Make shadow bin runs more silent

jdalton · jdalton · commit 86578bb3202c · 2025-09-03T07:52:46.000-04:00
diff --git a/src/commands/manifest/run-cdxgen.mts b/src/commands/manifest/run-cdxgen.mts
@@ -8,7 +8,10 @@ import { logger } from '@socketsecurity/registry/lib/logger'
 import constants from '../../constants.mts'
 import shadowBin from '../../shadow/npm/bin.mts'
 
-import type { ShadowBinResult } from '../../shadow/npm/bin.mts'
+import type {
+  ShadowBinOptions,
+  ShadowBinResult,
+} from '../../shadow/npm/bin.mts'
 
 const { PACKAGE_LOCK_JSON, YARN, YARN_LOCK } = constants
 
@@ -62,6 +65,15 @@ function argvToArray(argvObj: ArgvObject): string[] {
 export async function runCdxgen(argvObj: ArgvObject): Promise<ShadowBinResult> {
   let cleanupPackageLock = false
   const argvMutable = { __proto__: null, ...argvObj } as ArgvObject
+  const shadowOpts: ShadowBinOptions = {
+    ipc: {
+      [constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]: true,
+      [constants.SOCKET_CLI_SHADOW_API_TOKEN]:
+        constants.SOCKET_PUBLIC_API_TOKEN,
+      [constants.SOCKET_CLI_SHADOW_SILENT]: true,
+    },
+    stdio: 'inherit',
+  }
   if (
     argvMutable['type'] !== YARN &&
     nodejsPlatformTypes.has(argvMutable['type'] as string) &&
@@ -81,10 +93,7 @@ export async function runCdxgen(argvObj: ArgvObject): Promise<ShadowBinResult> {
             '--source-file',
             `./${YARN_LOCK}`,
           ],
-          {
-            apiToken: constants.SOCKET_PUBLIC_API_TOKEN,
-            stdio: 'inherit',
-          },
+          shadowOpts,
         )
         await synpPromise
         argvMutable['type'] = 'npm'
@@ -100,13 +109,7 @@ export async function runCdxgen(argvObj: ArgvObject): Promise<ShadowBinResult> {
       `@cyclonedx/cdxgen@${constants.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`,
       ...argvToArray(argvMutable),
     ],
-    {
-      apiToken: constants.SOCKET_PUBLIC_API_TOKEN,
-      env: {
-        [constants.SOCKET_CLI_ACCEPT_RISKS]: '1',
-      },
-      stdio: 'inherit',
-    },
+    shadowOpts,
   )
 
   shadowResult.spawnPromise.process.on('exit', () => {
diff --git a/src/constants.mts b/src/constants.mts
@@ -26,13 +26,14 @@ const {
   },
 } = registryConstants
 
-type RegistryEnv = typeof registryConstants.ENV
+export type RegistryEnv = typeof registryConstants.ENV
 
-type RegistryInternals = (typeof registryConstants)['Symbol(kInternalsSymbol)']
+export type RegistryInternals =
+  (typeof registryConstants)['Symbol(kInternalsSymbol)']
 
-type Sentry = any
+export type Sentry = any
 
-type Internals = Remap<
+export type Internals = Remap<
   Omit<RegistryInternals, 'getIpc'> &
     Readonly<{
       getIpc: {
@@ -46,7 +47,7 @@ type Internals = Remap<
     }>
 >
 
-type ENV = Remap<
+export type ENV = Remap<
   RegistryEnv &
     Readonly<{
       DISABLE_GITHUB_CACHE: boolean
@@ -89,19 +90,21 @@ type ENV = Remap<
     }>
 >
 
-type ProcessEnv = {
+export type ProcessEnv = {
   [K in keyof ENV]?: string
 }
 
-type IPC = Readonly<{
+export type IPC = Readonly<{
   SOCKET_CLI_FIX?: string | undefined
   SOCKET_CLI_OPTIMIZE?: boolean | undefined
+  SOCKET_CLI_SHADOW_ACCEPT_RISKS?: boolean | undefined
   SOCKET_CLI_SHADOW_API_TOKEN?: string | undefined
   SOCKET_CLI_SHADOW_BIN?: string | undefined
   SOCKET_CLI_SHADOW_PROGRESS?: boolean | undefined
+  SOCKET_CLI_SHADOW_SILENT?: boolean | undefined
 }>
 
