # Passed by Docker buildx
+RUN if [ "$TARGETARCH" = "amd64" ]; then \
+        PYPY_URL="https://github.com/BarrensZeppelin/alpine-pypy/releases/download/alp3.23.1-pypy3.11-7.3.20/pypy3.11-v7.3.20-linux64-alpine3.21.tar.bz2" && \
+        PYPY_SHA256="60847fea6ffe96f10a3cd4b703686e944bb4fbcc01b7200c044088dd228425e1" && \
+        curl -L -o /tmp/pypy.tar.bz2 "$PYPY_URL" && \
+        echo "$PYPY_SHA256  /tmp/pypy.tar.bz2" | sha256sum -c - && \
+        mkdir -p /opt/pypy && \
+        tar -xj --strip-components=1 -C /opt/pypy -f /tmp/pypy.tar.bz2 && \
+        rm /tmp/pypy.tar.bz2 && \
+        ln -s /opt/pypy/bin/pypy3 /bin/pypy3 && \
+        pypy3 --version; \
+    fi
+
 # Install additional tools
 RUN npm install @coana-tech/cli socket -g && \
     gem install bundler && \
@@ -104,4 +120,4 @@ RUN mkdir -p /go/src && chmod -R 777 /go
 COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

README.md

@@ -222,6 +222,7 @@ The CLI will automatically install @coana-tech/cli if not present. Use `--reach`
 |:-------------------------|:---------|:--------|:----------------------------------------------------------------------|
 | --ignore-commit-files    | False    | False   | Ignore commit files                                                   |
 | --disable-blocking       | False    | False   | Disable blocking mode                                                 |
+| --strict-blocking        | False    | False   | Fail on ANY security policy violations (blocking severity), not just new ones. Only works in diff mode. See [Strict Blocking Mode](#strict-blocking-mode) for details. |
 | --enable-diff            | False    | False   | Enable diff mode even when using --integration api (forces diff mode without SCM integration) |
 | --scm                    | False    | api     | Source control management type                                        |
 | --timeout                | False    |         | Timeout in seconds for API requests                                   |
@@ -357,6 +358,99 @@ Bot mode (`bot_configs` array items):
 - `alert_types` (array, optional): Only send specific alert types
 - `reachability_alerts_only` (boolean, default: false): Only send reachable vulnerabilities when using `--reach`
 
+## Strict Blocking Mode
+
+The `--strict-blocking` flag enforces a zero-tolerance security policy by failing builds when **ANY** security violations with blocking severity exist, not just new ones introduced in the current changes.
+
+### Standard vs Strict Blocking Behavior
+
+**Standard Behavior (Default)**:
+- ✅ Passes if no NEW violations are introduced
+- ❌ Fails only on NEW violations from your changes
+- 🟡 Existing violations are ignored
+
+**Strict Blocking Behavior (`--strict-blocking`)**:
+- ✅ Passes only if NO violations exist (new or existing)
+- ❌ Fails on ANY violation (new OR existing)
+- 🔴 Enforces zero-tolerance policy
+
+### Usage Examples
+
+**Basic strict blocking:**
+```bash
+socketcli --target-path ./my-project --strict-blocking
+```
+
+**In GitLab CI:**
+```bash
+socketcli --target-path $CI_PROJECT_DIR --scm gitlab --pr-number ${CI_MERGE_REQUEST_IID:-0} --strict-blocking
+```
+
+**In GitHub Actions:**
+```bash
+socketcli --target-path $GITHUB_WORKSPACE --scm github --pr-number $PR_NUMBER --strict-blocking
+```
+
+### Output Differences
+
+**Standard scan output:**
+```
+Security issues detected by Socket Security:
+  - NEW blocking issues: 2
+  - NEW warning issues: 1
+```
+
+**Strict blocking scan output:**
+```
+Security issues detected by Socket Security:
+  - NEW blocking issues: 2
+  - NEW warning issues: 1
+  - EXISTING blocking issues: 5 (causing failure due to --strict-blocking)
+  - EXISTING warning issues: 3
+```
+
+### Use Cases
+
+1. **Zero-Tolerance Security Policy**: Enforce that no security violations exist in your codebase at any time
+2. **Gradual Security Improvement**: Use alongside standard scans to monitor existing violations while blocking new ones
+3. **Protected Branch Enforcement**: Require all violations to be resolved before merging to main/production
+4. **Security Audits**: Scheduled scans that fail if any violations accumulate
+
+### Important Notes
+
+- **Diff Mode Only**: The flag only works in diff mode (with SCM integration). In API mode, a warning is logged.
+- **Error-Level Only**: Only fails on `error=True` alerts (blocking severity), not warnings.
+- **Priority**: `--disable-blocking` takes precedence - if both flags are set, the build will always pass.
+- **First Scan**: On the very first scan of a repository, there are no "existing" violations, so behavior is identical to standard mode.
+
+### Flag Combinations
+
+**Strict blocking with debugging:**
+```bash
+socketcli --strict-blocking --enable-debug
+```
+
+**Strict blocking with JSON output:**
+```bash
+socketcli --strict-blocking --enable-json > security-report.json
+```
+
+**Override for testing** (passes even with violations):
+```bash
+socketcli --strict-blocking --disable-blocking
+```
+
+### Migration Strategy
+
+**Phase 1: Assessment** - Add strict scan with `allow_failure: true` in CI
+**Phase 2: Remediation** - Fix or triage all violations
+**Phase 3: Enforcement** - Set `allow_failure: false` to block merges
+
+For complete GitLab CI/CD examples, see:
+- [`.gitlab-ci-strict-blocking-demo.yml`](.gitlab-ci-strict-blocking-demo.yml) - Comprehensive demo
+- [`.gitlab-ci-strict-blocking-production.yml`](.gitlab-ci-strict-blocking-production.yml) - Production-ready template
+- [`STRICT-BLOCKING-GITLAB-CI.md`](STRICT-BLOCKING-GITLAB-CI.md) - Full documentation
+
 ## Automatic Git Detection
 
