Skip to content

Commit 32446f9

Browse files
authored
refactor(reachability): use full names instead of "tier 1/2/3" + bump Coana CLI to 15.5.7 (#1376)
* refactor(reachability): use descriptive names instead of tier 1/2/3 Refer to the reachability analysis types by descriptive names in all user-facing text (command/flag help, output, error messages, log messages, comments, and docs): - Full application reachability (formerly Tier 1) - Precomputed reachability (formerly Tier 2) - Dependency reachability (formerly Tier 3) Backend wire contracts are unchanged: the scan_type value, the tier1-reachability-scan/finalize endpoint, request/response field names, and code identifiers retain their existing names. Only human-readable text is updated. A new Reachability analysis section in the README documents the names and notes the previous Tier 1/2/3 naming for users migrating. * refactor(reachability): apply descriptive names to merged changes and update tests Rename the 'tier 1' wording introduced by the --reach-retain-facts-file flag (merged from v1.x) to 'full application reachability', and update the reachability test snapshots and assertions to match the descriptive naming. * chore(deps): bump @coana-tech/cli to 15.5.7 (1.1.126) Pin @coana-tech/cli to the latest published 15.5.7 and bump the CLI patch version with a matching changelog entry. * docs: drop redundant tier-naming note from README The 'formerly Tier 1/2/3' mapping is already inline on each reachability type, so the trailing note is redundant.
1 parent 65ac25b commit 32446f9

17 files changed

Lines changed: 74 additions & 55 deletions

CHANGELOG.md

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
44

55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
66

7+
## [1.1.126](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.126) - 2026-06-22
8+
9+
### Changed
10+
- Reachability analysis types are now referred to by descriptive names in command help, output, and docs: Full application reachability (formerly Tier 1), Precomputed reachability (formerly Tier 2), and Dependency reachability (formerly Tier 3).
11+
- Updated the Coana CLI to v `15.5.7`.
12+
713
## [1.1.125](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.125) - 2026-06-22
814

915
### Added
@@ -14,7 +20,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
1420

1521
## [1.1.124](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.124) - 2026-06-19
1622

17-
- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh tier 1 reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
23+
- `socket scan create --reach` accepts a new `--reach-retain-facts-file` flag. By default the CLI deletes the `.socket.facts.json` reachability report from the scan directory after a successful scan; pass this flag to keep it (e.g. for inspection or debugging). **Important:** you must delete the retained `.socket.facts.json` before running a fresh full application reachability scan — a stale file left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
1824

1925
### Changed
2026
- Updated the Coana CLI to v `15.5.4`.

README.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,14 @@ All aliases support the flags and arguments of the commands they alias.
6060

6161
- `socket ci` - Alias for `socket scan create --report` (creates report and exits with error if unhealthy)
6262

63+
## Reachability analysis
64+
65+
Socket reachability analysis comes in three forms:
66+
67+
- **Full application reachability** (formerly Tier 1): Analyzes your application together with its dependencies to determine whether vulnerable code is actually invoked from your code through the full dependency graph — the highest-precision reachability analysis. Run it with `socket scan create --reach`.
68+
- **Precomputed reachability** (formerly Tier 2): Determines whether vulnerable code in transitive dependencies is reachable through your direct dependencies, using precomputed static analysis of dependency chains (no access to your application code required). In the CLI this is the fallback used when full application reachability cannot complete (see the `--reach-continue-on-*` flags).
69+
- **Dependency reachability** (formerly Tier 3): Package-level filtering that detects which dependencies are actually used, so CVEs in unused/dead dependencies can be filtered out.
70+
6371
## Flags
6472

