SocketDev
diff --git a/‎.github/workflows/python-tests.yml‎
Lines changed: 50 additions & 0 deletions b/‎.github/workflows/python-tests.yml‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎.github/workflows/smoke-test.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/smoke-test.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 3 additions & 2 deletions b/‎Dockerfile‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 8 additions & 7 deletions b/‎README.md‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎app_tests/Dockerfile‎
Lines changed: 9 additions & 3 deletions b/‎app_tests/Dockerfile‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎docs/github-action.md‎
Lines changed: 20 additions & 20 deletions b/‎docs/github-action.md‎
Lines changed: 20 additions & 20 deletions
@@ -0,0 +1,50 @@
+name: python-tests
+
+env:
+  PYTHON_VERSION: "3.12"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "socket_basics/**/*.py"
+      - "tests/**/*.py"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/python-tests.yml"
+  pull_request:
+    paths:
+      - "socket_basics/**/*.py"
+      - "tests/**/*.py"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/python-tests.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: python-tests-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  python-tests:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+      - name: 🐍 setup python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "pip"
+      - name: 🛠️ install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+      - name: 🧪 run tests
+        run: pytest -q tests/
@@ -0,0 +1,36 @@
+name: smoke-test
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'Dockerfile'
+      - 'scripts/smoke-test-docker.sh'
+      - '.github/workflows/smoke-test.yml'
+  pull_request:
+    paths:
+      - 'Dockerfile'
+      - 'scripts/smoke-test-docker.sh'
+      - '.github/workflows/smoke-test.yml'
+  schedule:
+    - cron: '0 */12 * * *' # every 12 hours
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: smoke-test-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  smoke-test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      DOCKER_BUILDKIT: "1"
+      SMOKE_TEST_BUILD_PROGRESS: plain
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: 🐳 smoke test
+        run: bash ./scripts/smoke-test-docker.sh --image-tag socket-basics:smoke-test
@@ -23,11 +23,12 @@ ARG TRIVY_VERSION=v0.69.2
 RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"
 
 # Install Trufflehog
-ARG TRUFFLEHOG_VERSION=v3.93.3
+ARG TRUFFLEHOG_VERSION=v3.93.6
 RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "${TRUFFLEHOG_VERSION}"
 
 # Install OpenGrep (connector/runtime dependency)
-RUN curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
+ARG OPENGREP_VERSION=v1.16.2
+RUN curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash -s -- -v "${OPENGREP_VERSION}"
 
 # Copy the specific files needed for the project
 COPY socket_basics /socket-basics/socket_basics
 
@@ -33,7 +33,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Run Socket Basics
-        uses: SocketDev/socket-basics@1.1.1
+        uses: SocketDev/socket-basics@1.1.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -144,23 +144,24 @@ For GitHub Actions, see the [Quick Start](#-quick-start---github-actions) above
 
 ```bash
 # Build with version tag
-docker build -t socketdev/socket-basics:1.1.1 .
+docker build -t socketdev/socket-basics:1.1.3 .
 
 # Run scan
-docker run --rm -v "$PWD:/workspace" socketdev/socket-basics:1.1.1 \
+docker run --rm -v "$PWD:/workspace" socketdev/socket-basics:1.1.3 \
   --workspace /workspace \
   --python-sast-enabled \
   --secret-scanning-enabled \
   --console-tabular-enabled
 ```
 
-Tip: If you need specific Trivy or TruffleHog versions, you can override them at build time:
+Tip: If you need specific Trivy, TruffleHog, or OpenGrep versions, you can override them at build time:
 
 ```bash
 docker build \
-  --build-arg TRIVY_VERSION=v0.67.2 \
-  --build-arg TRUFFLEHOG_VERSION=v3.93.3 \
-  -t socketdev/socket-basics:1.1.1 .
+  --build-arg TRIVY_VERSION=v0.69.2 \
+  --build-arg TRUFFLEHOG_VERSION=v3.93.6 \
+  --build-arg OPENGREP_VERSION=v1.16.2 \
+  -t socketdev/socket-basics:1.1.3 .
 ```
 
 📖 **[View Docker Installation Guide](docs/local-install-docker.md)**
 
@@ -23,10 +23,16 @@ RUN apt-get update && \
 RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh  | sh -s -- -b /usr/local/bin v2.21.4
 