-type Constants = Remap<
+export type Constants = Remap<
   Omit<typeof registryConstants, 'Symbol(kInternalsSymbol)' | 'ENV' | 'IPC'> & {
     readonly 'Symbol(kInternalsSymbol)': Internals
     readonly ALERT_TYPE_CRITICAL_CVE: 'criticalCVE'
@@ -128,9 +131,11 @@ type Constants = Remap<
     readonly SOCKET_CLI_FIX: 'SOCKET_CLI_FIX'
     readonly SOCKET_CLI_ISSUES_URL: 'https://github.com/SocketDev/socket-cli/issues'
     readonly SOCKET_CLI_OPTIMIZE: 'SOCKET_CLI_OPTIMIZE'
+    readonly SOCKET_CLI_SHADOW_ACCEPT_RISKS: 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'
     readonly SOCKET_CLI_SHADOW_API_TOKEN: 'SOCKET_CLI_SHADOW_API_TOKEN'
     readonly SOCKET_CLI_SHADOW_BIN: 'SOCKET_CLI_SHADOW_BIN'
     readonly SOCKET_CLI_SHADOW_PROGRESS: 'SOCKET_CLI_SHADOW_PROGRESS'
+    readonly SOCKET_CLI_SHADOW_SILENT: 'SOCKET_CLI_SHADOW_SILENT'
     readonly SOCKET_CLI_VIEW_ALL_RISKS: 'SOCKET_CLI_VIEW_ALL_RISKS'
     readonly SOCKET_DEFAULT_BRANCH: 'socket-default-branch'
     readonly SOCKET_DEFAULT_REPOSITORY: 'socket-default-repository'
@@ -199,9 +204,11 @@ const SOCKET_CLI_BIN_NAME = 'socket'
 const SOCKET_CLI_FIX = 'SOCKET_CLI_FIX'
 const SOCKET_CLI_ISSUES_URL = 'https://github.com/SocketDev/socket-cli/issues'
 const SOCKET_CLI_OPTIMIZE = 'SOCKET_CLI_OPTIMIZE'
+const SOCKET_CLI_SHADOW_ACCEPT_RISKS = 'SOCKET_CLI_SHADOW_ACCEPT_RISKS'
 const SOCKET_CLI_SHADOW_API_TOKEN = 'SOCKET_CLI_SHADOW_API_TOKEN'
 const SOCKET_CLI_SHADOW_BIN = 'SOCKET_CLI_SHADOW_BIN'
 const SOCKET_CLI_SHADOW_PROGRESS = 'SOCKET_CLI_SHADOW_PROGRESS'
+const SOCKET_CLI_SHADOW_SILENT = 'SOCKET_CLI_SHADOW_SILENT'
 const SOCKET_CLI_VIEW_ALL_RISKS = 'SOCKET_CLI_VIEW_ALL_RISKS'
 const SOCKET_DEFAULT_BRANCH = 'socket-default-branch'
 const SOCKET_DEFAULT_REPOSITORY = 'socket-default-repository'
@@ -639,9 +646,11 @@ const constants: Constants = createConstantsObject(
     SOCKET_CLI_FIX,
     SOCKET_CLI_ISSUES_URL,
     SOCKET_CLI_OPTIMIZE,
+    SOCKET_CLI_SHADOW_ACCEPT_RISKS,
     SOCKET_CLI_SHADOW_API_TOKEN,
     SOCKET_CLI_SHADOW_BIN,
     SOCKET_CLI_SHADOW_PROGRESS,
+    SOCKET_CLI_SHADOW_SILENT,
     SOCKET_CLI_VIEW_ALL_RISKS,
     SOCKET_DEFAULT_BRANCH,
     SOCKET_DEFAULT_REPOSITORY,
diff --git a/src/shadow/npm/arborist/lib/arborist/index.mts b/src/shadow/npm/arborist/lib/arborist/index.mts
@@ -1,6 +1,7 @@
 // @ts-ignore
 import UntypedArborist from '@npmcli/arborist/lib/arborist/index.js'
 
