add --reach-version and --fix-version flags to override the default Coana version

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.40](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.40) - 2025-12-01
+
+### Added
+- Added `--reach-version` flag to `socket scan create` and `socket scan reach` to override the @coana-tech/cli version used for reachability analysis.
+- Added `--fix-version` flag to `socket fix` to override the @coana-tech/cli version used for fix analysis.
+
 ## [1.1.39](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.39) - 2025-12-01
 
 ### Added

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.39",
+  "version": "1.1.40",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",

src/commands/ci/handle-ci.mts

@@ -51,15 +51,16 @@ export async function handleCi(autoManifest: boolean): Promise<void> {
     pendingHead: true,
     pullRequest: 0,
     reach: {
-      reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
+      reachAnalysisTimeout: 0,
       reachConcurrency: 1,
       reachDebug: false,
-      reachDisableAnalytics: false,
       reachDisableAnalysisSplitting: false,
+      reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
       reachSkipCache: false,
+      reachVersion: undefined,
       runReachabilityAnalysis: false,
     },
     repoName,

src/commands/fix/cmd-fix.integration.test.mts

@@ -167,6 +167,7 @@ describe('socket fix', async () => {
             --autopilot         Enable auto-merge for pull requests that Socket opens.
                                 See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
             --exclude           Exclude workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags
+            --fix-version       Override the version of @coana-tech/cli used for fix analysis. Default: <coana-version>.
             --id                Provide a list of vulnerability identifiers to compute fixes for:
                                     - GHSA IDs (https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids) (e.g., GHSA-xxxx-xxxx-xxxx)
                                     - CVE IDs (https://cve.mitre.org/cve/identifiers/) (e.g., CVE-2025-1234) - automatically converted to GHSA

src/commands/fix/cmd-fix.mts

@@ -52,6 +52,10 @@ const generalFlags: MeowFlags = {
       'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository',
     )} for managing auto-merge for pull requests in your repository.`,
   },
+  fixVersion: {
+    type: 'string',
+    description: `Override the version of @coana-tech/cli used for fix analysis. Default: ${constants.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION}.`,
+  },
   applyFixes: {
     aliases: ['onlyCompute'],
     type: 'boolean',
@@ -258,6 +262,7 @@ async function run(
     applyFixes,
     autopilot,
     exclude,
+    fixVersion,
     include,
     json,
     limit,
@@ -276,6 +281,7 @@ async function run(
     applyFixes: boolean
     autopilot: boolean
     exclude: string[]
+    fixVersion: string | undefined
     include: string[]
     json: boolean
     limit: number
@@ -353,6 +359,7 @@ async function run(
   await handleFix({
     applyFixes,
     autopilot,
+    coanaVersion: fixVersion,
     cwd,
     disableMajorUpdates,
     exclude: excludePatterns,

src/commands/fix/coana-fix.mts

@@ -97,7 +97,7 @@ async function discoverGhsaIds(
       ...fixConfig.unknownFlags,
     ],
     orgSlug,
-    { cwd, spinner },
+    { coanaVersion: fixConfig.coanaVersion, cwd, spinner },
   )
 
   if (foundCResult.ok) {
@@ -115,6 +115,7 @@ export async function coanaFix(
   const {
     applyFixes,
     autopilot,
+    coanaVersion,
     cwd,
     disableMajorUpdates,
     exclude,
@@ -253,7 +254,7 @@ export async function coanaFix(
           ...fixConfig.unknownFlags,
         ],
         fixConfig.orgSlug,
-        { cwd, spinner, stdio: 'inherit' },
+        { coanaVersion, cwd, spinner, stdio: 'inherit' },
       )
 
       spinner?.stop()
@@ -374,7 +375,7 @@ export async function coanaFix(
         ...fixConfig.unknownFlags,
       ],
       fixConfig.orgSlug,
-      { cwd, spinner, stdio: 'inherit' },
+      { coanaVersion, cwd, spinner, stdio: 'inherit' },
     )
 
