diff --git a/README.md b/README.md index 98ae8a6..22bb199 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@1.0.10 + uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -112,7 +112,7 @@ Configure scanning policies, notification channels, and rule sets for your entir **Dashboard-Configured (Enterprise):** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -123,7 +123,7 @@ Configure scanning policies, notification channels, and rule sets for your entir **CLI-Configured:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -139,10 +139,10 @@ Configure scanning policies, notification channels, and rule sets for your entir ```bash # Build with version tag -docker build -t socketdev/socket-basics:1.0.10 . +docker build -t socketdev/socket-basics:1.0.11 . # Run scan -docker run --rm -v "$PWD:/workspace" socketdev/socket-basics:1.0.10 \ +docker run --rm -v "$PWD:/workspace" socketdev/socket-basics:1.0.11 \ --workspace /workspace \ --python-sast-enabled \ --secret-scanning-enabled \ diff --git a/docs/github-action.md b/docs/github-action.md index 84f3f05..4c7292e 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -38,7 +38,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@1.0.10 + uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: 
@@ -78,7 +78,7 @@ Include these in your workflow's `jobs..permissions` section. **SAST (Static Analysis):** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} # Enable SAST for specific languages @@ -92,7 +92,7 @@ Include these in your workflow's `jobs..permissions` section. **Secret Scanning:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} secret_scanning_enabled: 'true' @@ -104,7 +104,7 @@ Include these in your workflow's `jobs..permissions` section. **Container Scanning:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} # Scan Docker images (auto-enables container scanning) @@ -115,7 +115,7 @@ Include these in your workflow's `jobs..permissions` section. **Socket Tier 1 Reachability:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_tier_1_enabled: 'true' @@ -124,7 +124,7 @@ Include these in your workflow's `jobs..permissions` section. ### Output Configuration ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} python_sast_enabled: 'true' @@ -154,7 +154,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev **Enable in workflow:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: 
@@ -166,7 +166,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev > **Note:** You can also pass credentials using environment variables instead of the `with:` section: > ```yaml -> - uses: SocketDev/socket-basics@1.0.10 +> - uses: SocketDev/socket-basics@1.0.11 > env: > SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} > with: @@ -184,7 +184,7 @@ All notification integrations require Socket Enterprise. **Slack Notifications:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -196,7 +196,7 @@ All notification integrations require Socket Enterprise. **Jira Issue Creation:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -211,7 +211,7 @@ All notification integrations require Socket Enterprise. **Microsoft Teams:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -223,7 +223,7 @@ All notification integrations require Socket Enterprise. **Generic Webhook:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -235,7 +235,7 @@ All notification integrations require Socket Enterprise. **SIEM Integration:** ```yaml -- uses: SocketDev/socket-basics@1.0.10 +- uses: SocketDev/socket-basics@1.0.11 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} 
@@ -271,7 +271,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@1.0.10 + uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -317,7 +317,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Full Security Scan - uses: SocketDev/socket-basics@1.0.10 + uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -368,10 +368,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build Docker Image - run: docker build -t myapp:1.0.10:${{ github.sha }} . + run: docker build -t myapp:1.0.11:${{ github.sha }} . - name: Scan Container - uses: SocketDev/socket-basics@1.0.10 + uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -404,7 +404,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@1.0.10 + uses: SocketDev/socket-basics@1.0.11 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -497,7 +497,7 @@ env: ```yaml steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - Must be first - - uses: SocketDev/socket-basics@1.0.10 + - uses: SocketDev/socket-basics@1.0.11 ``` ### PR Comments Not Appearing diff --git a/docs/local-install-docker.md b/docs/local-install-docker.md index 487fa6f..03343c7 100644 --- a/docs/local-install-docker.md +++ b/docs/local-install-docker.md 
@@ -17,7 +17,7 @@ Run Socket Basics locally using Docker without installing any security tools on # 1. Clone and build git clone https://github.com/SocketDev/socket-basics.git cd socket-basics -docker build -t socket-basics:1.0.10 . +docker build -t socket-basics:1.0.11 . # 2. Create .env file with your credentials cat > .env << 'EOF' @@ -29,7 +29,7 @@ EOF docker run --rm \ -v "$PWD:/workspace" \ --env-file .env \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --python \ --secrets \ @@ -46,10 +46,10 @@ git clone https://github.com/SocketDev/socket-basics.git cd socket-basics # Build with version tag -docker build -t socket-basics:1.0.10 . +docker build -t socket-basics:1.0.11 . # Or build with latest tag -docker build -t socket-basics:1.0.10:latest . +docker build -t socket-basics:1.0.11:latest . # Verify the build docker images | grep socket-basics @@ -59,21 +59,21 @@ docker images | grep socket-basics ```bash # Use your own image name -docker build -t myorg/security-scanner:1.0.10 . +docker build -t myorg/security-scanner:1.0.11 . # Build for specific platform (e.g., for M1/M2 Macs) -docker build --platform linux/amd64 -t socket-basics:1.0.10 . +docker build --platform linux/amd64 -t socket-basics:1.0.11 . ``` ### Verify Installation ```bash # Check that all tools are available in the container -docker run --rm socket-basics:1.0.10 socket-basics --version -docker run --rm socket-basics:1.0.10 socket --version -docker run --rm socket-basics:1.0.10 trivy --version -docker run --rm socket-basics:1.0.10 semgrep --version -docker run --rm socket-basics:1.0.10 trufflehog --version +docker run --rm socket-basics:1.0.11 socket-basics --version +docker run --rm socket-basics:1.0.11 socket --version +docker run --rm socket-basics:1.0.11 trivy --version +docker run --rm socket-basics:1.0.11 semgrep --version +docker run --rm socket-basics:1.0.11 trufflehog --version ``` ## Running Scans 
@@ -86,7 +86,7 @@ Mount your project directory into the container: # Scan current directory docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --python \ --secrets \ @@ -103,7 +103,7 @@ docker run --rm \ # Scan a specific project directory docker run --rm \ -v "/path/to/your/project:/workspace" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --javascript \ --secrets @@ -114,7 +114,7 @@ docker run --rm \ ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --all-languages \ --secrets \ @@ -162,7 +162,7 @@ VERBOSE=false docker run --rm \ -v "$PWD:/workspace" \ --env-file .env \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --python \ --secrets @@ -177,7 +177,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -e "SOCKET_SECURITY_API_KEY=scrt_your_api_key" \ -e "SOCKET_ORG=your-org-slug" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --python \ --secrets \ @@ -199,7 +199,7 @@ docker run --rm \ --env-file .env.socket \ --env-file .env.notifiers \ --env-file .env.scanning \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --all-languages ``` @@ -218,7 +218,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -e "SOCKET_SECURITY_API_KEY=$SOCKET_SECURITY_API_KEY" \ -e "SOCKET_ORG=$SOCKET_ORG" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --python ``` @@ -234,7 +234,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -v "/var/run/docker.sock:/var/run/docker.sock" \ --env-file .env \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --images "nginx:latest,redis:7" \ --console-tabular-enabled 
@@ -255,7 +255,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -v "$PWD/scan-results:/results" \ --env-file .env \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --python \ --secrets \ @@ -272,7 +272,7 @@ docker run --rm -it \ -v "$PWD:/workspace" \ --env-file .env \ --entrypoint /bin/bash \ - socket-basics:1.0.10 + socket-basics:1.0.11 # Inside container, run commands manually: # cd /workspace @@ -301,7 +301,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -v "$PWD/socket-config.json:/config.json" \ --env-file .env \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --config /config.json ``` @@ -325,7 +325,7 @@ for PROJECT in "${PROJECTS[@]}"; do docker run --rm \ -v "$PROJECT:/workspace" \ --env-file .env \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --all-languages \ --secrets \ @@ -345,7 +345,7 @@ pipeline { stage('Security Scan') { steps { script { - docker.image('socket-basics:1.0.10').inside( + docker.image('socket-basics:1.0.11').inside( "-v ${WORKSPACE}:/workspace --env-file .env" ) { sh ''' @@ -367,7 +367,7 @@ pipeline { ```yaml security-scan: - image: socket-basics:1.0.10 + image: socket-basics:1.0.11 stage: test script: - socket-basics @@ -393,7 +393,7 @@ security-scan: docker run --rm \ -v "$PWD:/workspace" \ --user "$(id -u):$(id -g)" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace ``` @@ -412,14 +412,14 @@ security-scan: ```bash docker run --rm \ -v "$(pwd):/workspace" \ # Use $(pwd) instead of $PWD - socket-basics:1.0.10 + socket-basics:1.0.11 ``` 2. Verify mount: ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ ls -la /workspace ``` @@ -449,7 +449,7 @@ security-scan: docker run --rm \ -v "$PWD:/workspace" \ --env-file "$(pwd)/.env" \ - socket-basics:1.0.10 + socket-basics:1.0.11 ``` ### Docker Socket Permission Denied 
@@ -497,7 +497,7 @@ security-scan: ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --python \ --secrets \ @@ -518,7 +518,7 @@ security-scan: ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --output /workspace/results.json # Save to mounted directory ``` @@ -529,7 +529,7 @@ security-scan: docker run --rm \ -v "$PWD:/workspace" \ -v "$PWD/results:/results" \ - socket-basics:1.0.10 \ + socket-basics:1.0.11 \ --workspace /workspace \ --output /results/scan.json ``` @@ -540,14 +540,14 @@ Add these to your `~/.bashrc` or `~/.zshrc` for quick access: ```bash # Socket Basics Docker aliases -alias sb-docker='docker run --rm -v "$PWD:/workspace" --env-file .env socket-basics:1.0.10 --workspace /workspace' +alias sb-docker='docker run --rm -v "$PWD:/workspace" --env-file .env socket-basics:1.0.11 --workspace /workspace' alias sb-quick='sb-docker --secrets --console-tabular-enabled' alias sb-python='sb-docker --python --secrets --console-tabular-enabled' alias sb-js='sb-docker --javascript --secrets --console-tabular-enabled' alias sb-all='sb-docker --all-languages --secrets --socket-tier1 --console-tabular-enabled' # Rebuild image -alias sb-build='docker build -t socket-basics:1.0.10 .' +alias sb-build='docker build -t socket-basics:1.0.11 .' ``` Usage: @@ -583,7 +583,7 @@ set -e # Configuration PROJECT_DIR="$(pwd)" RESULTS_DIR="./scan-results" -IMAGE_NAME="socket-basics:1.0.10" +IMAGE_NAME="socket-basics:1.0.11" ENV_FILE=".env" # Create results directory diff --git a/docs/pre-commit-hook.md b/docs/pre-commit-hook.md index eedc172..836a82a 100644 --- a/docs/pre-commit-hook.md +++ b/docs/pre-commit-hook.md 
@@ -39,7 +39,7 @@ git clone https://github.com/SocketDev/socket-basics.git cd socket-basics # Build the Docker image with version tag -docker build -t socket-basics:1.0.10 . +docker build -t socket-basics:1.0.11 . ``` **2. Create pre-commit hook:** diff --git a/pyproject.toml b/pyproject.toml index 8d2c37a..f5f8a4e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "socket_basics" -version = "1.0.10" +version = "1.0.11" description = "Socket Basics with integrated SAST, secret scanning, and container analysis" readme = "README.md" requires-python = ">=3.10" diff --git a/socket_basics/core/config.py b/socket_basics/core/config.py index 0a7465a..acd6372 100644 --- a/socket_basics/core/config.py +++ b/socket_basics/core/config.py @@ -1313,7 +1313,15 @@ def _detect_git_changed_files(workspace_path: str, mode: str = 'staged', commit: """ try: from subprocess import check_output, CalledProcessError - ws = Path(workspace_path) + import subprocess + + # Prefer GITHUB_WORKSPACE if set (GitHub Actions environment) + # Otherwise use the provided workspace_path + if os.environ.get('GITHUB_WORKSPACE'): + ws = Path(os.environ['GITHUB_WORKSPACE']) + else: + ws = Path(workspace_path) if workspace_path else Path.cwd() + if not ws.exists(): return [] 
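Review bot: The new `GITHUB_WORKSPACE` lookup takes precedence over an explicit `workspace_path` argument whenever the variable is set, so under Actions a caller that deliberately points at a different checkout or a subdirectory silently gets the changed-file list of the runner's default workspace instead. Treating the environment variable as a fallback keeps the parameter meaningful: `ws = Path(workspace_path) if workspace_path else Path(os.environ.get('GITHUB_WORKSPACE') or Path.cwd())`. The hunk also adds `import subprocess` inside the `try` next to the existing `from subprocess import check_output, CalledProcessError`, and `subprocess.DEVNULL` is its only use, so `from subprocess import check_output, CalledProcessError, DEVNULL` would keep one import style. `os` is not imported in this hunk; presumably it is already imported at module level, but that cannot be confirmed from here, and the function's signature and docstring start before the hunk.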
@@ -1322,19 +1330,29 @@ def _detect_git_changed_files(workspace_path: str, mode: str = 'staged', commit: if not git_dir.exists(): return [] - if mode == 'staged': - # staged but not yet committed - out = check_output(['git', '-C', str(ws), 'diff', '--name-only', '--cached'], text=True) - elif mode == 'current-commit': - # files that are part of HEAD commit - out = check_output(['git', '-C', str(ws), 'diff-tree', '--no-commit-id', '--name-only', '-r', 'HEAD'], text=True) - elif mode == 'commit' and commit: - out = check_output(['git', '-C', str(ws), 'diff-tree', '--no-commit-id', '--name-only', '-r', commit], text=True) - else: - return [] + # Change to workspace directory before running git commands + # This ensures git runs in the correct repository context + original_cwd = os.getcwd() + try: + os.chdir(str(ws)) + + if mode == 'staged': + # staged but not yet committed + out = check_output(['git', 'diff', '--name-only', '--cached'], text=True, stderr=subprocess.DEVNULL) + elif mode == 'current-commit': + # files that are part of HEAD commit + out = check_output(['git', 'diff-tree', '--no-commit-id', '--name-only', '-r', 'HEAD'], text=True, stderr=subprocess.DEVNULL) + elif mode == 'commit' and commit: + out = check_output(['git', 'diff-tree', '--no-commit-id', '--name-only', '-r', commit], text=True, stderr=subprocess.DEVNULL) + else: + return [] - files = [line.strip() for line in out.splitlines() if line.strip()] - return files + files = [line.strip() for line in out.splitlines() if line.strip()] + return files + finally: + # Always restore original working directory + os.chdir(original_cwd) + except CalledProcessError: return [] except Exception: diff --git a/socket_basics/version.py b/socket_basics/version.py index 9fd0f8d..9eb1ebe 100644 --- a/socket_basics/version.py +++ b/socket_basics/version.py @@ -1 +1 @@ -__version__ = "1.0.10" +__version__ = "1.0.11"
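Review bot: Replacing `git -C <ws>` with `os.chdir(str(ws))` makes the function mutate process-global state, so any other thread, or a caller that relies on the working directory while this runs, observes the wrong directory; `git -C` already executed the commands in the repository context without that side effect, so the `os.chdir`/`finally` wrapper can be dropped and `'-C', str(ws)` restored in each `check_output` call. Adding `stderr=subprocess.DEVNULL` discards git's diagnostics while the existing `except CalledProcessError: return []` reports an empty change set, so a failing invocation (shallow clone, unknown commit, not a work tree) becomes indistinguishable from a genuinely empty diff and the scan may quietly cover nothing; passing `stderr=subprocess.PIPE` instead lets the handler log `e.stderr` before returning. The `commit` argument is still handed to `diff-tree` unchecked, and a value beginning with `-` would be parsed as an option rather than a revision, so rejecting such values before the call is worth considering. The `except Exception:` handler at the end of the function continues outside the hunk.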