 The CLI now automatically detects repository information from your git environment, significantly simplifying usage in CI/CD pipelines:

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.3.0"
+version = "2.2.66"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.3.0'
+__version__ = '2.2.66'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

socketsecurity/config.py

@@ -47,6 +47,7 @@ class CliConfig:
     files: str = None
     ignore_commit_files: bool = False
     disable_blocking: bool = False
+    strict_blocking: bool = False
     integration_type: IntegrationType = "api"
     integration_org_slug: Optional[str] = None
     pending_head: bool = False
@@ -127,6 +128,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'files': args.files,
             'ignore_commit_files': args.ignore_commit_files,
             'disable_blocking': args.disable_blocking,
+            'strict_blocking': args.strict_blocking,
             'integration_type': args.integration,
             'pending_head': args.pending_head,
             'timeout': args.timeout,
@@ -540,6 +542,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help=argparse.SUPPRESS
     )
+    advanced_group.add_argument(
+        "--strict-blocking",
+        dest="strict_blocking",
+        action="store_true",
+        help="Fail on ANY security policy violations (blocking severity), not just new ones. Only works in diff mode."
+    )
     advanced_group.add_argument(
         "--enable-diff",
         dest="enable_diff",

socketsecurity/core/__init__.py

@@ -1091,7 +1091,13 @@ def create_new_diff(
             packages
         ) = self.get_added_and_removed_packages(head_full_scan_id, new_full_scan.id)
 
-        diff = self.create_diff_report(added_packages, removed_packages)
+        # Separate unchanged packages from added/removed for --strict-blocking support
+        unchanged_packages = {
+            pkg_id: pkg for pkg_id, pkg in packages.items()
+            if pkg_id not in added_packages and pkg_id not in removed_packages
+        }
+
+        diff = self.create_diff_report(added_packages, removed_packages, unchanged_packages)
         diff.packages = packages
 
         base_socket = "https://socket.dev/dashboard/org"
@@ -1114,6 +1120,7 @@ def create_diff_report(
         self,
         added_packages: Dict[str, Package],
         removed_packages: Dict[str, Package],
+        unchanged_packages: Optional[Dict[str, Package]] = None,
         direct_only: bool = True
     ) -> Diff:
         """
@@ -1123,10 +1130,12 @@ def create_diff_report(
         1. Records new/removed packages (direct only by default)
         2. Collects alerts from both sets of packages
         3. Determines new capabilities introduced
+        4. Optionally collects alerts from unchanged packages for --strict-blocking
 
         Args:
             added_packages: Dict of packages added in new scan
             removed_packages: Dict of packages removed in new scan
+            unchanged_packages: Dict of packages that didn't change (for --strict-blocking)
             direct_only: If True, only direct dependencies are included in new/removed lists
                         (but alerts are still processed for all packages)
 
@@ -1137,6 +1146,7 @@ def create_diff_report(
 
         alerts_in_added_packages: Dict[str, List[Issue]] = {}
         alerts_in_removed_packages: Dict[str, List[Issue]] = {}
+        alerts_in_unchanged_packages: Dict[str, List[Issue]] = {}
 
         seen_new_packages = set()
         seen_removed_packages = set()
@@ -1169,11 +1179,34 @@ def create_diff_report(
                 packages=removed_packages
             )
 
