Doug/add node and socket back into container (#11)

* Added support for custom_rules and fixed the posting of the socket facts json file

* Updated default javascript rules

* Updated actions yaml and parameters with the new options

* Fixed the call to the Socket SDK for submitting the socket facts file

* Updated default JS ruleset

* Fix exclude logic

* Added the sast custom rules folder to default exclusion if used

* Added exclusions for *.test.yml and *.test.yaml for sast custom rules

* more fixes for excluding the custom rules folder

Author: dacoburn

.gitignore

@@ -28,6 +28,7 @@ file_generator.py
 *.md
 test_results
 local_tests/
+custom_rules/
 
 # Common Python ignores
 __pycache__/
@@ -99,4 +100,5 @@ logs/
 # Ignore output logs and generated src files
 *.log
 
-.python-version
+.python-version
+.socket.fact.json

Dockerfile

@@ -11,6 +11,13 @@ COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 # Install system dependencies
 RUN apt-get update && apt-get install -y curl git wget
 
+# Install Node.js 22.x
+RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
+    apt-get install -y nodejs
+
+# Install Socket CLI globally
+RUN npm install -g socket
+
 # Install Trivy
 RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.67.2
 
@@ -30,7 +37,7 @@ COPY uv.lock /socket-basics/uv.lock
 # Install Python dependencies using uv from the project root
 WORKDIR /socket-basics
 RUN pip install -e . && uv sync --frozen --no-dev
-ENV PATH="/socket-basics/.venv/bin:/root/.opengrep/cli/latest:$PATH"
+ENV PATH="/socket-basics/.venv/bin:/root/.opengrep/cli/latest:/usr/bin:$PATH"
 
 # Use socket-basics as the default entrypoint
 ENTRYPOINT ["socket-basics"]

README.md

@@ -27,7 +27,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run Socket Basics
-        uses: SocketDev/[email protected].11
+        uses: SocketDev/[email protected].20
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -112,7 +112,7 @@ Configure scanning policies, notification channels, and rule sets for your entir
 
 **Dashboard-Configured (Enterprise):**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   env:
     GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
   with:
@@ -123,7 +123,7 @@ Configure scanning policies, notification channels, and rule sets for your entir
 