     if (!fixCResult.ok) {

src/commands/fix/handle-fix.mts

@@ -17,6 +17,7 @@ const CVE_FORMAT_REGEXP = /^CVE-\d{4}-\d{4,}$/
 export type HandleFixConfig = Remap<
   FixConfig & {
     applyFixes: boolean
+    coanaVersion?: string | undefined
     ghsas: string[]
     orgSlug: string
     outputKind: OutputKind
@@ -98,6 +99,7 @@ export async function convertIdsToGhsas(ids: string[]): Promise<string[]> {
 export async function handleFix({
   applyFixes,
   autopilot,
+  coanaVersion,
   cwd,
   disableMajorUpdates,
   exclude,
@@ -119,6 +121,7 @@ export async function handleFix({
   debugDir('inspect', {
     applyFixes,
     autopilot,
+    coanaVersion,
     cwd,
     disableMajorUpdates,
     exclude,
@@ -139,6 +142,7 @@ export async function handleFix({
     await coanaFix({
       applyFixes,
       autopilot,
+      coanaVersion,
       cwd,
       disableMajorUpdates,
       exclude,

src/commands/fix/types.mts

@@ -4,6 +4,7 @@ import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 export type FixConfig = {
   applyFixes: boolean
   autopilot: boolean
+  coanaVersion: string | undefined
   cwd: string
   disableMajorUpdates: boolean
   exclude: string[]

src/commands/scan/cmd-scan-create.mts

@@ -244,15 +244,16 @@ async function run(
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache,
+    reachVersion,
     readOnly,
     reportLevel,
     setAsAlertsPage: pendingHeadFlag,
     tmp,
   } = cli.flags as {
-    cwd: string
     commitHash: string
     commitMessage: string
     committers: string
+    cwd: string
     defaultBranch: boolean
     interactive: boolean
     json: boolean
@@ -265,13 +266,14 @@ async function run(
     tmp: boolean
     // Reachability flags.
     reach: boolean
-    reachAnalysisTimeout: number
     reachAnalysisMemoryLimit: number
+    reachAnalysisTimeout: number
     reachConcurrency: number
     reachDebug: boolean
-    reachDisableAnalytics: boolean
     reachDisableAnalysisSplitting: boolean
+    reachDisableAnalytics: boolean
     reachSkipCache: boolean
+    reachVersion: string | undefined
   }
 
   // Validate ecosystem values.
@@ -444,15 +446,19 @@ async function run(
     reachDisableAnalytics !==
     reachabilityFlags['reachDisableAnalytics']?.default
 
+  const isUsingNonDefaultVersion =
+    reachVersion !== reachabilityFlags['reachVersion']?.default
+
   const isUsingAnyReachabilityFlags =
-    isUsingNonDefaultMemoryLimit ||
-    isUsingNonDefaultTimeout ||
-    isUsingNonDefaultConcurrency ||
-    isUsingNonDefaultAnalytics ||
     hasReachEcosystems ||
     hasReachExcludePaths ||
-    reachSkipCache ||
-    reachDisableAnalysisSplitting
+    isUsingNonDefaultAnalytics ||
+    isUsingNonDefaultConcurrency ||
+    isUsingNonDefaultMemoryLimit ||
+    isUsingNonDefaultTimeout ||
+    isUsingNonDefaultVersion ||
+    reachDisableAnalysisSplitting ||
+    reachSkipCache
 
   // Validate target constraints when --reach is enabled.
   const reachTargetValidation = reach
@@ -558,16 +564,17 @@ async function run(
     pendingHead: Boolean(pendingHead),
     pullRequest: Number(pullRequest),
     reach: {
-      runReachabilityAnalysis: Boolean(reach),
-      reachDisableAnalytics: Boolean(reachDisableAnalytics),
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
+      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
       reachDebug: Boolean(reachDebug),
       reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+      reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache),
+      reachVersion,
+      runReachabilityAnalysis: Boolean(reach),
     },
     readOnly: Boolean(readOnly),
     repoName,

src/commands/scan/cmd-scan-create.test.mts

@@ -63,6 +63,7 @@ describe('socket scan create', async () => {
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
             --reach-skip-cache  Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
+            --reach-version     Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.
 
