Add --workspace flag for full scan association

Signed-off-by: lelia <lelia@socket.dev>

Author: lelia

packages/cli/src/commands/scan/cmd-scan-create.mts

@@ -74,6 +74,7 @@ interface ScanCreateFlags {
   reportLevel: REPORT_LEVEL
   setAsAlertsPage: boolean
   tmp: boolean
+  workspace: string
 }
 
 export const CMD_NAME = 'create'
@@ -165,6 +166,12 @@ const generalFlags: MeowFlags = {
     shortFlag: 'r',
     description: 'Repository name',
   },
+  workspace: {
+    type: 'string',
+    default: '',
+    description:
+      'The workspace in the Socket Organization that the repository is in to associate with the full scan.',
+  },
   report: {
     type: 'boolean',
     description:
@@ -319,6 +326,7 @@ async function run(
     branch: branchName,
     repo: repoName,
     report,
+    workspace,
   } = cli.flags as unknown as ScanCreateFlags
 
   let { 0: orgSlug } = await determineOrgSlug(
@@ -363,6 +371,10 @@ async function run(
       repoName = await getRepoName(cwd)
     }
   }
+  if (!workspace && sockJson.defaults?.scan?.create?.workspace) {
+    workspace = sockJson.defaults.scan.create.workspace
+    logger.info(`Using default --workspace from ${SOCKET_JSON}:`, workspace)
+  }
   if (typeof report !== 'boolean') {
     if (sockJson.defaults?.scan?.create?.report !== undefined) {
       report = sockJson.defaults.scan.create.report
@@ -639,5 +651,6 @@ async function run(
     reportLevel,
     targets,
     tmp: Boolean(tmp),
+    workspace: (workspace && String(workspace)) || '',
   })
 }

packages/cli/src/commands/scan/fetch-create-org-full-scan.mts

@@ -14,6 +14,7 @@ export type FetchCreateOrgFullScanConfigs = {
   pullRequest: number
   repoName: string
   scanType: string | undefined
+  workspace?: string | undefined
 }
 
 export type FetchCreateOrgFullScanOptions = {
@@ -40,6 +41,7 @@ export async function fetchCreateOrgFullScan(
     pullRequest,
     repoName,
     scanType,
+    workspace,
   } = { __proto__: null, ...config } as FetchCreateOrgFullScanConfigs
 
   const {
@@ -71,6 +73,7 @@ export async function fetchCreateOrgFullScan(
       ...(pullRequest ? { pull_request: String(pullRequest) } : {}),
       ...(repoName ? { repo: repoName } : {}),
       ...(scanType ? { scan_type: scanType } : {}),
+      ...(workspace ? { workspace } : {}),
       ...(pendingHead !== undefined
         ? { set_as_pending_head: Boolean(pendingHead) }
         : {}),

packages/cli/src/commands/scan/handle-create-new-scan.mts

@@ -68,6 +68,7 @@ export type HandleCreateNewScanConfig = {
   reportLevel: REPORT_LEVEL
   targets: string[]
   tmp: boolean
+  workspace?: string | undefined
 }
 
 export async function handleCreateNewScan({
@@ -91,8 +92,12 @@ export async function handleCreateNewScan({
   reportLevel,
   targets,
   tmp,
+  workspace,
 }: HandleCreateNewScanConfig): Promise<void> {
-  debug('notice', `Creating new scan for ${orgSlug}/${repoName}`)
+  debug(
+    'notice',
+    `Creating new scan for ${orgSlug}/${workspace ? `${workspace}/` : ''}${repoName}`,
+  )
   debugDir('inspect', {
     autoManifest,
     branchName,
@@ -106,6 +111,7 @@ export async function handleCreateNewScan({
     reportLevel,
     targets,
     tmp,
+    workspace,
   })
 
   if (autoManifest) {
@@ -288,6 +294,7 @@ export async function handleCreateNewScan({
       scanType: reach.runReachabilityAnalysis
         ? SCAN_TYPE_SOCKET_TIER1
         : SCAN_TYPE_SOCKET,
+      workspace,
     },
     {
       cwd,

packages/cli/src/commands/scan/setup-scan-config.mts

@@ -9,6 +9,7 @@ import { SOCKET_JSON } from '../../constants/paths.mts'
 import {
   detectDefaultBranch,
   getRepoName,
+  getRepoOwner,
   gitBranch,
 } from '../../utils/git/operations.mjs'
 import {
@@ -156,6 +157,22 @@ async function configureScan(
     delete config.repo
   }
 
+  const defaultWorkspace = await input({
+    message:
+      '(--workspace) The workspace in the Socket Organization that the repository is in to associate with the full scan.',
+    default: config.workspace || (await getRepoOwner(cwd)) || '',
+    required: false,
+    // validate: async string => bool
+  })
+  if (defaultWorkspace === undefined) {
+    return canceledByUser()
+  }
+  if (defaultWorkspace) {
+    config.workspace = defaultWorkspace
+  } else {
+    delete config.workspace
+  }
+
   const defaultBranchName = await input({
     message:
       '(--branch) What branch name (slug) should be reported to Socket for this dir?',

packages/cli/src/utils/basics/vfs-extract.mts

@@ -13,22 +13,16 @@
  */
 
 import { createHash } from 'node:crypto'
-import { existsSync, promises as fs } from 'node:fs'
 import { homedir } from 'node:os'
 import path from 'node:path'
 