+        # Process unchanged packages for --strict-blocking support
+        if unchanged_packages:
+            for package_id, package in unchanged_packages.items():
+                # Skip packages that are in added or removed (they're already processed)
+                if package_id in added_packages or package_id in removed_packages:
+                    continue
+
+                self.add_package_alerts_to_collection(
+                    package=package,
+                    alerts_collection=alerts_in_unchanged_packages,
+                    packages=unchanged_packages
+                )
+
         diff.new_alerts = Core.get_new_alerts(
             alerts_in_added_packages,
             alerts_in_removed_packages
         )
 
+        # Get unchanged alerts (for --strict-blocking mode)
+        diff.unchanged_alerts = Core.get_unchanged_alerts(
+            alerts_in_unchanged_packages
+        )
+
+        # Get removed alerts (for completeness)
+        diff.removed_alerts = Core.get_removed_alerts(
+            alerts_in_removed_packages
+        )
+
         diff.new_capabilities = Core.get_capabilities_for_added_packages(added_packages)
 
         Core.add_purl_capabilities(diff)
@@ -1433,3 +1466,62 @@ def get_new_alerts(
                             consolidated_alerts.add(alert_str)
 
         return alerts
+
+    @staticmethod
+    def get_unchanged_alerts(
+        unchanged_package_alerts: Dict[str, List[Issue]]
+    ) -> List[Issue]:
+        """
+        Extract all alerts from unchanged packages that are errors or warnings.
+
+        This is used for --strict-blocking mode to identify existing violations
+        that should cause builds to fail.
+
+        Args:
+            unchanged_package_alerts: Dictionary of alerts from packages that didn't change
+
+        Returns:
+            List of all error/warning alerts from unchanged packages
+        """
+        alerts: List[Issue] = []
+        consolidated_alerts = set()
+
+        for alert_key in unchanged_package_alerts:
+            for alert in unchanged_package_alerts[alert_key]:
+                # Consolidate by package and alert type
+                alert_str = f"{alert.purl},{alert.type}"
+
+                # Only include error or warning alerts
+                if (alert.error or alert.warn) and alert_str not in consolidated_alerts:
+                    alerts.append(alert)
+                    consolidated_alerts.add(alert_str)
+
+        return alerts
+
+    @staticmethod
+    def get_removed_alerts(
+        removed_package_alerts: Dict[str, List[Issue]]
+    ) -> List[Issue]:
+        """
+        Extract all alerts from removed packages.
+
+        This is mainly for informational purposes - to show alerts that were removed.
+
+        Args:
+            removed_package_alerts: Dictionary of alerts from packages that were removed
+
+        Returns:
+            List of all alerts from removed packages
+        """
+        alerts: List[Issue] = []
+        consolidated_alerts = set()
+
+        for alert_key in removed_package_alerts:
+            for alert in removed_package_alerts[alert_key]:
+                alert_str = f"{alert.purl},{alert.type}"
+
+                if alert_str not in consolidated_alerts:
+                    alerts.append(alert)
+                    consolidated_alerts.add(alert_str)
+
+        return alerts

socketsecurity/core/classes.py

@@ -474,6 +474,8 @@ class Diff:
     packages: dict[str, Package]
     new_capabilities: Dict[str, List[str]]
     new_alerts: list[Issue]
+    unchanged_alerts: list[Issue]
+    removed_alerts: list[Issue]
     id: str
     sbom: str
     report_url: str
@@ -490,6 +492,10 @@ def __init__(self, **kwargs):
             self.removed_packages = []
         if not hasattr(self, "new_alerts"):
             self.new_alerts = []
+        if not hasattr(self, "unchanged_alerts"):
+            self.unchanged_alerts = []
+        if not hasattr(self, "removed_alerts"):
+            self.removed_alerts = []
         if not hasattr(self, "new_capabilities"):
             self.new_capabilities = {}
 
@@ -508,6 +514,8 @@ def to_dict(self) -> dict:
             "new_capabilities": self.new_capabilities,
             "removed_packages": [p.to_dict() for p in self.removed_packages],
             "new_alerts": [alert.__dict__ for alert in self.new_alerts],
+            "unchanged_alerts": [alert.__dict__ for alert in self.unchanged_alerts] if hasattr(self, "unchanged_alerts") else [],
+            "removed_alerts": [alert.__dict__ for alert in self.removed_alerts] if hasattr(self, "removed_alerts") else [],
             "id": self.id,
             "sbom": self.sbom if hasattr(self, "sbom") else [],
             "packages": {k: v.to_dict() for k, v in self.packages.items()} if hasattr(self, "packages") else {},