Skip to content

Mucha dev fail on any block #149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jonathanStrange0 wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Mucha dev fail on any block #149

jonathanStrange0 wants to merge 4 commits into from

Conversation

@jonathanStrange0
Copy link

@jonathanStrange0 jonathanStrange0 commented Jan 15, 2026

Add --strict-blocking flag to fail on any existing security violations

Introduces a new --strict-blocking flag that causes builds to fail when ANY security policy violations with blocking severity exist, not just new ones introduced in the current changes. This enables organizations to enforce zero-tolerance security policies across their entire codebase.

Key Features:

  • ✅ Fails on both NEW and EXISTING blocking violations (not just new ones)
  • 🔒 Only affects error-level alerts (blocking severity), not warnings
  • 🎯 Works in diff mode with full SCM integration
  • 📊 Enhanced console output distinguishes NEW vs EXISTING violations
  • ⚙️ --disable-blocking takes precedence when both flags are set

Usage:

socketcli --scm gitlab --pr-number 123 --strict-blocking

Example Output:
Security issues detected by Socket Security:
  - NEW blocking issues: 2
  - EXISTING blocking issues: 5 (causing failure due to --strict-blocking)

Why?

Current Limitation

The Socket CLI currently only fails builds when new security violations are introduced. Existing violations in the codebase are ignored, which means:
- Teams can accumulate technical security debt over time
- Protected branches may contain unresolved vulnerabilities
- No enforcement mechanism for gradual security improvement
- Difficult to implement zero-tolerance security policies

Use Cases Enabled by This Feature

1. Zero-Tolerance Security Policies
Organizations with strict security requirements can enforce that NO violations exist at any time. This is especially important for:
- Financial services and healthcare applications
- Government and defense contractors
- PCI-DSS, HIPAA, or SOC2 compliant systems
- Production/main branch protection

2. Gradual Security Improvement
Teams can use --strict-blocking alongside standard scans to:
- Block new violations immediately (standard behavior)
- Monitor existing violations with warnings (strict scan with allow_failure: true)
- Gradually resolve legacy issues
- Eventually enforce strict blocking (set allow_failure: false)

3. Protected Branch Enforcement
Require all security violations to be resolved before merging to critical branches:
rules:
  - if: $CI_COMMIT_BRANCH == "main"
    # Only main branch requires strict blocking

4. Scheduled Security Audits
Run periodic scans that fail if any violations accumulate over time, ensuring continuous security posture monitoring.

Benefits

- Prevents Security Debt: Stops violations from accumulating in the codebase
- Clear Visibility: Console output explicitly shows NEW vs EXISTING issues
- Flexible Adoption: Can be phased in gradually with allow_failure configuration
- Backwards Compatible: Existing workflows continue to work unchanged
- Well-Documented: Comprehensive README section and GitLab CI examples included

Implementation Highlights

- Added unchanged_alerts and removed_alerts fields to Diff class
- Created get_unchanged_alerts() method to extract alerts from unchanged packages
- Updated report_pass() exit code logic to check both new and unchanged alerts when enabled
- Enhanced output_console_comments() to distinguish violation sources in console output
- Added validation warnings for conflicting flags and API mode limitations
- Comprehensive test coverage: 15+ new unit tests across 3 test files

Related Documentation

- Full usage guide in README (new "Strict Blocking Mode" section)
- GitLab CI examples available (can be added in separate PR if needed)
- Migration strategy guidance included

Public Changelog

New Feature: --strict-blocking Flag

Added a new --strict-blocking flag that enforces zero-tolerance security policies by failing builds when ANY security violations with blocking severity exist, not just new ones.

What's New:
- Fail builds on both NEW and EXISTING blocking violations
- Enhanced console output showing "NEW blocking issues" vs "EXISTING blocking issues"
- Works in diff mode with full GitLab, GitHub, Bitbucket, and Azure DevOps integration
- Only affects error-level alerts (blocking severity), not warnings

Usage Example:
socketcli --scm gitlab --pr-number 123 --strict-blocking

Use Cases:
- Enforce zero-tolerance security policies for critical branches
- Prevent security debt accumulation over time
- Gradually improve security posture with phased adoption
- Meet compliance requirements (PCI-DSS, HIPAA, SOC2)

Important Notes:
- Only works in diff mode (requires baseline scan for comparison)
- --disable-blocking flag takes precedence if both are set
- See README for complete documentation and migration strategies

Jonathan Mucha and others added 4 commits January 15, 2026 11:04
@claude
feat: add --strict-blocking flag to fail on any existing security vio…
6f2d64a 
…lations

Introduces a new --strict-blocking flag that causes builds to fail on ANY
security policy violations with blocking severity, not just new ones. This
enables enforcement of a zero-tolerance policy on security issues.

Key features:
- Works in diff mode only (logs warning in API mode)
- Only fails on error-level alerts (not warnings)
- --disable-blocking takes precedence when both flags are set
- Enhanced console output distinguishes NEW vs EXISTING violations
- Comprehensive test coverage for all scenarios

Implementation details:
- Added unchanged_alerts and removed_alerts fields to Diff class
- Created get_unchanged_alerts() method to extract alerts from unchanged packages
- Updated report_pass() to check both new and unchanged alerts when enabled
- Added validation warnings for conflicting flags and API mode limitations

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@claude
chore: update uv.lock with version 2.2.63
ff33725 
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@claude
docs: add --strict-blocking flag documentation to README
f2f3c3b 
Added comprehensive documentation for the new --strict-blocking feature:

- Added flag to Advanced Configuration parameters table
- Created dedicated "Strict Blocking Mode" section with:
  - Behavior comparison (standard vs strict)
  - Usage examples for different CI/CD platforms
  - Output examples showing NEW vs EXISTING violations
  - Common use cases and implementation strategies
  - Important notes about limitations and flag priority
  - Flag combination examples
  - Migration strategy guidance
  - Links to GitLab CI example files

The documentation clearly explains:
- Zero-tolerance security policy enforcement
- Diff mode requirement
- Error-level filtering (not warnings)
- --disable-blocking precedence
- First scan behavior

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@claude
chore: bump version to 2.3.1 for --strict-blocking feature
a71530f 
Bumped version from 2.2.63 to 2.3.1 following semantic versioning
(minor version bump for new feature).

This version number avoids conflict with the mucha-dev-gitlab-security-output
branch which uses 2.3.0 for the GitLab Security Dashboard feature.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@jonathanStrange0 jonathanStrange0 requested a review from a team as a code owner January 15, 2026 17:15
@github-actions
Copy link

github-actions bot commented Jan 15, 2026

Version Check Failed

Please increment...

@github-actions
Copy link

github-actions bot commented Jan 15, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.63.dev4

Docker image: socketdev/cli:pr-149

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathanStrange0