
fix: improve custom SAST rule activation, filtering semantics + config observability #61

Draft
lelia wants to merge 4 commits into main from lelia/fix-custom-rule-logic

Conversation

@lelia
Contributor

@lelia lelia commented Apr 10, 2026

Summary

This PR improves custom SAST execution gaps and makes config behavior observable in logs. It also hardens precedence handling so environment/API custom-rule settings are not unintentionally overwritten by CLI defaults.

Changes

  • Normalize custom SAST API fields:
    • useCustomSastRules -> use_custom_sast_rules
    • customSastRulePath / customSastRulesPath -> custom_sast_rule_path
  • Improve runtime observability:
    • config-source/effective custom SAST logs
    • OpenGrep rule selection logs (custom vs bundled)
    • enabled-rule filter visibility
  • Fix dynamic CLI arg defaults:
    • use None defaults for dynamic string/int args so absent CLI args do not override env/API config
  • Adjust custom-rule filtering semantics:
    • when using custom rules, and allowlist IDs do not match custom rule IDs, use all custom rules for that language and warn the user
    • when allowlist IDs do match custom IDs, apply allowlist as expected
  • Clarify docs for custom rules and precedence

Adds

  • tests/test_config_custom_sast.py
    • API normalization tests
    • env/API/JSON merge precedence tests
    • regression test for dynamic CLI default overwrite issue
  • tests/test_opengrep_custom_rules.py
    • custom-vs-bundled config selection tests
    • custom allowlist mismatch/match semantic tests
    • fallback logic test

Testing

  • All new and existing unit tests pass
  • Local dry-run validation confirming:
    • resolved custom path
    • temp custom rule files generated
    • OpenGrep command uses custom temp files
    • warning when allowlist IDs do not match custom IDs

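The two behaviours the description above relies on, None-defaulted CLI args that leave env/API values alone, and the custom-rule allowlist match/mismatch semantics, are easy to get subtly wrong, so here is an added stand-alone model of them. This is example code written for this page, not socket-basics code: the function names, the `none_defaults` switch (which reproduces the pre-fix overwrite for comparison), the sample config dicts and the two custom rule IDs are all assumptions; only the camelCase-to-snake_case aliases come from the PR text.

```python
"""Added example (not socket-basics code): a minimal model of the CLI-default
precedence fix and the custom-rule allowlist semantics described in the PR.
Function names, the none_defaults switch and the sample data are assumptions."""
import argparse
import logging
from typing import Dict, List, Set

log = logging.getLogger("custom_sast_example")

# camelCase API fields -> snake_case config keys (aliases taken from the PR text).
API_FIELD_ALIASES = {
    "useCustomSastRules": "use_custom_sast_rules",
    "customSastRulePath": "custom_sast_rule_path",
    "customSastRulesPath": "custom_sast_rule_path",
}


def normalize_api_config(api_cfg: dict) -> dict:
    """Rename camelCase dashboard keys to the snake_case keys the rest of the config uses."""
    return {API_FIELD_ALIASES.get(k, k): v for k, v in api_cfg.items()}


def build_parser(none_defaults: bool = True) -> argparse.ArgumentParser:
    """Dynamic CLI args. With none_defaults=True an absent flag parses to None, which
    the merge step treats as 'not provided'. none_defaults=False reproduces the old
    behaviour, where the parser's own defaults ("" / False) look like real values."""
    p = argparse.ArgumentParser()
    p.add_argument("--use-custom-sast-rules", dest="use_custom_sast_rules",
                   action="store_true", default=None if none_defaults else False)
    p.add_argument("--custom-sast-rule-path", dest="custom_sast_rule_path",
                   default=None if none_defaults else "")
    p.add_argument("--python-enabled-rules", dest="python_enabled_rules",
                   default=None if none_defaults else "")
    return p


def merge_config(env_cfg: dict, api_cfg: dict, cli_args: List[str],
                 none_defaults: bool = True) -> dict:
    """Precedence: env defaults < API config < CLI args that were actually passed."""
    cfg = dict(env_cfg)
    cfg.update(normalize_api_config(api_cfg))
    ns = build_parser(none_defaults).parse_args(cli_args)
    for key, value in vars(ns).items():
        if value is not None:  # None means the arg was absent: keep the env/API value
            cfg[key] = value
    log.info("Effective custom SAST config: use_custom_sast_rules=%s custom_sast_rule_path=%s",
             cfg.get("use_custom_sast_rules"), cfg.get("custom_sast_rule_path"))
    return cfg


def select_custom_rules(custom_rules: Dict[str, dict], allowlist: Set[str],
                        language: str) -> Dict[str, dict]:
    """Allowlist semantics from the PR: keep only allowlisted custom rules when at
    least one ID matches; if none match, keep every custom rule and warn."""
    if not allowlist:
        return dict(custom_rules)
    matched = {rid: rule for rid, rule in custom_rules.items() if rid in allowlist}
    if matched:
        return matched
    log.warning("%s: none of %d enabled-rule IDs match custom rule IDs %s; using all custom rules",
                language, len(allowlist), sorted(custom_rules))
    return dict(custom_rules)


# Constructed sample inputs (hypothetical values, not from any real org config).
ENV_DEFAULTS = {"use_custom_sast_rules": False, "custom_sast_rule_path": None}
API_CONFIG = {"useCustomSastRules": True, "customSastRulesPath": "custom_rules"}
CUSTOM_PY_RULES = {  # two hypothetical custom rule IDs, distinct from bundled ones
    "custom-python-eval-config": {"severity": "HIGH"},
    "custom-python-tmp-write": {"severity": "MEDIUM"},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    fixed = merge_config(ENV_DEFAULTS, API_CONFIG, [])
    legacy = merge_config(ENV_DEFAULTS, API_CONFIG, [], none_defaults=False)
    print("fixed :", fixed["use_custom_sast_rules"], fixed["custom_sast_rule_path"])
    print("legacy:", legacy["use_custom_sast_rules"], legacy["custom_sast_rule_path"])
    # A bundled-rule allowlist that names no custom rule -> warning, all custom rules kept.
    print(sorted(select_custom_rules(CUSTOM_PY_RULES, {"python-sql-injection"}, "python")))
    # An allowlist naming one custom rule -> only that rule.
    print(sorted(select_custom_rules(CUSTOM_PY_RULES, {"custom-python-eval-config"}, "python")))
```

Running it with no CLI args shows the difference the PR's regression test guards against: with None defaults the API values `True` / `custom_rules` survive the merge, while the legacy parser's `False` / `""` defaults overwrite them even though the user never typed a flag.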
lelia added 4 commits April 9, 2026 22:37
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@bergenhem

Tested the following:

  • ✅ Listed out the custom rules using javascript_enabled_rules and python_enabled_rules with custom_sast_rule_path.
  • ✅ Used only javascript_sast_enabled, use_custom_sast_rules, and custom_sast_rule_path
  • ❌ Tried to use the dashboard to list the custom rules using javascript_sast_enabled: 'true', python_sast_enabled: 'true' and use_custom_sast_rules: 'true' but the custom rules from the dashboard were not picked up.

Here are the logs from the last attempt using the dashboard UI:

Run SocketDev/socket-basics@2ed98fe2a26e03592d226aaa7034a928932e140c
/usr/bin/docker run --name d7e5006d0a62f9940cd937cc34321a337c7_45a1fe --label 822d7e --workdir /github/workspace --rm -e "GITHUB_PR_NUMBER" -e "INPUT_GITHUB_TOKEN" -e "INPUT_SOCKET_ORG" -e "INPUT_SOCKET_SECURITY_API_KEY" -e "INPUT_JAVASCRIPT_SAST_ENABLED" -e "INPUT_PYTHON_SAST_ENABLED" -e "INPUT_USE_CUSTOM_SAST_RULES" -e "INPUT_TRUFFLEHOG_SHOW_UNVERIFIED" -e "INPUT_WORKSPACE" -e "INPUT_GITHUB_API_URL" -e "INPUT_ALL_LANGUAGES_ENABLED" -e "INPUT_ALL_RULES_ENABLED" -e "INPUT_C_DISABLED_RULES" -e "INPUT_C_ENABLED_RULES" -e "INPUT_C_SAST_ENABLED" -e "INPUT_CONTAINER_IMAGES" -e "INPUT_CUSTOM_SAST_RULE_PATH" -e "INPUT_CPP_DISABLED_RULES" -e "INPUT_CPP_ENABLED_RULES" -e "INPUT_CPP_SAST_ENABLED" -e "INPUT_CSHARP_DISABLED_RULES" -e "INPUT_CSHARP_ENABLED_RULES" -e "INPUT_CSHARP_SAST_ENABLED" -e "INPUT_DISABLE_ALL_SECRETS" -e "INPUT_DOCKERFILES" -e "INPUT_DOTNET_DISABLED_RULES" -e "INPUT_DOTNET_ENABLED_RULES" -e "INPUT_DOTNET_SAST_ENABLED" -e "INPUT_ELIXIR_DISABLED_RULES" -e "INPUT_ELIXIR_ENABLED_RULES" -e "INPUT_ELIXIR_SAST_ENABLED" -e "INPUT_ERLANG_SAST_ENABLED" -e "INPUT_GO_DISABLED_RULES" -e "INPUT_GO_ENABLED_RULES" -e "INPUT_GO_SAST_ENABLED" -e "INPUT_GOLANG_SAST_ENABLED" -e "INPUT_JAVA_DISABLED_RULES" -e "INPUT_JAVA_ENABLED_RULES" -e "INPUT_JAVA_SAST_ENABLED" -e "INPUT_JAVASCRIPT_DISABLED_RULES" -e "INPUT_JAVASCRIPT_ENABLED_RULES" -e "INPUT_JIRA_API_TOKEN" -e "INPUT_JIRA_EMAIL" -e "INPUT_KOTLIN_DISABLED_RULES" -e "INPUT_KOTLIN_ENABLED_RULES" -e "INPUT_KOTLIN_SAST_ENABLED" -e "INPUT_MS_SENTINEL_KEY" -e "INPUT_MS_SENTINEL_WORKSPACE_ID" -e "INPUT_MSTEAMS_WEBHOOK_URL" -e "INPUT_NOTIFICATION_METHOD" -e "INPUT_PHP_DISABLED_RULES" -e "INPUT_PHP_ENABLED_RULES" -e "INPUT_PHP_SAST_ENABLED" -e "INPUT_PROJECT" -e "INPUT_PYTHON_DISABLED_RULES" -e "INPUT_PYTHON_ENABLED_RULES" -e "INPUT_RUBY_DISABLED_RULES" -e "INPUT_RUBY_ENABLED_RULES" -e "INPUT_RUBY_SAST_ENABLED" -e "INPUT_RUST_DISABLED_RULES" -e "INPUT_RUST_ENABLED_RULES" -e "INPUT_RUST_SAST_ENABLED" -e "INPUT_SCALA_DISABLED_RULES" 
-e "INPUT_SCALA_ENABLED_RULES" -e "INPUT_SCALA_SAST_ENABLED" -e "INPUT_SECRET_SCANNING_ENABLED" -e "INPUT_SERVER" -e "INPUT_SLACK_WEBHOOK_URL" -e "INPUT_SOCKET_ADDITIONAL_PARAMS" -e "INPUT_SOCKET_TIER_1_ENABLED" -e "INPUT_SUMOLOGIC_ENDPOINT" -e "INPUT_SWIFT_DISABLED_RULES" -e "INPUT_SWIFT_ENABLED_RULES" -e "INPUT_SWIFT_SAST_ENABLED" -e "INPUT_TRIVY_DISABLED_RULES" -e "INPUT_TRIVY_IMAGE_SCANNING_DISABLED" -e "INPUT_TRIVY_NOTIFICATION_METHOD" -e "INPUT_TRIVY_VULN_ENABLED" -e "INPUT_TRUFFLEHOG_EXCLUDE_DIR" -e "INPUT_WEBHOOK_URL" -e "INPUT_PR_COMMENT_LINKS_ENABLED" -e "INPUT_PR_COMMENT_COLLAPSE_ENABLED" -e "INPUT_PR_COMMENT_COLLAPSE_NON_CRITICAL" -e "INPUT_PR_COMMENT_CODE_FENCING_ENABLED" -e "INPUT_PR_COMMENT_SHOW_RULE_NAMES" -e "INPUT_PR_LABELS_ENABLED" -e "INPUT_PR_LABEL_CRITICAL" -e "INPUT_PR_LABEL_HIGH" -e "INPUT_PR_LABEL_MEDIUM" -e "GITHUB_TOKEN" -e "INPUT_CONTAINER_IMAGES_TO_SCAN" -e "INPUT_JIRA_PROJECT" -e "INPUT_JIRA_URL" -e "INPUT_TRUFFLEHOG_NOTIFICATION_METHOD" -e "SOCKET_ADDITIONAL_PARAMS" -e "SOCKET_TIER_1_ENABLED" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e 
"ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e "ACTIONS_ORCHESTRATION_ID" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp":"/github/runner_temp" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/socket-basics-custom-rules-test/socket-basics-custom-rules-test":"/github/workspace" 822d7e:5006d0a62f9940cd937cc34321a337c7
2026-04-12 17:21:55,231 - INFO - Initialized output file at .socket.facts.json
2026-04-12 17:21:55,273 - INFO - Configuration sources: environment defaults loaded
2026-04-12 17:21:55,273 - INFO - Socket API key detected - attempting to load dashboard configuration
2026-04-12 17:21:55,879 - INFO - Found organization '***' with plan: enterprise_2021_01
2026-04-12 17:21:56,292 - INFO - Retrieved Socket Basics config for enterprise organization '***'
2026-04-12 17:21:56,292 - INFO - Loaded Socket Basics API configuration (overrides environment defaults)
2026-04-12 17:21:56,292 - INFO - Effective custom SAST config: use_custom_sast_rules=True custom_sast_rule_path=custom_rules all_languages_enabled=True all_rules_enabled=False
2026-04-12 17:21:56,364 - INFO - Starting security scanning with dynamic connectors...
2026-04-12 17:21:56,448 - INFO - Successfully loaded connector: opengrep
2026-04-12 17:21:56,459 - INFO - Successfully loaded connector: trufflehog
2026-04-12 17:21:56,459 - INFO - Connector trufflehog is loaded but disabled by configuration
2026-04-12 17:21:56,459 - INFO - OpenGrep config summary: all_languages_enabled=True all_rules_enabled=False requested_rule_files=['python.yml', 'go.yml', 'javascript_typescript.yml', 'java.yml', 'ruby.yml', 'dotnet.yml', 'scala.yml', 'kotlin.yml', 'rust.yml', 'c_cpp.yml', 'php.yml', 'swift.yml', 'elixir.yml']
2026-04-12 17:21:56,459 - INFO - Custom SAST requested=True custom_path=custom_rules resolved_path=(none)
2026-04-12 17:21:56,460 - INFO - Per-language enabled-rule filters detected: {'python.yml': 4, 'go.yml': 7, 'javascript_typescript.yml': 4, 'java.yml': 12, 'ruby.yml': 9, 'dotnet.yml': 9, 'scala.yml': 7, 'kotlin.yml': 8, 'rust.yml': 6, 'c_cpp.yml': 10, 'php.yml': 9, 'swift.yml': 7, 'elixir.yml': 6}
2026-04-12 17:21:56,460 - INFO - Using bundled rules for python.yml from /socket-basics/socket_basics/rules/python.yml
2026-04-12 17:21:56,460 - INFO - Filtering rules for python.yml: 4 enabled IDs configured
2026-04-12 17:21:56,549 - INFO - Using bundled rules for go.yml from /socket-basics/socket_basics/rules/go.yml
2026-04-12 17:21:56,549 - INFO - Filtering rules for go.yml: 7 enabled IDs configured
2026-04-12 17:21:56,583 - INFO - Using bundled rules for javascript_typescript.yml from /socket-basics/socket_basics/rules/javascript_typescript.yml
2026-04-12 17:21:56,583 - INFO - Filtering rules for javascript_typescript.yml: 4 enabled IDs configured
2026-04-12 17:21:56,681 - INFO - Using bundled rules for java.yml from /socket-basics/socket_basics/rules/java.yml
2026-04-12 17:21:56,681 - INFO - Filtering rules for java.yml: 12 enabled IDs configured
2026-04-12 17:21:56,735 - INFO - Using bundled rules for ruby.yml from /socket-basics/socket_basics/rules/ruby.yml
2026-04-12 17:21:56,735 - INFO - Filtering rules for ruby.yml: 9 enabled IDs configured
2026-04-12 17:21:56,770 - INFO - Using bundled rules for dotnet.yml from /socket-basics/socket_basics/rules/dotnet.yml
2026-04-12 17:21:56,770 - INFO - Filtering rules for dotnet.yml: 9 enabled IDs configured
2026-04-12 17:21:56,821 - INFO - Using bundled rules for scala.yml from /socket-basics/socket_basics/rules/scala.yml
2026-04-12 17:21:56,821 - INFO - Filtering rules for scala.yml: 7 enabled IDs configured
2026-04-12 17:21:56,849 - INFO - Using bundled rules for kotlin.yml from /socket-basics/socket_basics/rules/kotlin.yml
2026-04-12 17:21:56,849 - INFO - Filtering rules for kotlin.yml: 8 enabled IDs configured
2026-04-12 17:21:56,883 - INFO - Using bundled rules for rust.yml from /socket-basics/socket_basics/rules/rust.yml
2026-04-12 17:21:56,883 - INFO - Filtering rules for rust.yml: 6 enabled IDs configured
2026-04-12 17:21:56,918 - INFO - Using bundled rules for c_cpp.yml from /socket-basics/socket_basics/rules/c_cpp.yml
2026-04-12 17:21:56,918 - INFO - Filtering rules for c_cpp.yml: 10 enabled IDs configured
2026-04-12 17:21:56,950 - INFO - Using bundled rules for php.yml from /socket-basics/socket_basics/rules/php.yml
2026-04-12 17:21:56,950 - INFO - Filtering rules for php.yml: 9 enabled IDs configured
2026-04-12 17:21:57,000 - INFO - Using bundled rules for swift.yml from /socket-basics/socket_basics/rules/swift.yml
2026-04-12 17:21:57,000 - INFO - Filtering rules for swift.yml: 7 enabled IDs configured
2026-04-12 17:21:57,035 - INFO - Using bundled rules for elixir.yml from /socket-basics/socket_basics/rules/elixir.yml
2026-04-12 17:21:57,035 - INFO - Filtering rules for elixir.yml: 6 enabled IDs configured
2026-04-12 17:21:57,059 - INFO - Running OpenGrep: opengrep --json --dataflow-traces --output /tmp/tmppqkxezn3.json --quiet --config /socket-basics/socket_basics/rules/python.yml --exclude-rule python-path-traversal-open --exclude-rule python-open-redirect --exclude-rule python-idor-vulnerability --exclude-rule python-missing-auth-check --exclude-rule python-weak-hash-md5 --exclude-rule python-weak-hash-sha1 --exclude-rule python-insecure-random --exclude-rule python-hardcoded-secret --exclude-rule python-weak-cipher-des --exclude-rule python-ssl-verify-disabled --exclude-rule python-insecure-tls-version --exclude-rule python-code-injection-eval --exclude-rule python-sql-injection --exclude-rule python-nosql-injection --exclude-rule python-command-injection --exclude-rule python-ldap-injection --exclude-rule python-xss-template --exclude-rule python-xxe-vulnerability --exclude-rule python-template-injection --exclude-rule python-yaml-load-unsafe --exclude-rule python-missing-rate-limit --exclude-rule python-missing-input-validation --exclude-rule python-debug-mode-enabled --exclude-rule python-weak-session-config --exclude-rule python-error-exposure --exclude-rule python-insecure-file-permissions --exclude-rule python-bind-all-interfaces --exclude-rule python-deprecated-functions --exclude-rule python-weak-password-validation --exclude-rule python-jwt-no-verify --exclude-rule python-weak-jwt-algorithm --exclude-rule python-plain-text-password --exclude-rule python-unsafe-deserialization --exclude-rule python-missing-integrity-check --exclude-rule python-sensitive-data-in-logs --exclude-rule python-missing-error-logging --exclude-rule python-ssrf-vulnerability --exclude-rule python-assert-used --exclude-rule python-bare-except --exclude-rule python-dangerous-eval-exec --exclude-rule python-sql-format-string --exclude-rule python-insecure-temp-file --exclude-rule python-regex-dos --exclude-rule python-unvalidated-file-upload --exclude-rule 
python-hardcoded-password-default --exclude-rule python-pickle-usage --exclude-rule python-md5-usage --exclude-rule python-sha1-usage --exclude-rule python-eval-usage --exclude-rule python-request-without-cert-validation --exclude-rule python-ssl-bad-version --exclude-rule python-paramiko-calls --exclude-rule python-subprocess-shell-true --exclude-rule python-start-process-with-shell --exclude-rule python-sql-injection-format --exclude-rule python-flask-debug-true --exclude-rule python-jinja2-autoescape-false --exclude-rule python-weak-random --exclude-rule python-tempfile-mktemp --config /socket-basics/socket_basics/rules/go.yml --exclude-rule go-error-not-checked --exclude-rule go-url-taint-input --exclude-rule go-integer-overflow-strconv --exclude-rule go-sql-string-concat --exclude-rule go-html-template-no-escape --exclude-rule go-command-execution --exclude-rule go-poor-mkdir-permissions --exclude-rule go-poor-chmod-permissions --exclude-rule go-predictable-temp-file --exclude-rule go-file-path-traversal --exclude-rule go-zip-traversal --exclude-rule go-weak-crypto-hash --exclude-rule go-bad-tls-connection --exclude-rule go-weak-rsa-key --exclude-rule go-weak-random --exclude-rule go-import-md5 --exclude-rule go-import-des --exclude-rule go-import-rc4 --exclude-rule go-import-cgi --exclude-rule go-import-sha1 --exclude-rule go-empty-password --exclude-rule go-sql-direct-concat --exclude-rule go-path-traversal-filepath-join --config /socket-basics/socket_basics/rules/javascript_typescript.yml --exclude-rule js-missing-auth-check --exclude-rule js-idor-vulnerability --exclude-rule js-path-traversal --exclude-rule js-open-redirect --exclude-rule js-cors-allow-all --exclude-rule js-weak-hash-md5 --exclude-rule js-weak-hash-sha1 --exclude-rule js-insecure-random --exclude-rule js-hardcoded-secret --exclude-rule js-weak-cipher --exclude-rule js-tls-reject-unauthorized-false --exclude-rule js-insecure-tls-version --exclude-rule js-insecure-protocol --exclude-rule 
js-code-injection-eval --exclude-rule js-sql-injection --exclude-rule js-nosql-injection --exclude-rule js-command-injection --exclude-rule js-ldap-injection --exclude-rule js-xss-innerhtml --exclude-rule js-dom-xss --exclude-rule js-xxe-vulnerability --exclude-rule js-template-injection --exclude-rule js-prototype-pollution --exclude-rule js-missing-rate-limit --exclude-rule js-missing-input-validation --exclude-rule js-predictable-resource --exclude-rule js-debug-mode-enabled --exclude-rule js-debugger-statement --exclude-rule js-weak-session-cookie --exclude-rule js-missing-helmet --exclude-rule js-error-stack-exposed --exclude-rule js-default-credentials --exclude-rule js-deprecated-crypto-api --exclude-rule js-unsafe-buffer --exclude-rule js-weak-password-validation --exclude-rule js-jwt-no-verify --exclude-rule js-weak-jwt-secret --exclude-rule js-session-fixation --exclude-rule js-unsafe-deserialization --exclude-rule js-missing-sri --exclude-rule js-insecure-auto-update --exclude-rule js-sensitive-data-in-logs --exclude-rule js-missing-error-logging --exclude-rule js-ssrf-vulnerability --exclude-rule js-unsafe-type-coercion --exclude-rule js-missing-await --exclude-rule js-unhandled-promise-rejection --exclude-rule js-regex-dos --exclude-rule js-parseint-missing-radix --exclude-rule js-react-dangerous-html --exclude-rule js-react-missing-key --exclude-rule js-express-async-no-error-handler --exclude-rule js-express-trust-proxy-not-set --exclude-rule js-nextjs-gsp-no-error-handling --exclude-rule js-unsafe-file-operations --exclude-rule js-unsafe-process-spawn --exclude-rule js-timing-attack --exclude-rule js-unvalidated-file-upload --exclude-rule js-zip-bomb --config /socket-basics/socket_basics/rules/java.yml --exclude-rule java-reflection-injection --exclude-rule java-insecure-random --exclude-rule java-path-traversal --exclude-rule java-weak-cipher --exclude-rule java-insecure-http --exclude-rule java-weak-key-generation --exclude-rule 
java-unvalidated-redirect --exclude-rule java-insecure-cookie --exclude-rule java-system-out-usage --exclude-rule java-empty-catch-block --exclude-rule java-hardcoded-ip --exclude-rule java-spring-security-bypass --exclude-rule java-jpa-sql-injection --exclude-rule java-struts-ognl-injection --exclude-rule java-android-webview-js-enabled --exclude-rule java-android-external-storage --exclude-rule java-template-injection --exclude-rule java-file-upload-no-validation --config /socket-basics/socket_basics/rules/ruby.yml --exclude-rule ruby-dynamic-method-definition --exclude-rule ruby-path-traversal --exclude-rule ruby-open-redirect --exclude-rule ruby-xss-raw-output --exclude-rule ruby-weak-crypto --exclude-rule ruby-insecure-random --exclude-rule ruby-weak-cipher --exclude-rule ruby-mass-assignment --exclude-rule ruby-csrf-bypass --exclude-rule ruby-insecure-http --exclude-rule ruby-debug-info-disclosure --exclude-rule ruby-hardcoded-ip --exclude-rule ruby-empty-rescue --exclude-rule ruby-rails-where-injection --exclude-rule ruby-template-injection --exclude-rule ruby-file-upload-no-validation --exclude-rule ruby-dangerous-file-permissions --config /socket-basics/socket_basics/rules/dotnet.yml --exclude-rule dotnet-weak-crypto-md5 --exclude-rule dotnet-weak-crypto-sha1 --exclude-rule dotnet-xss-response-write --exclude-rule dotnet-path-traversal --exclude-rule dotnet-insecure-random --exclude-rule dotnet-weak-cipher --exclude-rule dotnet-insecure-http --exclude-rule dotnet-weak-key-size --exclude-rule dotnet-insecure-cookie --exclude-rule dotnet-open-redirect --exclude-rule dotnet-debug-info-disclosure --exclude-rule dotnet-empty-catch-block --exclude-rule dotnet-hardcoded-ip --exclude-rule dotnet-aspnet-validaterequest-false --exclude-rule dotnet-aspnet-viewstate-mac-disabled --exclude-rule dotnet-aspnetcore-auth-bypass --exclude-rule dotnet-ef-sql-injection --exclude-rule dotnet-wcf-insecure-binding --exclude-rule dotnet-jwt-no-verification --exclude-rule 
dotnet-broken-access-control --exclude-rule dotnet-crypto-failures --exclude-rule dotnet-insecure-design-session --exclude-rule dotnet-security-misconfiguration --exclude-rule dotnet-vulnerable-components --exclude-rule dotnet-auth-failures --exclude-rule dotnet-integrity-failures --exclude-rule dotnet-logging-failures --exclude-rule dotnet-ssrf --exclude-rule dotnet-unsafe-code --exclude-rule dotnet-double-check-locking --exclude-rule dotnet-reflection-security --config /socket-basics/socket_basics/rules/scala.yml --exclude-rule scala-zip-slip --exclude-rule scala-weak-crypto-md5 --exclude-rule scala-weak-crypto-sha1 --exclude-rule scala-path-traversal --exclude-rule scala-xss-template --exclude-rule scala-insecure-random --exclude-rule scala-insecure-http --exclude-rule scala-open-redirect --exclude-rule scala-weak-cipher --exclude-rule scala-debug-info-disclosure --exclude-rule scala-hardcoded-ip --exclude-rule scala-play-csrf-bypass --exclude-rule scala-akka-http-security --exclude-rule scala-json-injection --exclude-rule scala-file-upload-no-validation --config /socket-basics/socket_basics/rules/kotlin.yml --exclude-rule kotlin-weak-crypto-md5 --exclude-rule kotlin-weak-crypto-sha1 --exclude-rule kotlin-path-traversal --exclude-rule kotlin-xss --exclude-rule kotlin-insecure-random --exclude-rule kotlin-insecure-http --exclude-rule kotlin-open-redirect --exclude-rule kotlin-weak-cipher --exclude-rule kotlin-debug-info-disclosure --exclude-rule kotlin-hardcoded-ip --exclude-rule kotlin-android-webview-js --exclude-rule kotlin-android-external-storage --exclude-rule kotlin-android-intent-user-input --exclude-rule kotlin-android-exported-component --exclude-rule kotlin-android-dangerous-permissions --exclude-rule kotlin-spring-security-bypass --exclude-rule kotlin-jpa-query-injection --exclude-rule kotlin-jwt-no-verification --exclude-rule kotlin-template-injection --exclude-rule kotlin-file-upload-no-validation --config /socket-basics/socket_basics/rules/rust.yml 
--exclude-rule rust-unsafe-usage --exclude-rule rust-weak-crypto-md5 --exclude-rule rust-weak-crypto-sha1 --exclude-rule rust-path-traversal --exclude-rule rust-panic-in-production --exclude-rule rust-insecure-random --exclude-rule rust-insecure-http --exclude-rule rust-weak-cipher --exclude-rule rust-integer-overflow --exclude-rule rust-debug-info-disclosure --exclude-rule rust-hardcoded-ip --exclude-rule rust-development-code --exclude-rule rust-actix-security --exclude-rule rust-warp-security --exclude-rule rust-rocket-security --exclude-rule rust-diesel-injection --exclude-rule rust-tokio-security --exclude-rule rust-serde-security --exclude-rule rust-memory-safety --exclude-rule rust-file-permissions --exclude-rule rust-env-injection --config /socket-basics/socket_basics/rules/c_cpp.yml --exclude-rule c-memory-management --exclude-rule c-integer-overflow --exclude-rule c-null-pointer-dereference --exclude-rule c-race-condition --exclude-rule c-weak-random --exclude-rule c-insecure-file-permissions --exclude-rule c-insecure-temp-file --exclude-rule c-signal-handling --exclude-rule c-hardcoded-ip --exclude-rule c-debug-info --exclude-rule cpp-exception-safety --exclude-rule cpp-iterator-invalidation --exclude-rule cpp-resource-leak --exclude-rule c-socket-security --exclude-rule c-buffer-size --exclude-rule c-input-validation --config /socket-basics/socket_basics/rules/php.yml --exclude-rule php-preg-replace-e-modifier --exclude-rule php-xss --exclude-rule php-open-redirect --exclude-rule php-weak-crypto --exclude-rule php-insecure-file-permissions --exclude-rule php-session-security --exclude-rule php-csrf-vulnerability --exclude-rule php-insecure-http --exclude-rule php-insecure-random --exclude-rule php-debug-info-disclosure --exclude-rule php-hardcoded-ip --exclude-rule php-error-suppression --exclude-rule php-laravel-security --exclude-rule php-symfony-security --exclude-rule php-wordpress-security --exclude-rule php-codeigniter-security --exclude-rule 
php-file-upload-vulnerability --exclude-rule php-email-injection --exclude-rule php-type-juggling --exclude-rule php-insecure-direct-object-reference --exclude-rule php-prepared-statement-injection --exclude-rule php-regex-injection --exclude-rule php-insecure-cookie --exclude-rule php-information-disclosure-errors --config /socket-basics/socket_basics/rules/swift.yml --exclude-rule swift-weak-crypto-md5 --exclude-rule swift-weak-crypto-sha1 --exclude-rule swift-path-traversal --exclude-rule swift-webview-xss --exclude-rule swift-insecure-random --exclude-rule swift-insecure-http --exclude-rule swift-open-redirect --exclude-rule swift-weak-cipher --exclude-rule swift-keychain-insecure --exclude-rule swift-debug-info-disclosure --exclude-rule swift-hardcoded-ip --exclude-rule swift-force-unwrapping --exclude-rule swift-ios-ats-bypass --exclude-rule swift-ios-insecure-storage --exclude-rule swift-ios-jailbreak-detection --exclude-rule swift-ios-url-scheme --exclude-rule swift-ios-biometric-bypass --exclude-rule swift-macos-privilege-escalation --exclude-rule swift-macos-code-signing --exclude-rule swift-core-data-injection --exclude-rule swift-swiftui-security --exclude-rule swift-alamofire-security --config /socket-basics/socket_basics/rules/elixir.yml --exclude-rule elixir-weak-crypto --exclude-rule elixir-path-traversal --exclude-rule elixir-xss --exclude-rule elixir-open-redirect --exclude-rule elixir-insecure-random --exclude-rule elixir-insecure-http --exclude-rule elixir-weak-session --exclude-rule elixir-csrf-bypass --exclude-rule elixir-debug-info-disclosure --exclude-rule elixir-hardcoded-ip --exclude-rule elixir-phoenix-xss --exclude-rule elixir-phoenix-insecure-routes --exclude-rule elixir-phoenix-file-upload /github/workspace
2026-04-12 17:22:02,257 - INFO - Connector opengrep completed successfully
2026-04-12 17:22:02,259 - INFO - Results saved to: /github/workspace/.socket.facts.json
2026-04-12 17:22:02,259 - INFO - Submitting socket facts file to Socket API for organization: ***
2026-04-12 17:22:02,603 - INFO - Scan completed!
2026-04-12 17:22:02,603 - INFO - Components analyzed: 8
2026-04-12 17:22:02,603 - INFO - Total alerts: 7
2026-04-12 17:22:02,603 - WARNING - Found 7 high/critical severity issues
2026-04-12 17:22:02,646 - INFO - Loaded notifier: webhook (socket_basics.core.notification.webhook_notifier) - enabled via app_config:webhook_url
2026-04-12 17:22:02,646 - INFO - GitHub PR notifier will be enabled - token detected
2026-04-12 17:22:02,649 - INFO - Loaded notifier: github_pr (socket_basics.core.notification.github_pr_notifier) - enabled via env:GITHUB_TOKEN or INPUT_GITHUB_TOKEN
2026-04-12 17:22:02,743 - WARNING - WebhookNotifier: HTTP error 404: <!DOCTYPE html>
<html class="h-full" lang="en-US" dir="ltr">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="preload" href="
2026-04-12 17:22:02,875 - WARNING - WebhookNotifier: HTTP error 404: <!DOCTYPE html>
<html class="h-full" lang="en-US" dir="ltr">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="preload" href="
2026-04-12 17:22:02,876 - INFO - GithubPRNotifier: Using PR number from environment: 6
2026-04-12 17:22:03,576 - INFO - GithubPRNotifier: posted individual comment for section
2026-04-12 17:22:04,060 - INFO - GithubPRNotifier: posted individual comment for section
2026-04-12 17:22:04,657 - INFO - GithubPRNotifier: added labels to PR 6: security: critical
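
The run above is exactly the case the new log lines make visible: `Custom SAST requested=True ... resolved_path=(none)` followed by `Using bundled rules for ...` for every language, so the scan completed "successfully" on bundled rules rather than the dashboard's custom set. As an added example (not part of socket-basics), here is a small CI guard that reads those two log formats and fails the job when that silent fallback happens. The sample lines are constructed to mirror the output above; the function name and the exit-code behaviour are assumptions.

```python
"""Added example, not socket-basics code: a CI guard that reads the connector log
and fails when custom SAST rules were requested but never resolved, so the scan
silently ran on bundled rules. The two log formats are taken from the run above;
the sample lines are constructed and the function name is an assumption."""
import re
from typing import Dict, List

CUSTOM_RE = re.compile(
    r"Custom SAST requested=(?P<requested>True|False) "
    r"custom_path=(?P<path>\S+) resolved_path=(?P<resolved>\S+)")
BUNDLED_RE = re.compile(r"Using bundled rules for (?P<file>\S+) from")


def audit_custom_sast(log_text: str) -> Dict[str, object]:
    """Summarise custom-rule activation from the log. silent_fallback is True when
    custom rules were requested, the path did not resolve, and bundled rules ran."""
    requested = False
    custom_path = None
    resolved_path = None
    bundled: List[str] = []
    for line in log_text.splitlines():
        m = CUSTOM_RE.search(line)
        if m:
            requested = m.group("requested") == "True"
            custom_path = m.group("path")
            resolved_path = None if m.group("resolved") == "(none)" else m.group("resolved")
        m = BUNDLED_RE.search(line)
        if m:
            bundled.append(m.group("file"))
    return {
        "requested": requested,
        "custom_path": custom_path,
        "resolved_path": resolved_path,
        "bundled_files": bundled,
        "silent_fallback": requested and resolved_path is None and bool(bundled),
    }


# Constructed sample mirroring the dashboard-UI run in the comment above.
SAMPLE_LOG = """\
2026-04-12 17:21:56,292 - INFO - Effective custom SAST config: use_custom_sast_rules=True custom_sast_rule_path=custom_rules all_languages_enabled=True all_rules_enabled=False
2026-04-12 17:21:56,459 - INFO - Custom SAST requested=True custom_path=custom_rules resolved_path=(none)
2026-04-12 17:21:56,460 - INFO - Using bundled rules for python.yml from /socket-basics/socket_basics/rules/python.yml
2026-04-12 17:21:56,460 - INFO - Filtering rules for python.yml: 4 enabled IDs configured
2026-04-12 17:21:56,583 - INFO - Using bundled rules for javascript_typescript.yml from /socket-basics/socket_basics/rules/javascript_typescript.yml
"""

if __name__ == "__main__":
    import sys
    result = audit_custom_sast(SAMPLE_LOG)
    print(result)
    if result["silent_fallback"]:
        print(f"custom rules requested at {result['custom_path']!r} but not resolved; "
              f"bundled rules ran for {result['bundled_files']}", file=sys.stderr)
        sys.exit(1)
```

Wired into the workflow after the action step, this turns the observability the PR adds into an enforced check: a run that degrades to bundled rules exits non-zero instead of reporting a clean scan against the wrong ruleset.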