6573
### Output flags

package.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "socket",
3-
"version": "1.1.125",
3+
"version": "1.1.126",
44
"description": "CLI for Socket.dev",
55
"homepage": "https://github.com/SocketDev/socket-cli",
66
"license": "MIT",
@@ -96,7 +96,7 @@
9696
"@babel/preset-typescript": "7.27.1",
9797
"@babel/runtime": "7.28.4",
9898
"@biomejs/biome": "2.2.4",
99-
"@coana-tech/cli": "15.5.5",
99+
"@coana-tech/cli": "15.5.7",
100100
"@cyclonedx/cdxgen": "12.1.2",
101101
"@dotenvx/dotenvx": "1.49.0",
102102
"@eslint/compat": "1.3.2",

pnpm-lock.yaml

Lines changed: 5 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

src/commands/scan/cmd-scan-create.mts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -116,7 +116,7 @@ const generalFlags: MeowFlags = {
116116
reach: {
117117
type: 'boolean',
118118
default: false,
119-
description: 'Run tier 1 full application reachability analysis',
119+
description: 'Run full application reachability analysis',
120120
},
121121
readOnly: {
122122
type: 'boolean',

src/commands/scan/cmd-scan-create.test.mts

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -40,13 +40,13 @@ describe('socket scan create', async () => {
4040
--committers Committers
4141
--cwd working directory, defaults to process.cwd()
4242
--default-branch Set the default branch of the repository to the branch of this full-scan. Should only need to be done once, for example for the "main" or "master" branch.
43-
--exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`<cwd>/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
43+
--exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) full application reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`<cwd>/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
4444
--interactive Allow for interactive elements, asking for input. Use --no-interactive to prevent any input questions, defaulting them to cancel/no.
4545
--json Output as JSON
4646
--markdown Output as Markdown
4747
--org Force override the organization slug, overrides the default org from config
4848
--pull-request Pull request number
49-
--reach Run tier 1 full application reachability analysis
49+
--reach Run full application reachability analysis
5050
--read-only Similar to --dry-run except it can read from remote, stops before it would create an actual report
5151
--repo Repository name
5252
--report Wait for the scan creation to complete, then basically run \`socket scan report\` on it
@@ -59,8 +59,8 @@ describe('socket scan create', async () => {
5959
--reach-analysis-memory-limit The maximum memory for the reachability analysis as a whole number optionally followed by MB or GB (e.g. 512MB, 8GB). The default is 8GB.
6060
--reach-analysis-timeout Set the timeout for the reachability analysis as a whole number optionally followed by s, m or h (e.g. 90s, 10m, 1h). Defaults to 10m. Split analysis runs may cause the total scan time to exceed this timeout significantly.
6161
--reach-concurrency Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available.
62-
--reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) results. By default, the CLI halts on analysis errors.
63-
--reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed (Tier 2) results. By default, the CLI halts on installation errors.
62+
--reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed reachability results. By default, the CLI halts on analysis errors.
63+
--reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed reachability results. By default, the CLI halts on installation errors.
6464
--reach-continue-on-missing-lock-files Continue reachability analysis when a Gradle or SBT project is missing its lock file (or version catalog / pre-generated SBOM). By default, the CLI halts.
6565
--reach-continue-on-no-source-files Continue reachability analysis when a workspace contains no source files for its ecosystem. By default, the CLI halts.
6666
--reach-debug Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
@@ -69,7 +69,7 @@ describe('socket scan create', async () => {
6969
--reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
7070
--reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
7171
--reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
72-
--reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
72+
--reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh full application reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
7373
--reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
7474
--reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
7575
--reach-version Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.

src/commands/scan/cmd-scan-reach.mts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ import type {
3131

3232
export const CMD_NAME = 'reach'
3333

34-
const description = 'Compute tier 1 reachability'
34+
const description = 'Compute full application reachability'
3535

