Resolve merge conflicts

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/workflows/docker-stable.yml

@@ -6,39 +6,46 @@ on:
         description: 'Version to mark as stable (e.g., 1.2.3)'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   stable:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Check if version exists in PyPI
         id: version_check
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          if ! curl -s -f https://pypi.org/pypi/socketsecurity/${{ inputs.version }}/json > /dev/null; then
-            echo "Error: Version ${{ inputs.version }} not found on PyPI"
+          if ! curl -s -f "https://pypi.org/pypi/socketsecurity/${INPUT_VERSION}/json" > /dev/null; then
+            echo "Error: Version ${INPUT_VERSION} not found on PyPI"
             exit 1
           fi
-          echo "Version ${{ inputs.version }} found on PyPI - proceeding with release"
+          echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release"
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Stable Docker
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           push: true
           platforms: linux/amd64,linux/arm64
           tags: socketdev/cli:stable
           build-args: |
             CLI_VERSION=${{ inputs.version }}
-            
+            

.github/workflows/e2e-test.yml

@@ -4,14 +4,20 @@ on:
   push:
     branches: [main]
   pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   e2e-scan:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
@@ -48,11 +54,13 @@ jobs:
           fi
 
   e2e-sarif:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
@@ -87,11 +95,13 @@ jobs:
           "
 
   e2e-reachability:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:

.github/workflows/pr-preview.yml

@@ -5,6 +5,7 @@ on:
 
 jobs:
   preview:
+    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -14,6 +15,7 @@ jobs:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.13'

.github/workflows/python-tests.yml

@@ -50,3 +50,23 @@ jobs:
           uv sync --extra test
       - name: 🧪 run tests
         run: uv run pytest -q tests/unit/ tests/core/
+
+  unsupported-python-install:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+      - name: 🐍 setup python
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        with:
+          python-version: "3.10"
+      - name: 🚫 verify install is rejected on unsupported python
+        run: |
+          python -m pip install --upgrade pip
+          if pip install .; then
+            echo "Expected pip install . to fail on Python 3.10"
+            exit 1
+          fi

.github/workflows/release.yml

@@ -13,6 +13,7 @@ jobs:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.13'
@@ -26,11 +27,13 @@ jobs:
           
       - name: Get Version
         id: version
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
           RAW_VERSION=$(hatch version)
           echo "VERSION=$RAW_VERSION" >> $GITHUB_ENV
-          if [ "v$RAW_VERSION" != "${{ github.ref_name }}" ]; then
-            echo "Error: Git tag (${{ github.ref_name }}) does not match hatch version (v$RAW_VERSION)"
+          if [ "v$RAW_VERSION" != "$REF_NAME" ]; then
+            echo "Error: Git tag ($REF_NAME) does not match hatch version (v$RAW_VERSION)"
             exit 1
           fi
 
@@ -52,7 +55,7 @@ jobs:
         env:
           VERSION: ${{ env.VERSION }}
         run: |
-          if curl -s -f "https://hub.docker.com/v2/repositories/socketdev/cli/tags/${{ env.VERSION }}" > /dev/null; then
+          if curl -s -f "https://hub.docker.com/v2/repositories/socketdev/cli/tags/${VERSION}" > /dev/null; then
             echo "Docker image socketdev/cli:${VERSION} already exists"
             echo "docker_exists=true" >> $GITHUB_OUTPUT
           else
@@ -113,4 +116,4 @@ jobs:
             socketdev/cli:latest
             socketdev/cli:${{ env.VERSION }}
           build-args: |
-            CLI_VERSION=${{ env.VERSION }}
+            CLI_VERSION=${{ env.VERSION }}

.github/workflows/version-check.yml

@@ -7,13 +7,19 @@ on:
       - 'setup.py'
       - 'pyproject.toml'
 
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
 jobs:
   check_version:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0  # Fetch all history for all branches
+          persist-credentials: false
 
       - name: Check version increment
         id: version_check
@@ -42,7 +48,7 @@ jobs:
 
       - name: Manage PR Comment
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
-        if: always()
+        if: always() && github.event.pull_request.head.repo.full_name == github.repository
         env:
           MAIN_VERSION: ${{ env.MAIN_VERSION }}
           PR_VERSION: ${{ env.PR_VERSION }}

.github/zizmor.yml

@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env:
+    disable: true

README.md

@@ -2,7 +2,7 @@
 
 Socket Python CLI for Socket scans, diff reporting, reachability analysis, and SARIF/GitLab exports.
 
-Comprehensive docs are available in [`docs/`](docs/) for full flag reference, CI/CD-specific guidance, and contributor setup.
+Comprehensive docs are available in [`docs/`](https://github.com/SocketDev/socket-python-cli/tree/main/docs) for full flag reference, CI/CD-specific guidance, and contributor setup.
 
