Skip to content

Mucha/gitlab branch protection flag#162

Closed
jonathanStrange0 wants to merge 8 commits intomainfrom
mucha/gitlab-branch-protection-flag
Closed

Mucha/gitlab branch protection flag#162
jonathanStrange0 wants to merge 8 commits intomainfrom
mucha/gitlab-branch-protection-flag

Conversation

@jonathanStrange0
Copy link
Contributor

@jonathanStrange0 jonathanStrange0 commented Feb 12, 2026

Adds --enable-commit-status flag to post a success/failed commit status to
GitLab after scan, enabling merge blocking on Socket findings:

  • set_commit_status() — posts commit status (socket-security-commit-status)
    with state, description, and optional report link
  • enable_merge_pipeline_check() — enables "pipelines must succeed" on the MR
    target project via API
  • --enable-commit-status CLI flag (default off) wired into main_code() to call
    both methods after scan
  • Prefers CI_MERGE_REQUEST_SOURCE_BRANCH_SHA over CI_COMMIT_SHA to handle
    merged-results pipelines
  • Includes 401 auth fallback (Bearer → PRIVATE-TOKEN) on both new endpoints
  • Unit tests covering payload shape, auth fallback, skip-when-no-MR, and
    graceful error handling
  • UAT doc with pass/fail/omitted/non-MR/API-failure/non-GitLab scenarios

Why?

GitLab users had no way to block MR merges based on Socket scan results. The
CLI exited non-zero on blocking alerts, but that only fails the pipeline — it
doesn't surface a named status check. With --enable-commit-status, Socket
posts a dedicated commit status that repo admins can require on protected
branches, giving explicit merge-gate control tied to Socket findings without
relying solely on pipeline pass/fail.

Public Changelog

N/A

Jonathan Mucha and others added 8 commits February 5, 2026 14:37
added ability to prevent merges based on failed check run
878b4b1
updated json format for gitlab api call
24b8362
@claude
fix: use source branch SHA for commit status, log response body
697a121 
CI_COMMIT_SHA may be synthetic in merged-results pipelines.
Prefer CI_MERGE_REQUEST_SOURCE_BRANCH_SHA when available.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude
fix: use context instead of name for commit status
6946be4 
GitLab rejects duplicate name field; context allows updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude
fix: add ref and pipeline_id to commit status payload
f91653f 
GitLab uses (sha, name, ref) as unique key. Without ref,
re-runs fail with "name has already been taken".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude
fix: drop pipeline_id from commit status payload
476b510 
pipeline_id causes 404 when sha/ref don't match the pipeline.
ref alone is sufficient for uniqueness.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
renaming the commit status
d0c568a
@claude
Add enable_merge_pipeline_check() to enforce pipelines-must-succeed v…
fb456f3 
…ia API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jonathanStrange0 jonathanStrange0 requested a review from a team as a code owner February 12, 2026 17:07
@github-actions
Copy link

github-actions bot commented Feb 12, 2026

Version Check Failed

Please increment...

@github-actions
Copy link

github-actions bot commented Feb 12, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.72.dev9

Docker image: socketdev/cli:pr-162

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jonathanStrange0