Fix GitLab security report schema compliance + full scan alert population#182

Open
lelia wants to merge 6 commits into main from lelia/fix-gitlab-scan-issues

Conversation

@lelia
Contributor

@lelia lelia commented Apr 8, 2026

Summary

  • Fix GitLab Dependency Scanning report (gl-dependency-scanning-report.json) failing schema validation
  • Populate vulnerability data in the report when running full scans (non-diff mode)

Changes

Security report schema fixes

  • Changed start_time/end_time from datetime.utcnow().isoformat() + "Z" (includes microseconds) to strftime("%Y-%m-%dT%H:%M:%S") matching the v15.0.0 schema pattern
  • Added the required root-level dependency_files array, populated from alert manifest file locations with package manager mapping
  • Fixed datetime.utcnow() deprecation warning by switching to datetime.now(timezone.utc)

Full scan alert population

  • create_full_scan_with_report_url() now fetches SBOM data and extracts alerts into diff.new_alerts so GitLab/JSON/SARIF output formats have vulnerability data
  • Gated behind enable_gitlab_security || enable_json || enable_sarif flags - no performance impact for users not using these output formats

CLI documentation

  • Added schema version compatibility note (v15.0.0 targeting, cross-version support)
  • Added performance note for full scan alert fetching
  • Updated troubleshooting for full scan empty vulnerabilities

E2E testing

  • Consolidated all e2e CI checks into a single matrix workflow for easier troubleshooting
  • Expanded e2e test coverage to include GitLab schema checks and other output forms

Testing steps

  • Existing 116 unit tests pass (including 5 new GitLab format tests)
  • Validate with PR preview Docker image against a GitLab CI pipeline
  • Verify gl-dependency-scanning-report.json passes GitLab schema validation
  • Confirm full scan with --enable-gitlab-security produces non-empty vulnerabilities array
  • Confirm scan without output flags has no additional API calls (no performance regression)
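The two schema points in the description (seconds-precision `start_time`/`end_time` and a root-level `dependency_files` array derived from alert manifest locations) are easy to get wrong silently, because GitLab only rejects the report at pipeline time. The block below is an added example, not code from the socketsecurity project or from this PR: it builds those two pieces of a report, shows the old and new timestamp formats side by side, and checks a finished report against the constraints the PR describes. The timestamp regex, the manifest-to-package-manager table, the shape of the alert records and the vulnerability fields are all assumptions made for the example.

```python
"""Added example: GitLab Dependency Scanning report pieces the PR talks about.

Not the socketsecurity project's own code. Everything marked "assumption"
is constructed for this illustration.
"""
import re
from datetime import datetime, timezone

# Assumption: the v15.0.0 schema constrains scan.start_time / scan.end_time to
# seconds precision with no fractional part and no trailing "Z".
TIMESTAMP_PATTERN = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")

# Assumption: manifest basename -> package_manager label. Constructed table;
# the project's real mapping is not on the page.
PACKAGE_MANAGER_BY_FILE = {
    "package.json": "npm",
    "package-lock.json": "npm",
    "yarn.lock": "yarn",
    "requirements.txt": "pip",
    "Pipfile.lock": "pipenv",
    "go.mod": "go",
    "Gemfile.lock": "bundler",
}

# Constructed alert records in the shape this example expects. Two alerts hit
# the same npm package so the dependency list must de-duplicate.
SAMPLE_ALERTS = [
    {"id": "alert-1", "title": "Prototype pollution", "severity": "High",
     "manifest_file": "package.json", "package": "lodash", "version": "4.17.20"},
    {"id": "alert-2", "title": "ReDoS", "severity": "Medium",
     "manifest_file": "package.json", "package": "lodash", "version": "4.17.20"},
    {"id": "alert-3", "title": "Unsafe redirect handling", "severity": "High",
     "manifest_file": "services/api/requirements.txt", "package": "requests", "version": "2.25.0"},
]

# Timezone-aware sample times with a non-zero microsecond part, so the old
# format visibly carries the fractional seconds the schema rejects.
SAMPLE_START = datetime(2026, 4, 8, 22, 21, 5, 123456, tzinfo=timezone.utc)
SAMPLE_END = datetime(2026, 4, 8, 22, 21, 9, 654321, tzinfo=timezone.utc)


def old_timestamp(dt: datetime) -> str:
    """The format the PR replaced: isoformat() keeps microseconds, then a 'Z' is appended."""
    return dt.astimezone(timezone.utc).replace(tzinfo=None).isoformat() + "Z"


def schema_timestamp(dt: datetime) -> str:
    """The format the PR adopted: seconds precision, no zone suffix, rendered in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def timestamp_is_valid(value: str) -> bool:
    return TIMESTAMP_PATTERN.match(value) is not None


def build_dependency_files(alerts):
    """Group alerts by manifest path into the dependency_files array, one dependency per (name, version)."""
    files = {}
    for alert in alerts:
        path = alert["manifest_file"]
        manager = PACKAGE_MANAGER_BY_FILE.get(path.rsplit("/", 1)[-1], "unknown")
        entry = files.setdefault(path, {"path": path, "package_manager": manager, "dependencies": []})
        dep = {"package": {"name": alert["package"]}, "version": alert["version"]}
        if dep not in entry["dependencies"]:
            entry["dependencies"].append(dep)
    return list(files.values())


def build_report(alerts, start=None, end=None):
    """Assemble the parts of the report this example covers. Vulnerability fields are an assumption."""
    start = start or datetime.now(timezone.utc)  # not the deprecated datetime.utcnow()
    end = end or datetime.now(timezone.utc)
    vulnerabilities = [
        {"id": a["id"], "name": a["title"], "severity": a["severity"],
         "location": {"file": a["manifest_file"],
                      "dependency": {"package": {"name": a["package"]}, "version": a["version"]}}}
        for a in alerts
    ]
    return {
        "version": "15.0.0",
        "vulnerabilities": vulnerabilities,
        "dependency_files": build_dependency_files(alerts),
        "scan": {"type": "dependency_scanning", "status": "success",
                 "start_time": schema_timestamp(start), "end_time": schema_timestamp(end)},
    }


def report_problems(report) -> list:
    """Return the schema problems the PR description names; an empty list means the report passes these checks."""
    problems = []
    for key in ("start_time", "end_time"):
        if not timestamp_is_valid(report.get("scan", {}).get(key, "")):
            problems.append(f"scan.{key} does not match the timestamp pattern")
    if not isinstance(report.get("dependency_files"), list):
        problems.append("root-level dependency_files array is missing")
    return problems


if __name__ == "__main__":
    print("old:", old_timestamp(SAMPLE_START), "valid:", timestamp_is_valid(old_timestamp(SAMPLE_START)))
    print("new:", schema_timestamp(SAMPLE_START), "valid:", timestamp_is_valid(schema_timestamp(SAMPLE_START)))
    print("problems:", report_problems(build_report(SAMPLE_ALERTS, SAMPLE_START, SAMPLE_END)))
```

`report_problems` is the kind of check worth running in the e2e matrix this PR adds: it catches the two failure modes the description lists before the report ever reaches a GitLab pipeline, and it stays cheap enough to run on every scan.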

lelia added 3 commits April 8, 2026 18:13
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia requested a review from a team as a code owner April 8, 2026 22:21
@github-actions

github-actions bot commented Apr 8, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.81.dev5

Docker image: socketdev/cli:pr-182

lelia added 3 commits April 8, 2026 18:45
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia requested a review from dc-larsen April 8, 2026 23:03