
Conversation

@jonathanStrange0
Contributor

Adds --enable-commit-status flag to post a success/failed commit status to
GitLab after scan, enabling merge blocking on Socket findings:

  • set_commit_status() — posts commit status (socket-security-commit-status)
    with state, description, and optional report link
  • enable_merge_pipeline_check() — enables "pipelines must succeed" on the
    MR target project via API
  • --enable-commit-status CLI flag (default off) wired into main_code() to
    call both methods after scan
  • Prefers CI_MERGE_REQUEST_SOURCE_BRANCH_SHA over CI_COMMIT_SHA to handle
    merged-results pipelines
  • Includes 401 auth fallback (Bearer → PRIVATE-TOKEN) on both new endpoints
  • Unit tests covering payload shape, auth fallback, skip-when-no-MR, and
    graceful error handling
  • UAT doc with pass/fail/omitted/non-MR/API-failure/non-GitLab scenarios

Why?

GitLab users had no way to block MR merges based on Socket scan results.
The CLI exited non-zero on blocking alerts, but that only fails the
pipeline — it doesn't surface a named status check. With
--enable-commit-status, Socket posts a dedicated commit status that repo
admins can require on protected branches, giving explicit merge-gate
control tied to Socket findings without relying solely on pipeline
pass/fail.

Public Changelog

N/A

Jonathan Mucha and others added 9 commits February 12, 2026 12:19
CI_COMMIT_SHA may be synthetic in merged-results pipelines.
Prefer CI_MERGE_REQUEST_SOURCE_BRANCH_SHA when available.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GitLab rejects duplicate name field; context allows updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GitLab uses (sha, name, ref) as unique key. Without ref,
re-runs fail with "name has already been taken".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
pipeline_id causes 404 when sha/ref don't match the pipeline.
ref alone is sufficient for uniqueness.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ia API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
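The flow the PR description and the commit messages above lay out (prefer the source-branch SHA, key the status on (sha, name, ref), skip outside a merge request, fall back from Bearer to PRIVATE-TOKEN on 401), as an added Python example that is not the socket-cli project's code: the HTTP call is injected so it runs offline, and FakeGitLab, SAMPLE_ENV and reading the ref from CI_COMMIT_REF_NAME are assumptions.

```python
STATUS_NAME = "socket-security-commit-status"  # status name given in the PR


def pick_commit_sha(env):
    """CI_COMMIT_SHA can be a synthetic merged-results commit, so prefer
    the real source-branch head whenever GitLab provides it."""
    return env.get("CI_MERGE_REQUEST_SOURCE_BRANCH_SHA") or env.get("CI_COMMIT_SHA")


def build_status_payload(env, state, description, report_url=None):
    """GitLab keys a commit status on (sha, name, ref); without ref a re-run
    fails with 'name has already been taken'. Reading the ref from
    CI_COMMIT_REF_NAME is an assumption, not something the PR states."""
    payload = {"state": state, "name": STATUS_NAME, "description": description,
               "ref": env["CI_COMMIT_REF_NAME"]}
    if report_url:
        payload["target_url"] = report_url  # optional link to the Socket report
    return payload


def post_commit_status(env, token, state, description, http_post, report_url=None):
    """Post the status and return the HTTP code, or None outside an MR pipeline.
    http_post(url, headers, json) -> int is injected so the example runs offline.
    On 401 the Bearer header is retried once as PRIVATE-TOKEN, as the PR describes."""
    if not env.get("CI_MERGE_REQUEST_IID"):
        return None  # skip-when-no-MR: there is no merge to gate
    url = (f"{env['CI_API_V4_URL']}/projects/{env['CI_PROJECT_ID']}"
           f"/statuses/{pick_commit_sha(env)}")
    payload = build_status_payload(env, state, description, report_url)
    code = http_post(url, {"Authorization": f"Bearer {token}"}, payload)
    if code == 401:
        code = http_post(url, {"PRIVATE-TOKEN": token}, payload)
    return code


class FakeGitLab:
    """Constructed stand-in for GitLab: rejects Bearer, accepts PRIVATE-TOKEN."""
    def __init__(self):
        self.calls = []

    def post(self, url, headers, json):
        self.calls.append((url, dict(headers), dict(json)))
        return 201 if "PRIVATE-TOKEN" in headers else 401


# Constructed variables resembling a merged-results MR pipeline (not real values).
SAMPLE_ENV = {"CI_API_V4_URL": "https://gitlab.example.com/api/v4",
              "CI_PROJECT_ID": "42", "CI_MERGE_REQUEST_IID": "7",
              "CI_COMMIT_SHA": "a" * 40,                      # synthetic merge commit
              "CI_MERGE_REQUEST_SOURCE_BRANCH_SHA": "b" * 40,  # true branch head
              "CI_COMMIT_REF_NAME": "feature/scan"}
```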
@jonathanStrange0 jonathanStrange0 requested a review from a team as a code owner February 12, 2026 17:52
@github-actions

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.73.dev1

Docker image: socketdev/cli:pr-163