3636
const hidden = true
3737

src/commands/scan/cmd-scan-reach.test.mts

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ describe('socket scan reach', async () => {
2020
async cmd => {
2121
const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
2222
expect(stdout).toMatchInlineSnapshot(`
23-
"Compute tier 1 reachability
23+
"Compute full application reachability
2424
2525
Usage
2626
$ socket scan reach [options] [CWD=.]
@@ -37,12 +37,12 @@ describe('socket scan reach', async () => {
3737
--output Path to write the reachability report to (must end with .json). Defaults to .socket.facts.json in the current working directory.
3838
3939
Reachability Options
40-
--exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) Tier 1 reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`<cwd>/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
40+
--exclude-paths List of glob patterns to exclude from the scan, including SCA/SBOM manifest discovery and (when --reach is enabled) full application reachability analysis. Patterns are anchored micromatch globs matched relative to the Socket scan root, which is the command working directory (\`--cwd\` if set), not the reachability target: \`tests\` matches only \`<cwd>/tests\`; use \`**/tests\` to match at any depth. Negation patterns (\`!path\`) are not supported. Accepts a comma-separated value or multiple flags.
4141
--reach-analysis-memory-limit The maximum memory for the reachability analysis as a whole number optionally followed by MB or GB (e.g. 512MB, 8GB). The default is 8GB.
4242
--reach-analysis-timeout Set the timeout for the reachability analysis as a whole number optionally followed by s, m or h (e.g. 90s, 10m, 1h). Defaults to 10m. Split analysis runs may cause the total scan time to exceed this timeout significantly.
4343
--reach-concurrency Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available.
44-
--reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed (Tier 2) results. By default, the CLI halts on analysis errors.
45-
--reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed (Tier 2) results. By default, the CLI halts on installation errors.
44+
--reach-continue-on-analysis-errors Continue reachability analysis when errors occur (timeouts, OOM, parse errors, etc.), falling back to precomputed reachability results. By default, the CLI halts on analysis errors.
45+
--reach-continue-on-install-errors Continue reachability analysis when package installation fails, falling back to precomputed reachability results. By default, the CLI halts on installation errors.
4646
--reach-continue-on-missing-lock-files Continue reachability analysis when a Gradle or SBT project is missing its lock file (or version catalog / pre-generated SBOM). By default, the CLI halts.
4747
--reach-continue-on-no-source-files Continue reachability analysis when a workspace contains no source files for its ecosystem. By default, the CLI halts.
4848
--reach-debug Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
@@ -51,7 +51,7 @@ describe('socket scan reach', async () => {
5151
--reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
5252
--reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
5353
--reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
54-
--reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh tier 1 reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
54+
--reach-retain-facts-file Keep the \`.socket.facts.json\` reachability report that the analysis writes to the scan directory instead of deleting it after a successful scan. IMPORTANT: you must delete this file before running a fresh full application reachability scan. A stale \`.socket.facts.json\` left in place is picked up as a pre-generated input and silently overrides fresh analysis, so the new scan results will not be reliable.
5555
--reach-skip-cache Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
5656
--reach-use-only-pregenerated-sboms When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
5757
--reach-version Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.
@@ -1143,7 +1143,7 @@ describe('socket scan reach', async () => {
11431143
expect(output.length).toBeGreaterThan(0)
11441144
},
11451145
// Non-dry-run invocation actually starts Coana, which under v15
1146-
// performs more upfront work (tier1 scan registration, legacy-mode
1146+
// performs more upfront work (full application reachability scan registration, legacy-mode
11471147
// resolution) before failing on the bad memory limit. The default
11481148
// 30s cmdit timeout is too tight for that path on slower CI runners.
11491149
{ timeout: 60_000 },
@@ -1185,7 +1185,7 @@ describe('socket scan reach', async () => {
11851185
'should prioritize help over other flags',
11861186
async cmd => {
11871187
const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
1188-
expect(stdout).toContain('Compute tier 1 reachability')
1188+
expect(stdout).toContain('Compute full application reachability')
11891189
expect(code).toBe(0)
11901190
},
11911191
)

src/commands/scan/finalize-tier1-scan.mts

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,11 +8,13 @@ export type FinalizeTier1ScanOptions = {
88
}
99

1010
/**
11-
* Finalize a tier1 reachability scan.
12-
* - Associates the tier1 reachability scan metadata with the full scan
11+
* Finalize a full application reachability scan (formerly known as "tier 1";
12+
* the wire endpoint and request fields below retain the legacy tier1 name as
13+
* a backend contract).
14+
* - Associates the reachability scan metadata with the full scan
1315
* (or with `null` when called from a standalone reachability flow that
1416
* has no full scan to bind to).
15-
* - Transitions the tier1 reachability scan to its DONE terminal state.
17+
* - Transitions the reachability scan to its DONE terminal state.
1618
*/
1719
export async function finalizeTier1Scan(
1820
tier1ReachabilityScanId: string,

0 commit comments

Comments
 (0)