Various fixes for handling of target paths. (#933)

* Fix handling of target in reachability mode. Fix recursive inclusion of manifest files when target is a directory

* update Socket CLI to v1.1.34

Author: mtorp

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+
+## [1.1.34](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.33) - 2025-11-21
+
+### Fixed
+- The target path is now properly considered when conducting reachability analysis: `socket scan reach <target>` and `socket scan create --reach <target>`.
+- Fixed a bug where manifest files `<target>` were not included in a scan when the target was pointing to a directory.
+
 ## [1.1.33](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.33) - 2025-11-20
 
 ### Changed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.33",
+  "version": "1.1.34",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",

src/commands/scan/cmd-scan-create.mts

@@ -8,6 +8,7 @@ import { outputCreateNewScan } from './output-create-new-scan.mts'
 import { reachabilityFlags } from './reachability-flags.mts'
 import { suggestOrgSlug } from './suggest-org-slug.mts'
 import { suggestTarget } from './suggest_target.mts'
+import { validateReachabilityTarget } from './validate-reachability-target.mts'
 import constants, { REQUIREMENTS_TXT, SOCKET_JSON } from '../../constants.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { checkCommandInput } from '../../utils/check-input.mts'
@@ -453,6 +454,16 @@ async function run(
     reachSkipCache ||
     reachDisableAnalysisSplitting
 
+  // Validate target constraints when --reach is enabled.
+  const reachTargetValidation = reach
+    ? await validateReachabilityTarget(targets, cwd)
+    : {
+        isDirectory: false,
+        isInsideCwd: false,
+        isValid: true,
+        targetExists: false,
+      }
+
   const wasValidInput = checkCommandInput(
     outputKind,
     {
@@ -496,6 +507,33 @@ async function run(
       message: 'Reachability analysis flags require --reach to be enabled',
       fail: 'add --reach flag to use --reach-* options',
     },
+    {
+      nook: true,
+      test: !reach || reachTargetValidation.isValid,
+      message:
+        'Reachability analysis requires exactly one target directory when --reach is enabled',
+      fail: 'provide exactly one directory path',
+    },
+    {
+      nook: true,
+      test: !reach || reachTargetValidation.isDirectory,
+      message:
+        'Reachability analysis target must be a directory when --reach is enabled',
+      fail: 'provide a directory path, not a file',
+    },
+    {
+      nook: true,
+      test: !reach || reachTargetValidation.targetExists,
+      message: 'Target directory must exist when --reach is enabled',
+      fail: 'provide an existing directory path',
+    },
+    {
+      nook: true,
+      test: !reach || reachTargetValidation.isInsideCwd,
+      message:
+        'Target directory must be inside the current working directory when --reach is enabled',
+      fail: 'provide a path inside the working directory',
+    },
   )
   if (!wasValidInput) {
     return

src/commands/scan/cmd-scan-create.test.mts

@@ -305,7 +305,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -370,7 +370,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -405,7 +405,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -434,7 +434,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -527,7 +527,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -595,7 +595,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -621,7 +621,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -647,7 +647,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -677,7 +677,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -710,7 +710,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -735,7 +735,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -760,7 +760,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',
@@ -790,7 +790,7 @@ describe('socket scan create', async () => {
       'create',
       FLAG_ORG,
       'fakeOrg',
-      'target',
+      'test/fixtures/commands/scan/reach',
       FLAG_DRY_RUN,
       '--repo',
       'xyz',

src/commands/scan/cmd-scan-reach.mts

@@ -6,6 +6,7 @@ import { logger } from '@socketsecurity/registry/lib/logger'
 import { handleScanReach } from './handle-scan-reach.mts'
 import { reachabilityFlags } from './reachability-flags.mts'
 import { suggestTarget } from './suggest_target.mts'
+import { validateReachabilityTarget } from './validate-reachability-target.mts'
 import constants from '../../constants.mts'
 import { commonFlags, outputFlags } from '../../flags.mts'
 import { checkCommandInput } from '../../utils/check-input.mts'
@@ -156,7 +157,7 @@ async function run(
       : processCwd
 
   // Accept zero or more paths. Default to cwd() if none given.
-  let targets = cli.input || [cwd]
+  let targets = cli.input.length ? cli.input : [cwd]
 
   // Use suggestTarget if no targets specified and in interactive mode
   if (!targets.length && !dryRun && interactive) {
@@ -169,6 +170,9 @@ async function run(
 
   const outputKind = getOutputKind(json, markdown)
 