+import { debugDir } from '@socketsecurity/registry/lib/debug'
 import { logger } from '@socketsecurity/registry/lib/logger'
 
 import constants from '../../../../../constants.mts'
@@ -14,11 +15,6 @@ import type {
 } from '../../types.mts'
 
 const {
-  SOCKET_CLI_ACCEPT_RISKS,
-  SOCKET_CLI_SHADOW_API_TOKEN,
-  SOCKET_CLI_SHADOW_BIN,
-  SOCKET_CLI_SHADOW_PROGRESS,
-  SOCKET_CLI_VIEW_ALL_RISKS,
   kInternalsSymbol,
   [kInternalsSymbol as unknown as 'Symbol(kInternalsSymbol)']: { getIpc },
 } = constants
@@ -96,11 +92,15 @@ export class SafeArborist extends Arborist {
       __proto__: null,
       ...(args.length ? args[0] : undefined),
     } as ArboristReifyOptions
+
     const ipc = await getIpc()
-    const binName = ipc[SOCKET_CLI_SHADOW_BIN]
+    debugDir('inspect', { ipc })
+
+    const binName = ipc[constants.SOCKET_CLI_SHADOW_BIN]
     if (!binName) {
       return await this[kRiskyReify](...args)
     }
+
     await super.reify(
       {
         ...options,
@@ -110,13 +110,19 @@ export class SafeArborist extends Arborist {
       // @ts-ignore: TypeScript gets grumpy about rest parameters.
       ...args.slice(1),
     )
-    const acceptRisks = constants.ENV.SOCKET_CLI_ACCEPT_RISKS
-    const progress = ipc[SOCKET_CLI_SHADOW_PROGRESS]
-    const spinner =
-      options['silent'] || !progress ? undefined : constants.spinner
+
+    const shadowAcceptRisks = ipc[constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]
+    const shadowProgress = ipc[constants.SOCKET_CLI_SHADOW_PROGRESS]
+    const shadowSilent = ipc[constants.SOCKET_CLI_SHADOW_SILENT]
+
+    const acceptRisks =
+      shadowAcceptRisks || constants.ENV.SOCKET_CLI_ACCEPT_RISKS
+    const silent = !!options['silent']
+    const spinner = silent || !shadowProgress ? undefined : constants.spinner
     const isShadowNpx = binName === 'npx'
+
     const alertsMap = await getAlertsMapFromArborist(this, {
-      apiToken: ipc[SOCKET_CLI_SHADOW_API_TOKEN],
+      apiToken: ipc[constants.SOCKET_CLI_SHADOW_API_TOKEN],
       spinner,
       filter:
         acceptRisks || options.dryRun || options['yes']
@@ -130,6 +136,7 @@ export class SafeArborist extends Arborist {
               existing: isShadowNpx,
             },
     })
+
     if (alertsMap.size) {
       process.exitCode = 1
       const viewAllRisks = constants.ENV.SOCKET_CLI_VIEW_ALL_RISKS
@@ -142,22 +149,23 @@ export class SafeArborist extends Arborist {
           Socket ${binName} exiting due to risks.${
             viewAllRisks
               ? ''
-              : `\nView all risks - Rerun with environment variable ${SOCKET_CLI_VIEW_ALL_RISKS}=1.`
+              : `\nView all risks - Rerun with environment variable ${constants.SOCKET_CLI_VIEW_ALL_RISKS}=1.`
           }${
             acceptRisks
               ? ''
-              : `\nAccept risks - Rerun with environment variable ${SOCKET_CLI_ACCEPT_RISKS}=1.`
+              : `\nAccept risks - Rerun with environment variable ${constants.SOCKET_CLI_ACCEPT_RISKS}=1.`
           }
         `.trim(),
       )
-    } else if (!options['silent']) {
+    } else if (!silent && !shadowSilent) {
       logger.success(
         `Socket ${binName} ${acceptRisks ? 'accepted' : 'found no'} risks`,
       )
       if (isShadowNpx) {
         logger.log(`Running ${options.add![0]}`)
       }
     }
+
     return await this[kRiskyReify](...args)
   }
 }
diff --git a/src/shadow/npm/bin.mts b/src/shadow/npm/bin.mts
@@ -12,14 +12,15 @@ import constants from '../../constants.mts'
 import { cmdFlagsToString } from '../../utils/cmd.mts'
 import { getPublicApiToken } from '../../utils/sdk.mts'
 
