Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

feat: Add SCM-aware manifest file URL generation and fix report links #119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dacoburn merged 1 commit into main from doug/fix-report-url-and-manifest-file-links
Sep 9, 2025

Conversation

@dacoburn
Copy link
Collaborator

@dacoburn dacoburn commented Sep 9, 2025

Bug Description:
Manifest files in security comments were incorrectly linking to Socket dashboard URLs (like https://socket.dev/dashboard/org/socketdev-demo/diff/06e956ff...) instead of proper SCM URLs (like https://github.com/socketdev-demo/javascript-threats/blob/main/package.json) when scm=github/gitlab/bitbucket. Additionally, "View full report" links were using the wrong URL type for different scan contexts.

Impact:

  • Users clicking on manifest file links were redirected to Socket's dashboard instead of the actual source code file in their repository
  • This broke the workflow for developers trying to quickly navigate to the problematic files
  • "View full report" links pointed to SBOM reports instead of diff reports in PR contexts

Root Cause

The Messages.security_comment_template() method was directly using alert.manifests as href URLs without any processing. The manifest paths contained build agent paths and weren't converted to proper SCM URLs based on the repository type. Additionally, the method was missing logic to generate SCM-specific URLs using repository configuration and environment variables.

The "View full report" link was hardcoded to use report_url instead of intelligently choosing between diff_url (for PR comparisons) and report_url (for SBOM views).

Fix

  1. Added get_manifest_file_url() method that intelligently generates proper URLs based on SCM type:

    • Cleans up manifest paths by removing build agent prefixes (opt/buildagent/work/, home/runner/work/)
    • Detects SCM type from config or diff URL (GitHub, GitLab, Bitbucket)
    • Constructs proper SCM URLs using repository info and environment variables
    • Supports custom servers via GITHUB_SERVER_URL, CI_SERVER_URL, BITBUCKET_SERVER_URL
    • Falls back to Socket file view for API mode

  2. Updated security_comment_template() method to:

    • Use get_manifest_file_url() for both security alerts and license violations
    • Accept config parameter for SCM type detection
    • Fix "View full report" logic to prioritize diff_url for PRs, fallback to report_url for non-PR scans

  3. Enhanced infrastructure:

    • Added os module import for environment variable access
    • Updated method signatures and type hints
    • Added base_path parameter to create_full_scan() for better path handling

Public Changelog

Fixed manifest file links in security comments to properly link to source code files in GitHub, GitLab, and Bitbucket repositories instead of Socket dashboard pages. Fixed "View full report" links to show appropriate content based on scan context.

 

- Add get_manifest_file_url() method with GitHub/GitLab/Bitbucket support
- Support environment variables for custom SCM servers (GitHub Enterprise, self-hosted GitLab, Bitbucket Server)
- Fix manifest file links in security comments to use proper SCM URLs instead of Socket dashboard URLs
- Fix 'View full report' links to use diff_url for PRs and report_url for non-PR scans
- Add base_path parameter to create_full_scan() for improved path handling
- Update socketdev dependency to >=3.0.5 for latest features
- Add os module import for environment variable access
- Update type hints for better code clarity
@dacoburn dacoburn requested a review from a team as a code owner September 9, 2025 17:50
@dacoburn dacoburn requested review from jhiesey and reberhardt7 and removed request for a team September 9, 2025 17:50
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated socketdev@​3.0.0 ⏵ 3.0.5 99 +1100 100 100 100

View full report

Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated socketdev@​3.0.0 ⏵ 3.0.5 99 +1100 100 100 100

View full report

Copy link

github-actions bot commented Sep 9, 2025

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.8.dev1

Docker image: socketdev/cli:pr-119

@dacoburn dacoburn merged commit 656a458 into main Sep 9, 2025
6 checks passed
@dacoburn dacoburn deleted the doug/fix-report-url-and-manifest-file-links branch September 9, 2025 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dachi-dev dachi-dev dachi-dev approved these changes

@jhiesey jhiesey Awaiting requested review from jhiesey jhiesey is a code owner automatically assigned from SocketDev/eng

@reberhardt7 reberhardt7 Awaiting requested review from reberhardt7 reberhardt7 is a code owner automatically assigned from SocketDev/eng

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AltStyle によって変換されたページ (->オリジナル) /