Socket Python CLI for Socket scans, diff reporting, reachability analysis, and SARIF/GitLab exports.
Comprehensive docs are available in docs/ for full flag reference, CI/CD-specific guidance, and contributor setup.
pip install socketsecurityexport SOCKET_SECURITY_API_TOKEN="<token>"socketcli --target-path .This section covers the paved path/common workflows.
For advanced options and exhaustive details, see docs/cli-reference.md.
For CI/CD-specific guidance, see docs/ci-cd.md.
socketcli --target-path .socketcli --enable-gitlab-security --gitlab-security-file gl-dependency-scanning-report.jsonsocketcli \
--reach \
--sarif-file results.sarif \
--sarif-scope full \
--sarif-grouping alert \
--sarif-reachability reachable \
--disable-blockingsocketcli \
--reach \
--sarif-file results.sarif \
--sarif-scope diff \
--sarif-reachability reachable \
--strict-blockingsocketcli \
--reach \
--sarif-file results.sarif \
--sarif-scope full \
--sarif-grouping instance \
--sarif-reachability all \
--disable-blocking| Use case | Recommended mode | Key flags |
|---|---|---|
| Basic policy enforcement in CI | Diff-based policy check | --strict-blocking |
| Legal/compliance artifact generation | Legal preset | --legal |
| Reachable-focused SARIF for reporting | Full-scope grouped SARIF | --reach --sarif-scope full --sarif-grouping alert --sarif-reachability reachable --sarif-file <path> |
| Detailed reachability export for investigations | Full-scope instance SARIF | --reach --sarif-scope full --sarif-grouping instance --sarif-reachability all --sarif-file <path> |
| Net-new PR findings only | Diff-scope SARIF | --reach --sarif-scope diff --sarif-reachability reachable --sarif-file <path> |
Dashboard parity note:
- Full-scope SARIF is the closest match for dashboard-style filtering.
- Exact result counts can still differ from the dashboard due to backend/API consolidation differences and grouping semantics.
- See
docs/troubleshooting.md#dashboard-vs-cli-result-counts.
Use --config <path> with .toml or .json to avoid long command lines.
Precedence order:
CLI flags > environment variables > config file > built-in defaults
Example:
[socketcli]
repo = "example-repo"
reach = true
sarif_scope = "full"
sarif_grouping = "alert"
sarif_reachability = "reachable"
sarif_file = "reachable.sarif"Equivalent JSON:
{
"socketcli": {
"repo": "example-repo",
"reach": true,
"sarif_scope": "full",
"sarif_grouping": "alert",
"sarif_reachability": "reachable",
"sarif_file": "reachable.sarif"
}
}Run:
socketcli --config .socketcli.toml --target-path .Legal/compliance preset example:
socketcli --legal --target-path .This preset enables license generation and writes default artifacts unless you override them:
socket-report.jsonsocket-summary.txtsocket-report-link.txtsocket-sbom.jsonsocket-license.json
FOSSA-compatibility shaped legal artifacts:
socketcli --legal-format fossa --target-path .This switches the JSON report and legal artifact payloads to FOSSA-style compatibility shapes:
- the analyze artifact becomes a
project/vulnerability/licensing/qualityreport - the SBOM artifact becomes a FOSSA-attribution-style payload with
copyrightsByLicense,deepDependencies,directDependencies,licenses, andprojectkeys
When --legal-format fossa is used without explicit output paths, the defaults are closer to the FOSSA pipeline contract:
fossa-analyze.jsonfossa-test.txtfossa-link.txtfossa-sbom.json
Reference sample configs:
TOML:
examples/config/sarif-dashboard-parity.tomlexamples/config/sarif-instance-detail.tomlexamples/config/sarif-diff-ci-cd.toml
JSON:
examples/config/sarif-dashboard-parity.jsonexamples/config/sarif-instance-detail.jsonexamples/config/sarif-diff-ci-cd.json
Prebuilt workflow examples:
Minimal pattern:
- name: Run Socket CLI
run: socketcli --config .socketcli.toml --target-path .
env:
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}| Code | Meaning |
|---|---|
0 |
Clean scan — no blocking issues (or --disable-blocking set) |
1 |
Blocking security finding(s) detected |
2 |
Scan interrupted (SIGINT / Ctrl+C) |
3 |
Infrastructure or API error (timeout, network failure, unexpected error) |
--exit-code-on-api-error <N> remaps the infrastructure-error code (3) to any
value — e.g. a Buildkite soft_fail code, or 0 to swallow infra errors. Exit
3 is a Socket convention, not an industry standard.
The two flags that affect exit codes can cancel each other out, so the order of precedence matters:
--disable-blockingwins over everything. It forces exit0for all outcomes — security findings and infrastructure errors. If you set it,--exit-code-on-api-errorhas no effect (you'll always get0).--exit-code-on-api-erroronly applies when--disable-blockingis not set. It changes the infra-error code (and the generic-error code); it never touches the security-finding code (1).
So for the common "don't let Socket outages block my pipeline, but still fail on
real findings" goal, use --exit-code-on-api-error without --disable-blocking:
# Buildkite: soft-fail only on infrastructure errors, still block on findings
steps:
- label: ":lock: Socket Security Scan"
command: "socketcli --exit-code-on-api-error 100 ..." # NOT --disable-blocking
soft_fail:
- exit_status: 100Combining --disable-blocking with --exit-code-on-api-error 100 would make the
scan exit 0 on both findings and outages — the soft_fail: 100 rule would
never match, and real findings would stop blocking. That's usually not what you
want.
After generating SARIF files, validate shape/count quickly:
jq '.runs[0].results | length' results.sarif
jq -r '.runs[0].results[]?.properties.reachability' results.sarif | sort -uFor side-by-side comparisons:
jq '.runs[0].results | length' sarif-dashboard-parity-reachable.sarif
jq '.runs[0].results | length' sarif-full-instance-all.sarif
jq '.runs[0].results | length' sarif-diff-reachable.sarif- Full CLI reference:
docs/cli-reference.md - CI/CD guide:
docs/ci-cd.md - Troubleshooting guide:
docs/troubleshooting.md - Development guide:
docs/development.md