 **CLI-Configured:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   env:
     GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
   with:
@@ -139,10 +139,10 @@ Configure scanning policies, notification channels, and rule sets for your entir
 
 ```bash
 # Build with version tag
-docker build -t socketdev/socket-basics:1.0.11 .
+docker build -t socketdev/socket-basics:1.0.20 .
 
 # Run scan
-docker run --rm -v "$PWD:/workspace" socketdev/socket-basics:1.0.11 \
+docker run --rm -v "$PWD:/workspace" socketdev/socket-basics:1.0.20 \
   --workspace /workspace \
   --python-sast-enabled \
   --secret-scanning-enabled \

action.yml

@@ -8,10 +8,12 @@ runs:
   env:
     # Core GitHub variables (these are automatically available, but we explicitly pass GITHUB_TOKEN)
     GITHUB_TOKEN: ${{ inputs.github_token }}
+    INPUT_WORKSPACE: ${{ inputs.workspace }}
     # Input mappings for all parameters
     INPUT_ALL_LANGUAGES_ENABLED: ${{ inputs.all_languages_enabled }}
     INPUT_ALL_RULES_ENABLED: ${{ inputs.all_rules_enabled }}
     INPUT_CONTAINER_IMAGES_TO_SCAN: ${{ inputs.container_images }}
+    INPUT_CUSTOM_SAST_RULE_PATH: ${{ inputs.custom_sast_rule_path }}
     INPUT_CPP_DISABLED_RULES: ${{ inputs.cpp_disabled_rules }}
     INPUT_CPP_ENABLED_RULES: ${{ inputs.cpp_enabled_rules }}
     INPUT_CPP_SAST_ENABLED: ${{ inputs.cpp_sast_enabled }}
@@ -81,11 +83,16 @@ runs:
     INPUT_TRUFFLEHOG_EXCLUDE_DIR: ${{ inputs.trufflehog_exclude_dir }}
     INPUT_TRUFFLEHOG_NOTIFICATION_METHOD: ${{ inputs.notification_method }}
     INPUT_TRUFFLEHOG_SHOW_UNVERIFIED: ${{ inputs.trufflehog_show_unverified }}
+    INPUT_USE_CUSTOM_SAST_RULES: ${{ inputs.use_custom_sast_rules }}
     INPUT_WEBHOOK_URL: ${{ inputs.webhook_url }}
     SOCKET_ADDITIONAL_PARAMS: ${{ inputs.socket_additional_params }}
     SOCKET_TIER_1_ENABLED: ${{ inputs.socket_tier_1_enabled }}
 
 inputs:
+  workspace:
+    description: "Workspace directory to scan (defaults to GITHUB_WORKSPACE)"
+    required: false
+    default: ""
   socket_org:
     description: "Socket organization slug (required for Enterprise features)"
     required: false
@@ -126,6 +133,10 @@ inputs:
     description: "Comma-separated list of container images to scan (auto-enables image scanning)"
     required: false
     default: ""
+  custom_sast_rule_path:
+    description: "Relative path to custom SAST rules directory (relative to workspace if set, otherwise cwd)"
+    required: false
+    default: "custom_rules"
   cpp_disabled_rules:
     description: "Comma-separated list of C++ SAST rules to disable"
     required: false
@@ -386,6 +397,10 @@ inputs:
     description: "Show unverified secrets in TruffleHog results"
     required: false
     default: "false"
+  use_custom_sast_rules:
+    description: "Use custom SAST rules instead of bundled rules (falls back to bundled rules for languages without custom rules)"
+    required: false
+    default: "false"
   webhook_url:
     description: "Generic webhook URL for WebhookNotifier"
     required: false

docs/github-action.md

@@ -38,7 +38,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run Socket Basics
-        uses: SocketDev/[email protected].11
+        uses: SocketDev/[email protected].20
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -78,7 +78,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **SAST (Static Analysis):**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     # Enable SAST for specific languages
@@ -92,7 +92,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **Secret Scanning:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     secret_scanning_enabled: 'true'
@@ -104,7 +104,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **Container Scanning:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     # Scan Docker images (auto-enables container scanning)
@@ -115,7 +115,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 
 **Socket Tier 1 Reachability:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_tier_1_enabled: 'true'
@@ -124,7 +124,7 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 ### Output Configuration
 
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     python_sast_enabled: 'true'
@@ -154,7 +154,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev
 
 **Enable in workflow:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   env:
     GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
   with:
@@ -166,7 +166,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev
 
 > **Note:** You can also pass credentials using environment variables instead of the `with:` section:
 > ```yaml
-> - uses: SocketDev/[email protected].11
+> - uses: SocketDev/[email protected].20
 >   env:
 >     SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 >   with:
@@ -184,7 +184,7 @@ All notification integrations require Socket Enterprise.
 
 **Slack Notifications:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -196,7 +196,7 @@ All notification integrations require Socket Enterprise.
 
 **Jira Issue Creation:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -211,7 +211,7 @@ All notification integrations require Socket Enterprise.
 
 **Microsoft Teams:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -223,7 +223,7 @@ All notification integrations require Socket Enterprise.
 
 **Generic Webhook:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -235,7 +235,7 @@ All notification integrations require Socket Enterprise.
 
 **SIEM Integration:**
 ```yaml
-- uses: SocketDev/[email protected].11
+- uses: SocketDev/[email protected].20
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     socket_org: ${{ secrets.SOCKET_ORG }}
@@ -271,7 +271,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       
       - name: Run Socket Basics
-        uses: SocketDev/[email protected].11
+        uses: SocketDev/[email protected].20
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -317,7 +317,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       
       - name: Run Full Security Scan
-        uses: SocketDev/[email protected].11
+        uses: SocketDev/[email protected].20
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -368,10 +368,10 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       
       - name: Build Docker Image
-        run: docker build -t myapp:1.0.11:${{ github.sha }} .
+        run: docker build -t myapp:1.0.20:${{ github.sha }} .
       
       - name: Scan Container
-        uses: SocketDev/[email protected].11
+        uses: SocketDev/[email protected].20
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -404,7 +404,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       
       - name: Run Socket Basics
-        uses: SocketDev/[email protected].11
+        uses: SocketDev/[email protected].20
         env:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
@@ -497,7 +497,7 @@ env:
 ```yaml
 steps:
   - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - Must be first
-  - uses: SocketDev/[email protected].11
+  - uses: SocketDev/[email protected].20
 ```
 
 ### PR Comments Not Appearing