feat: Add SCM-aware manifest file URL generation and fix report links #119
+123
−21
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add get_manifest_file_url() method with GitHub/GitLab/Bitbucket support - Support environment variables for custom SCM servers (GitHub Enterprise, self-hosted GitLab, Bitbucket Server) - Fix manifest file links in security comments to use proper SCM URLs instead of Socket dashboard URLs - Fix 'View full report' links to use diff_url for PRs and report_url for non-PR scans - Add base_path parameter to create_full_scan() for improved path handling - Update socketdev dependency to >=3.0.5 for latest features - Add os module import for environment variable access - Update type hints for better code clarity
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
🚀 Preview package published! Install with: pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.8.dev1Docker image: |
dachi-dev
approved these changes
Sep 9, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug Description:
Manifest files in security comments were incorrectly linking to Socket dashboard URLs (like
https://socket.dev/dashboard/org/socketdev-demo/diff/06e956ff...) instead of proper SCM URLs (likehttps://github.com/socketdev-demo/javascript-threats/blob/main/package.json) whenscm=github/gitlab/bitbucket. Additionally, "View full report" links were using the wrong URL type for different scan contexts.Impact:
Root Cause
The
Messages.security_comment_template()method was directly usingalert.manifestsas href URLs without any processing. The manifest paths contained build agent paths and weren't converted to proper SCM URLs based on the repository type. Additionally, the method was missing logic to generate SCM-specific URLs using repository configuration and environment variables.The "View full report" link was hardcoded to use
report_urlinstead of intelligently choosing betweendiff_url(for PR comparisons) andreport_url(for SBOM views).Fix
Added
get_manifest_file_url()method that intelligently generates proper URLs based on SCM type:opt/buildagent/work/,home/runner/work/)GITHUB_SERVER_URL,CI_SERVER_URL,BITBUCKET_SERVER_URLUpdated
security_comment_template()method to:get_manifest_file_url()for both security alerts and license violationsdiff_urlfor PRs, fallback toreport_urlfor non-PR scansEnhanced infrastructure:
osmodule import for environment variable accessbase_pathparameter tocreate_full_scan()for better path handlingPublic Changelog
Fixed manifest file links in security comments to properly link to source code files in GitHub, GitLab, and Bitbucket repositories instead of Socket dashboard pages. Fixed "View full report" links to show appropriate content based on scan context.