Add flag --reach-use-only-pregenerated-sboms (#969)

* add flag --reach-use-only-pregenerated-sboms

* prepare for 1.1.45

* update @coana-tech/cli to 14.12.122

Author: mtorp

CHANGELOG.md

@@ -3,6 +3,15 @@
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [1.1.45](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.43) - 2025-12-10
+
+### Changed
+- Updated the Coana CLI to v `14.12.122`.
+
+### Added
+- Added `--reach-use-only-pregenerated-sboms` to run the Tier 1 reachability based only on pre-computed CDX and SPDX SBOMs (all other manifests are excluded).
+
 ## [1.1.44](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.43) - 2025-12-09
 
 ### Changed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.44",
+  "version": "1.1.45",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -94,7 +94,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "14.12.118",
+    "@coana-tech/cli": "14.12.122",
     "@cyclonedx/cdxgen": "11.11.0",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

pnpm-lock.yaml

@@ -60,6 +60,7 @@ export async function handleCi(autoManifest: boolean): Promise<void> {
       reachEcosystems: [],
       reachExcludePaths: [],
       reachSkipCache: false,
+      reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
       runReachabilityAnalysis: false,
     },

src/commands/ci/handle-ci.mts

@@ -244,6 +244,7 @@ async function run(
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache,
+    reachUseOnlyPregeneratedSboms,
     reachVersion,
     readOnly,
     reportLevel,
@@ -273,6 +274,7 @@ async function run(
     reachDisableAnalysisSplitting: boolean
     reachDisableAnalytics: boolean
     reachSkipCache: boolean
+    reachUseOnlyPregeneratedSboms: boolean
     reachVersion: string | undefined
   }
 
@@ -458,7 +460,8 @@ async function run(
     isUsingNonDefaultTimeout ||
     isUsingNonDefaultVersion ||
     reachDisableAnalysisSplitting ||
-    reachSkipCache
+    reachSkipCache ||
+    reachUseOnlyPregeneratedSboms
 
   // Validate target constraints when --reach is enabled.
   const reachTargetValidation = reach
@@ -573,6 +576,7 @@ async function run(
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache),
+      reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion,
       runReachabilityAnalysis: Boolean(reach),
     },

src/commands/scan/cmd-scan-create.mts

@@ -63,6 +63,7 @@ describe('socket scan create', async () => {
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
             --reach-skip-cache  Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
+            --reach-use-only-pregenerated-sboms  When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
             --reach-version     Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.
 
           Uploads the specified dependency manifest files for Go, Gradle, JavaScript,

src/commands/scan/cmd-scan-create.test.mts

@@ -128,6 +128,7 @@ async function run(
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache,
+    reachUseOnlyPregeneratedSboms,
     reachVersion,
   } = cli.flags as {
     cwd: string
@@ -143,6 +144,7 @@ async function run(
     reachDisableAnalysisSplitting: boolean
     reachDisableAnalytics: boolean
     reachSkipCache: boolean
+    reachUseOnlyPregeneratedSboms: boolean
     reachVersion: string | undefined
   }
 
@@ -263,6 +265,7 @@ async function run(
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache),
+      reachUseOnlyPregeneratedSboms: Boolean(reachUseOnlyPregeneratedSboms),
       reachVersion,
     },
     targets,

src/commands/scan/cmd-scan-reach.mts

@@ -46,6 +46,7 @@ describe('socket scan reach', async () => {
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
             --reach-skip-cache  Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
+            --reach-use-only-pregenerated-sboms  When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
             --reach-version     Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.
 
           Runs the Socket reachability analysis without creating a scan in Socket.

src/commands/scan/cmd-scan-reach.test.mts

@@ -258,6 +258,7 @@ async function scanOneRepo(
       reachEcosystems: [],
       reachExcludePaths: [],
       reachSkipCache: false,
+      reachUseOnlyPregeneratedSboms: false,
       reachVersion: undefined,
       runReachabilityAnalysis: false,
     },

src/commands/scan/create-scan-from-github.mts

@@ -1,5 +1,7 @@
 import path from 'node:path'
 
+import micromatch from 'micromatch'
+
 import { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'
 import { logger } from '@socketsecurity/registry/lib/logger'
 import { pluralize } from '@socketsecurity/registry/lib/words'
@@ -22,6 +24,41 @@ import type { ReachabilityOptions } from './perform-reachability-analysis.mts'
 import type { REPORT_LEVEL } from './types.mts'
 import type { OutputKind } from '../../types.mts'
 import type { Remap } from '@socketsecurity/registry/lib/objects'
+import type { SocketSdkSuccessResult } from '@socketsecurity/sdk'
+
+// Keys for CDX and SPDX in the supported files response.
+const CDX_SPDX_KEYS = ['cdx', 'spdx']
+
+function getCdxSpdxPatterns(
+  supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],
+): string[] {
+  const patterns: string[] = []
+  for (const key of CDX_SPDX_KEYS) {
+    const supported = supportedFiles[key]
+    if (supported) {
+      for (const entry of Object.values(supported)) {
+        patterns.push(`**/${entry.pattern}`)
+      }
+    }
+  }
+  return patterns
+}
+
+function filterToCdxSpdxAndFactsFiles(
+  filepaths: string[],
+  supportedFiles: SocketSdkSuccessResult<'getReportSupportedFiles'>['data'],
+): string[] {
+  const patterns = getCdxSpdxPatterns(supportedFiles)
+  return filepaths.filter(filepath => {
+    const basename = path.basename(filepath).toLowerCase()
+    // Include .socket.facts.json files.
+    if (basename === constants.DOT_SOCKET_DOT_FACTS_JSON) {
+      return true
+    }
+    // Include CDX and SPDX files.
+    return micromatch.some(filepath, patterns)
+  })
+}
 
 export type HandleCreateNewScanConfig = {
   autoManifest: boolean
@@ -187,14 +224,20 @@ export async function handleCreateNewScan({
 
     const reachabilityReport = reachResult.data?.reachabilityReport
 
+    // Ensure the .socket.facts.json isn't duplicated in case it happened
+    // to be in the scan folder before the analysis was run.
+    const filteredPackagePaths = packagePaths.filter(
+      p =>
+        path.basename(p).toLowerCase() !== constants.DOT_SOCKET_DOT_FACTS_JSON,
+    )
+
+    // When using pregenerated SBOMs only, filter to CDX/SPDX files.
+    const pathsForScan = reach.reachUseOnlyPregeneratedSboms
+      ? filterToCdxSpdxAndFactsFiles(filteredPackagePaths, supportedFiles)
+      : filteredPackagePaths
+
     scanPaths = [
-      ...packagePaths.filter(
-        // Ensure the .socket.facts.json isn't duplicated in case it happened
-        // to be in the scan folder before the analysis was run.
-        p =>
-          path.basename(p).toLowerCase() !==
-          constants.DOT_SOCKET_DOT_FACTS_JSON,
-      ),
+      ...pathsForScan,
       ...(reachabilityReport ? [reachabilityReport] : []),
     ]