+  // Validate target constraints for reachability analysis.
+  const targetValidation = await validateReachabilityTarget(targets, cwd)
+
   const wasValidInput = checkCommandInput(
     outputKind,
     {
@@ -189,6 +193,30 @@ async function run(
       message: 'The json and markdown flags cannot be both set, pick one',
       fail: 'omit one',
     },
+    {
+      nook: true,
+      test: targetValidation.isValid,
+      message: 'Reachability analysis requires exactly one target directory',
+      fail: 'provide exactly one directory path',
+    },
+    {
+      nook: true,
+      test: targetValidation.isDirectory,
+      message: 'Reachability analysis target must be a directory',
+      fail: 'provide a directory path, not a file',
+    },
+    {
+      nook: true,
+      test: targetValidation.targetExists,
+      message: 'Target directory must exist',
+      fail: 'provide an existing directory path',
+    },
+    {
+      nook: true,
+      test: targetValidation.isInsideCwd,
+      message: 'Target directory must be inside the current working directory',
+      fail: 'provide a path inside the working directory',
+    },
   )
   if (!wasValidInput) {
     return

src/commands/scan/cmd-scan-reach.test.mts

@@ -779,7 +779,7 @@ describe('socket scan reach', async () => {
         const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
         const output = stdout + stderr
         expect(output).toMatch(
-          /no eligible files|file.*dir.*must contain|not.*found/i,
+          /Target directory must exist|no eligible files|file.*dir.*must contain|not.*found/i,
         )
         expect(code).toBeGreaterThan(0)
       },

src/commands/scan/handle-create-new-scan.mts

@@ -173,6 +173,7 @@ export async function handleCreateNewScan({
       reachabilityOptions: reach,
       repoName,
       spinner,
+      target: targets[0]!,
     })
 
     spinner.stop()

src/commands/scan/handle-scan-reach.mts

@@ -73,6 +73,7 @@ export async function handleScanReach({
     packagePaths,
     reachabilityOptions,
     spinner,
+    target: targets[0]!,
     uploadManifests: true,
   })
 

src/commands/scan/perform-reachability-analysis.mts

@@ -33,6 +33,7 @@ export type ReachabilityAnalysisOptions = {
   reachabilityOptions: ReachabilityOptions
   repoName?: string | undefined
   spinner?: Spinner | undefined
+  target: string
   uploadManifests?: boolean | undefined
 }
 
@@ -52,9 +53,16 @@ export async function performReachabilityAnalysis(
     reachabilityOptions,
     repoName,
     spinner,
+    target,
     uploadManifests = true,
   } = { __proto__: null, ...options } as ReachabilityAnalysisOptions
 
+  // Determine the analysis target - make it relative to cwd if absolute.
+  let analysisTarget = target
+  if (path.isAbsolute(analysisTarget)) {
+    analysisTarget = path.relative(cwd, analysisTarget) || '.'
+  }
+
   // Check if user has enterprise plan for reachability analysis.
   const orgsCResult = await fetchOrganization()
   if (!orgsCResult.ok) {
@@ -137,7 +145,7 @@ export async function performReachabilityAnalysis(
   // Build Coana arguments.
   const coanaArgs = [
     'run',
-    cwd,
+    analysisTarget,
     '--output-dir',
     cwd,
     '--socket-mode',

src/commands/scan/validate-reachability-target.mts

@@ -0,0 +1,53 @@
+import { existsSync, promises as fs } from 'node:fs'
+import path from 'node:path'
+
+export type ReachabilityTargetValidation = {
+  isDirectory: boolean
+  isInsideCwd: boolean
+  isValid: boolean
+  targetExists: boolean
+}
+
+/**
+ * Validates that a target directory meets the requirements for reachability analysis.
+ *
+ * @param targets - Array of target paths to validate.
+ * @param cwd - Current working directory.
+ * @returns Validation result object with boolean flags.
+ */
+export async function validateReachabilityTarget(
+  targets: string[],
+  cwd: string,
+): Promise<ReachabilityTargetValidation> {
+  const result: ReachabilityTargetValidation = {
+    isDirectory: false,
+    isInsideCwd: false,
+    isValid: targets.length === 1,
+    targetExists: false,
+  }
+
+  if (!result.isValid || !targets[0]) {
+    return result
+  }
+
+  // Resolve cwd to absolute path to handle relative cwd values.
+  const absoluteCwd = path.resolve(cwd)
+
+  // Resolve target path to absolute for validation.
+  const targetPath = path.isAbsolute(targets[0])
+    ? targets[0]
+    : path.resolve(absoluteCwd, targets[0])
+
+  // Check if target is inside cwd.
+  const relativePath = path.relative(absoluteCwd, targetPath)
+  result.isInsideCwd =
+    !relativePath.startsWith('..') && !path.isAbsolute(relativePath)
+
+  result.targetExists = existsSync(targetPath)
+  if (result.targetExists) {
+    const targetStat = await fs.stat(targetPath)
+    result.isDirectory = targetStat.isDirectory()
+  }
+
+  return result
+}