 ## Quick start
 
@@ -27,8 +27,8 @@ socketcli --target-path .
 ## Common use cases
 
 This section covers the paved path/common workflows.
-For advanced options and exhaustive details, see [`docs/cli-reference.md`](docs/cli-reference.md).
-For CI/CD-specific guidance, see [`docs/ci-cd.md`](docs/ci-cd.md).
+For advanced options and exhaustive details, see [`docs/cli-reference.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/cli-reference.md).
+For CI/CD-specific guidance, see [`docs/ci-cd.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/ci-cd.md).
 
 ### Basic policy scan (no SARIF)
 
@@ -91,7 +91,7 @@ socketcli \
 Dashboard parity note:
 - Full-scope SARIF is the closest match for dashboard-style filtering.
 - Exact result counts can still differ from the dashboard due to backend/API consolidation differences and grouping semantics.
-- See [`docs/troubleshooting.md#dashboard-vs-cli-result-counts`](docs/troubleshooting.md#dashboard-vs-cli-result-counts).
+- See [`docs/troubleshooting.md#dashboard-vs-cli-result-counts`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#dashboard-vs-cli-result-counts).
 
 ## Config files (`--config`)
 
@@ -137,23 +137,23 @@ socketcli --config .socketcli.toml --target-path .
 Reference sample configs:
 
 TOML:
-- [`examples/config/sarif-dashboard-parity.toml`](examples/config/sarif-dashboard-parity.toml)
-- [`examples/config/sarif-instance-detail.toml`](examples/config/sarif-instance-detail.toml)
-- [`examples/config/sarif-diff-ci-cd.toml`](examples/config/sarif-diff-ci-cd.toml)
+- [`examples/config/sarif-dashboard-parity.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-dashboard-parity.toml)
+- [`examples/config/sarif-instance-detail.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-instance-detail.toml)
+- [`examples/config/sarif-diff-ci-cd.toml`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-diff-ci-cd.toml)
 
 JSON:
-- [`examples/config/sarif-dashboard-parity.json`](examples/config/sarif-dashboard-parity.json)
-- [`examples/config/sarif-instance-detail.json`](examples/config/sarif-instance-detail.json)
-- [`examples/config/sarif-diff-ci-cd.json`](examples/config/sarif-diff-ci-cd.json)
+- [`examples/config/sarif-dashboard-parity.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-dashboard-parity.json)
+- [`examples/config/sarif-instance-detail.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-instance-detail.json)
+- [`examples/config/sarif-diff-ci-cd.json`](https://github.com/SocketDev/socket-python-cli/blob/main/examples/config/sarif-diff-ci-cd.json)
 
 ## CI/CD examples
 
 Prebuilt workflow examples:
 
-- [GitHub Actions](workflows/github-actions.yml)
-- [Buildkite](workflows/buildkite.yml)
-- [GitLab CI](workflows/gitlab-ci.yml)
-- [Bitbucket Pipelines](workflows/bitbucket-pipelines.yml)
+- [GitHub Actions](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/github-actions.yml)
+- [Buildkite](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/buildkite.yml)
+- [GitLab CI](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/gitlab-ci.yml)
+- [Bitbucket Pipelines](https://github.com/SocketDev/socket-python-cli/blob/main/workflows/bitbucket-pipelines.yml)
 
 Minimal pattern:
 
@@ -166,7 +166,7 @@ Minimal pattern:
 
 ## Common gotchas
 
-See [`docs/troubleshooting.md`](docs/troubleshooting.md#common-gotchas).
+See [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#common-gotchas).
 
 ## Quick verification checks
 
@@ -187,7 +187,7 @@ jq '.runs[0].results | length' sarif-diff-reachable.sarif
 
 ## Documentation reference
 
-- Full CLI reference: [`docs/cli-reference.md`](docs/cli-reference.md)
-- CI/CD guide: [`docs/ci-cd.md`](docs/ci-cd.md)
-- Troubleshooting guide: [`docs/troubleshooting.md`](docs/troubleshooting.md)
-- Development guide: [`docs/development.md`](docs/development.md)
+- Full CLI reference: [`docs/cli-reference.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/cli-reference.md)
+- CI/CD guide: [`docs/ci-cd.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/ci-cd.md)
+- Troubleshooting guide: [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md)
+- Development guide: [`docs/development.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/development.md)

pyproject.toml

@@ -6,8 +6,8 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.79"
-requires-python = ">= 3.10"
+version = "2.2.80"
+requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [
     'requests',
@@ -166,4 +166,3 @@ include = ["socketsecurity", "LICENSE"]
 dev = [
     "pre-commit>=4.3.0",
 ]
-

socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.79'
+__version__ = '2.2.80'
 USER_AGENT = f'SocketPythonCLI/{__version__}'