Merge branch 'main' into dependabot/pip/pyinstaller-6.20.0

omerr-cycode · web-flow · commit 5e7608df8510 · 2026-06-03T07:52:57.000+03:00
diff --git a/.github/workflows/build_executable.yml b/.github/workflows/build_executable.yml
@@ -38,7 +38,7 @@ jobs:
     steps:
       - name: Run Cimon
         if: matrix.os == 'ubuntu-22.04'
-        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
+        uses: cycodelabs/cimon-action@a0870cc3d9e3bf3cedd28bdb67bf3fd3281e5941 # v1.0.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
@@ -313,7 +313,7 @@ jobs:
 
       - name: Upload files to release
         if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }}
-        uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
         with:
           file: dist/*
           tag: ${{ env.LATEST_TAG }}
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -76,7 +76,7 @@ jobs:
       - name: Build and push
         id: docker_build
         if: ${{ github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') }}
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -86,7 +86,7 @@ jobs:
       - name: Verify build
         id: docker_verify_build
         if: ${{ github.event_name != 'workflow_dispatch' && !startsWith(github.ref, 'refs/tags/v') }}
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/pre_release.yml b/.github/workflows/pre_release.yml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
+        uses: cycodelabs/cimon-action@a0870cc3d9e3bf3cedd28bdb67bf3fd3281e5941 # v1.0.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
+        uses: cycodelabs/cimon-action@a0870cc3d9e3bf3cedd28bdb67bf3fd3281e5941 # v1.0.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
+        uses: cycodelabs/cimon-action@a0870cc3d9e3bf3cedd28bdb67bf3fd3281e5941 # v1.0.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
+        uses: cycodelabs/cimon-action@a0870cc3d9e3bf3cedd28bdb67bf3fd3281e5941 # v1.0.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
diff --git a/.github/workflows/tests_full.yml b/.github/workflows/tests_full.yml
@@ -24,7 +24,7 @@ jobs:
     steps:
       - name: Run Cimon
         if: matrix.os == 'ubuntu-latest'
-        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
+        uses: cycodelabs/cimon-action@a0870cc3d9e3bf3cedd28bdb67bf3fd3281e5941 # v1.0.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
diff --git a/cycode/cli/apps/scan/scan_command.py b/cycode/cli/apps/scan/scan_command.py
@@ -28,17 +28,32 @@
 _SECRET_RICH_HELP_PANEL = 'Secret options'
 
 
+def _single_value_callback(ctx: typer.Context, param: typer.CallbackParam, value: list) -> list:
+    if len(value) > 1:
+        values_str = ', '.join(str(v) for v in value)
+        param_hint = '/'.join(sorted(param.opts, key=len))
+        err = typer.BadParameter(
+            f'Only one value can be specified per command. Got: {values_str}. Run a separate command for each value.',
+            ctx=ctx,
+            param_hint=param_hint,
+        )
+        err.exit_code = 1
+        raise err
+    return value
+
+
 def scan_command(
     ctx: typer.Context,
     scan_type: Annotated[
-        ScanTypeOption,
+        list[ScanTypeOption],
         typer.Option(
             '--scan-type',
             '-t',
             help='Specify the type of scan you wish to execute.',
             case_sensitive=False,
+            callback=_single_value_callback,
         ),
-    ] = ScanTypeOption.SECRET,
+    ] = (ScanTypeOption.SECRET,),
     soft_fail: Annotated[
         bool, typer.Option('--soft-fail', help='Run the scan without failing; always return a non-error status code.')
     ] = False,
@@ -137,6 +152,9 @@ def scan_command(
             param_hint='--export-file',
         )
 
+    # _single_value_callback validated exactly one value was provided; unwrap from list
+    scan_type = scan_type[0]
+
     ctx.obj['show_secret'] = show_secret
     ctx.obj['soft_fail'] = soft_fail
     ctx.obj['stop_on_error'] = stop_on_error
diff --git a/tests/cli/commands/scan/test_scan_command.py b/tests/cli/commands/scan/test_scan_command.py
@@ -1,11 +1,19 @@
+import re
+
 import click
 import pytest
 import typer
+from typer.testing import CliRunner
 
+from cycode.cli.app import app
 from cycode.cli.apps.scan.scan_command import scan_command_result_callback
 from cycode.cli.consts import ISSUE_DETECTED_STATUS_CODE, NO_ISSUES_STATUS_CODE, SCAN_ERROR_STATUS_CODE
 
 
+def _strip_ansi(text: str) -> str:
+    return re.sub(r'\x1b\[[0-9;]*[mGKHF]', '', text)
+
+
 def _make_ctx(**obj_overrides: object) -> click.Context:
     obj = {
         'soft_fail': False,
@@ -25,6 +33,21 @@ def _invoke_result_callback(ctx: click.Context) -> int:
     return exc_info.value.exit_code
 
 
+class TestScanCommand:
+    def test_multiple_scan_types_rejected(self) -> None:
+        result = CliRunner().invoke(app, ['scan', '-t', 'iac', '-t', 'sast', 'path', '.'])
+        assert result.exit_code == 1
+        output = _strip_ansi(result.output)
+        assert '-t/--scan-type' in output
+        assert 'iac' in output
+        assert 'sast' in output
+
+    def test_single_scan_type_accepted(self) -> None:
+        result = CliRunner().invoke(app, ['scan', '-t', 'iac', '--help'])
+        assert result.exit_code == 0
+        assert 'Error' not in result.output
+
+
 class TestScanCommandResultCallback:
     def test_no_issues_no_errors_exits_zero(self) -> None:
         assert _invoke_result_callback(_make_ctx()) == NO_ISSUES_STATUS_CODE