 import { debug } from '@socketsecurity/lib/debug'
-import { safeDelete, safeMkdir } from '@socketsecurity/lib/fs'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { normalizePath } from '@socketsecurity/lib/paths/normalize'
 import { spawn } from '@socketsecurity/lib/spawn'
 
 import { UPDATE_STORE_DIR } from '../../constants/paths.mts'
-import { getOpengrepVersion } from '../../env/opengrep-version.mts'
-import { getPyCliVersion } from '../../env/pycli-version.mts'
 import { getPythonMajorMinor } from '../../env/python-version.mts'
-import { getTrivyVersion } from '../../env/trivy-version.mts'
-import { getTrufflehogVersion } from '../../env/trufflehog-version.mts'
 import { isSeaBinary } from '../sea/detect.mts'
 
 const logger = getDefaultLogger()
@@ -167,7 +161,9 @@ export async function extractBasicsTools(
 
   const isPlatWin = process.platform === 'win32'
   const tools = BASICS_TOOLS
-  const extractedPaths: Record<string, string> = {}
+  const extractedPaths: Partial<
+    Record<(typeof BASICS_TOOLS)[number], string>
+  > = {}
 
   try {
     // Extract all tools using process.smol.mount().
@@ -195,9 +191,14 @@ export async function extractBasicsTools(
     // Validate all extracted binaries work after extraction.
     logger.group('Validating extracted basics tools...')
 
+    const pythonRoot = extractedPaths['python']
+    if (!pythonRoot) {
+      throw new Error('Failed to extract python from VFS')
+    }
+
     const pythonExe = isPlatWin ? 'python3.exe' : 'python3'
     const pythonPath = normalizePath(
-      path.join(extractedPaths.python, 'bin', pythonExe),
+      path.join(pythonRoot, 'bin', pythonExe),
     )
 
     const validateResult = await spawn(pythonPath, ['--version'], {
@@ -239,7 +240,7 @@ export async function extractBasicsTools(
 
     logger.success('Basics tools extracted and validated')
     // Return the Python directory path for backward compatibility.
-    return extractedPaths.python
+    return pythonRoot
   } catch (e) {
     logger.error('VFS extraction failed')
     throw e

packages/cli/src/utils/dlx/vfs-extract.mts

@@ -79,18 +79,17 @@ import { isSeaBinary } from '../sea/detect.mts'
 const logger = getDefaultLogger()
 
 // External tool names bundled in VFS.
-// Currently only includes standalone binaries that are packaged in the VFS tarball.
-// npm packages (cdxgen, coana, socket-patch, synp) will be added in future updates.
-export const EXTERNAL_TOOLS = [
-  'sfw',
-] as const
+// Includes standalone binaries and npm-packaged tools (with dependencies).
+export const EXTERNAL_TOOLS = ['cdxgen', 'coana', 'sfw', 'socket-patch', 'synp'] as const
 
 export type ExternalTool = (typeof EXTERNAL_TOOLS)[number]
 
 // Map of npm package tools to their node_modules/ paths.
 // These are full npm packages with dependencies and node_modules/ subdirectories.
 // Standalone binaries (like sfw) are NOT in this map - they use direct file paths.
-const TOOL_NPM_PATHS: Partial<Record<ExternalTool, { packageName: string; binPath: string }>> = {
+const TOOL_NPM_PATHS: Partial<
+  Record<ExternalTool, { packageName: string; binPath: string }>
+> = {
   cdxgen: {
     packageName: '@cyclonedx/cdxgen',
     binPath: 'node_modules/@cyclonedx/cdxgen/bin/cdxgen',

packages/cli/src/utils/socket/json.mts

@@ -72,6 +72,7 @@ export interface SocketJson {
         repo?: string | undefined
         report?: boolean | undefined
         branch?: string | undefined
+        workspace?: string | undefined
       }
       github?: {
         all?: boolean | undefined

packages/cli/test/unit/commands/scan/fetch-create-org-full-scan.test.mts

@@ -90,6 +90,36 @@ describe('fetchCreateOrgFullScan', () => {
     expect(result.ok).toBe(true)
   })
 
+  it('passes workspace when provided', async () => {
+    const { fetchCreateOrgFullScan } = await import(
+      '../../../../../src/commands/scan/fetch-create-org-full-scan.mts'
+    )
+
+    const { mockSdk } = await setupSdkMockSuccess('createFullScan', {})
+
+    const config = {
+      branchName: 'main',
+      commitHash: 'abc123',
+      commitMessage: 'Initial commit',
+      committers: 'john@example.com',
+      pullRequest: 42,
+      repoName: 'test-repo',
+      workspace: 'test-workspace',
+    }
+
+    await fetchCreateOrgFullScan(['/path/to/package.json'], 'test-org', config)
+
+    expect(mockSdk.createFullScan).toHaveBeenCalledWith(
+      'test-org',
+      ['/path/to/package.json'],
+      expect.objectContaining({
+        pathsRelativeTo: process.cwd(),
+        repo: 'test-repo',
+        workspace: 'test-workspace',
+      }),
+    )
+  })
+
   it('handles SDK setup failure', async () => {
     const { fetchCreateOrgFullScan } = await import(
       '../../../../../src/commands/scan/fetch-create-org-full-scan.mts'