+import type { IPC } from '../../constants.mts'
 import type {
   SpawnExtra,
   SpawnOptions,
   SpawnResult,
 } from '@socketsecurity/registry/lib/spawn'
 
 export type ShadowBinOptions = SpawnOptions & {
-  apiToken?: string | undefined
+  ipc?: IPC | undefined
 }
 
 export type ShadowBinResult = {
@@ -33,8 +34,8 @@ export default async function shadowBin(
   extra?: SpawnExtra | undefined,
 ): Promise<ShadowBinResult> {
   const {
-    apiToken = getPublicApiToken(),
     env: spawnEnv,
+    ipc,
     ...spawnOpts
   } = { __proto__: null, ...options } as ShadowBinOptions
   const isShadowNpm = binName === 'npm'
@@ -119,9 +120,10 @@ export default async function shadowBin(
 
   spawnPromise.process.send({
     [constants.SOCKET_IPC_HANDSHAKE]: {
-      [constants.SOCKET_CLI_SHADOW_API_TOKEN]: apiToken,
+      [constants.SOCKET_CLI_SHADOW_API_TOKEN]: getPublicApiToken(),
       [constants.SOCKET_CLI_SHADOW_BIN]: binName,
       [constants.SOCKET_CLI_SHADOW_PROGRESS]: progressArg,
+      ...ipc,
     },
   })
 
diff --git a/src/utils/alert/artifact.mts b/src/utils/alert/artifact.mts
@@ -7,7 +7,7 @@ import type {
   CompactSocketArtifact,
   CompactSocketArtifactAlert,
   SocketArtifact,
-  SocketArtifactAlert
+  SocketArtifactAlert,
 } from '@socketsecurity/sdk'
 
 export type {
@@ -16,7 +16,7 @@ export type {
   CompactSocketArtifact,
   CompactSocketArtifactAlert,
   SocketArtifact,
-  SocketArtifactAlert
+  SocketArtifactAlert,
 }
 
 export type CVE_ALERT_TYPE = 'cve' | 'mediumCVE' | 'mildCVE' | 'criticalCVE'
diff --git a/src/utils/coana.mts b/src/utils/coana.mts
@@ -5,11 +5,9 @@ import constants from '../constants.mts'
 import { getDefaultApiToken } from './sdk.mts'
 import shadowBin from '../shadow/npm/bin.mts'
 
+import type { ShadowBinOptions } from '../shadow/npm/bin.mts'
 import type { CResult } from '../types.mts'
-import type {
-  SpawnExtra,
-  SpawnOptions,
-} from '@socketsecurity/registry/lib/spawn'
+import type { SpawnExtra } from '@socketsecurity/registry/lib/spawn'
 
 export function extractTier1ReachabilityScanId(
   socketFactsFile: string,
@@ -26,13 +24,17 @@ export function extractTier1ReachabilityScanId(
 export async function spawnCoana(
   args: string[] | readonly string[],
   orgSlug?: string,
-  options?: SpawnOptions | undefined,
+  options?: ShadowBinOptions | undefined,
   extra?: SpawnExtra | undefined,
 ): Promise<CResult<string>> {
-  const { env: spawnEnv, ...spawnOpts } = {
+  const {
+    env: spawnEnv,
+    ipc,
+    ...spawnOpts
+  } = {
     __proto__: null,
     ...options,
-  } as SpawnOptions
+  } as ShadowBinOptions
   const mixinsEnv: Record<string, string> = {
     SOCKET_CLI_VERSION: constants.ENV.INLINED_SOCKET_CLI_VERSION,
   }
@@ -60,11 +62,16 @@ export async function spawnCoana(
       ],
       {
         ...spawnOpts,
-        apiToken: constants.SOCKET_PUBLIC_API_TOKEN,
         env: {
           ...mixinsEnv,
           ...spawnEnv,
-          [constants.SOCKET_CLI_ACCEPT_RISKS]: '1',
+        },
+        ipc: {
+          [constants.SOCKET_CLI_SHADOW_ACCEPT_RISKS]: true,
+          [constants.SOCKET_CLI_SHADOW_API_TOKEN]:
+            constants.SOCKET_PUBLIC_API_TOKEN,
+          [constants.SOCKET_CLI_SHADOW_SILENT]: true,
+          ...ipc,
         },
       },
       extra,