 # Install Trivy
-RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3
+ARG TRIVY_VERSION=v0.69.2
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"
 
 # Install Trufflehog
-RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+ARG TRUFFLEHOG_VERSION=v3.93.6
+RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "${TRUFFLEHOG_VERSION}"
+
+# Install OpenGrep (connector/runtime dependency)
+ARG OPENGREP_VERSION=v1.16.2
+RUN curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash -s -- -v "${OPENGREP_VERSION}"
 
 # Install Bandit using uv as a tool
 RUN uv tool install bandit
@@ -50,7 +56,7 @@ COPY pyproject.toml uv.lock /scripts/
 # Install Python dependencies using uv
 WORKDIR /scripts
 RUN uv sync --frozen && uv pip install light-s3-client
-ENV PATH="/scripts/.venv/bin:$PATH"
+ENV PATH="/scripts/.venv/bin:/root/.opengrep/cli/latest:$PATH"
 
 # Define entrypoint
 ENTRYPOINT ["/socket-security-tools/entrypoint.sh"]
 
@@ -42,7 +42,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Run Socket Basics
-        uses: SocketDev/socket-basics@1.1.1
+        uses: SocketDev/socket-basics@1.1.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -77,7 +77,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **SAST (Static Analysis):**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     # Enable SAST for specific languages
@@ -91,7 +91,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **Secret Scanning:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     secret_scanning_enabled: 'true'
@@ -103,7 +103,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **Container Scanning:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     # Scan Docker images (auto-enables container scanning)
@@ -114,7 +114,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **Socket Tier 1 Reachability:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_tier_1_enabled: 'true'
@@ -123,7 +123,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 ### Output Configuration
 
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     python_sast_enabled: 'true'
@@ -159,7 +159,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev
 
 **Enable in workflow:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   env:
     GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
   with:
@@ -171,7 +171,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev
 
 > **Note:** You can also pass credentials using environment variables instead of the `with:` section:
 > ```yaml
-> - uses: SocketDev/socket-basics@1.1.1
+> - uses: SocketDev/socket-basics@1.1.3
 >   env:
 >     SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 >   with:
@@ -189,7 +189,7 @@ All notification integrations require Socket Enterprise.
 
 **Slack Notifications:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -201,7 +201,7 @@ All notification integrations require Socket Enterprise.
 
 **Jira Issue Creation:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -216,7 +216,7 @@ All notification integrations require Socket Enterprise.
 
 **Microsoft Teams:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -228,7 +228,7 @@ All notification integrations require Socket Enterprise.
 
 **Generic Webhook:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -240,7 +240,7 @@ All notification integrations require Socket Enterprise.
 
 **SIEM Integration:**
 ```yaml
-- uses: SocketDev/socket-basics@1.1.1
+- uses: SocketDev/socket-basics@1.1.3
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -276,7 +276,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       
       - name: Run Socket Basics
-        uses: SocketDev/socket-basics@1.1.1
+        uses: SocketDev/socket-basics@1.1.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -322,7 +322,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       
       - name: Run Full Security Scan
-        uses: SocketDev/socket-basics@1.1.1
+        uses: SocketDev/socket-basics@1.1.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -373,10 +373,10 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       
       - name: Build Docker Image
-        run: docker build -t myapp:1.1.1:${{ github.sha }} .
+        run: docker build -t myapp:1.1.3:${{ github.sha }} .
       
       - name: Scan Container
-        uses: SocketDev/socket-basics@1.1.1
+        uses: SocketDev/socket-basics@1.1.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -439,7 +439,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run Socket Basics
-        uses: SocketDev/socket-basics@1.1.1
+        uses: SocketDev/socket-basics@1.1.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -491,7 +491,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       
       - name: Run Socket Basics
-        uses: SocketDev/socket-basics@1.1.1
+        uses: SocketDev/socket-basics@1.1.3
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -584,7 +584,7 @@ env:
 ```yaml
 steps:
   - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - Must be first
-  - uses: SocketDev/socket-basics@1.1.1
+  - uses: SocketDev/socket-basics@1.1.3
 ```
 
 ### PR Comments Not Appearing