           Uploads the specified dependency manifest files for Go, Gradle, JavaScript,
           Kotlin, Python, and Scala. Files like "package.json" and "requirements.txt".

src/commands/scan/cmd-scan-reach.mts

@@ -128,20 +128,22 @@ async function run(
     reachDisableAnalysisSplitting,
     reachDisableAnalytics,
     reachSkipCache,
+    reachVersion,
   } = cli.flags as {
     cwd: string
     interactive: boolean
     json: boolean
     markdown: boolean
     org: string
     output: string
-    reachAnalysisTimeout: number
     reachAnalysisMemoryLimit: number
+    reachAnalysisTimeout: number
     reachConcurrency: number
     reachDebug: boolean
-    reachDisableAnalytics: boolean
     reachDisableAnalysisSplitting: boolean
+    reachDisableAnalytics: boolean
     reachSkipCache: boolean
+    reachVersion: string | undefined
   }
 
   const dryRun = !!cli.flags['dryRun']
@@ -252,15 +254,16 @@ async function run(
     outputKind,
     outputPath: outputPath || '',
     reachabilityOptions: {
-      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
+      reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
       reachDebug: Boolean(reachDebug),
-      reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+      reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
       reachSkipCache: Boolean(reachSkipCache),
+      reachVersion,
     },
     targets,
   })

src/commands/scan/cmd-scan-reach.test.mts

@@ -46,6 +46,7 @@ describe('socket scan reach', async () => {
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
             --reach-skip-cache  Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
+            --reach-version     Override the version of @coana-tech/cli used for reachability analysis. Default: <coana-version>.
 
           Runs the Socket reachability analysis without creating a scan in Socket.
           The output is written to .socket.facts.json in the current working directory

src/commands/scan/create-scan-from-github.mts

@@ -249,16 +249,17 @@ async function scanOneRepo(
     pendingHead: true,
     pullRequest: 0,
     reach: {
-      runReachabilityAnalysis: false,
-      reachDisableAnalytics: false,
-      reachAnalysisTimeout: 0,
       reachAnalysisMemoryLimit: 0,
+      reachAnalysisTimeout: 0,
       reachConcurrency: 1,
       reachDebug: false,
       reachDisableAnalysisSplitting: false,
+      reachDisableAnalytics: false,
       reachEcosystems: [],
       reachExcludePaths: [],
       reachSkipCache: false,
+      reachVersion: undefined,
+      runReachabilityAnalysis: false,
     },
     readOnly: false,
     repoName: repoSlug,

src/commands/scan/perform-reachability-analysis.mts

@@ -14,15 +14,16 @@ import type { PURL_Type } from '../../utils/ecosystem.mts'
 import type { Spinner } from '@socketsecurity/registry/lib/spinner'
 
 export type ReachabilityOptions = {
-  reachAnalysisTimeout: number
   reachAnalysisMemoryLimit: number
+  reachAnalysisTimeout: number
   reachConcurrency: number
   reachDebug: boolean
-  reachDisableAnalytics: boolean
   reachDisableAnalysisSplitting: boolean
+  reachDisableAnalytics: boolean
   reachEcosystems: PURL_Type[]
   reachExcludePaths: string[]
   reachSkipCache: boolean
+  reachVersion: string | undefined
 }
 
 export type ReachabilityAnalysisOptions = {
@@ -201,6 +202,7 @@ export async function performReachabilityAnalysis(
 
   // Run Coana with the manifests tar hash.
   const coanaResult = await spawnCoanaDlx(coanaArgs, orgSlug, {
+    coanaVersion: reachabilityOptions.reachVersion,
     cwd,
     env: coanaEnv,
     spinner,

src/commands/scan/reachability-flags.mts

@@ -1,6 +1,12 @@
+import constants from '../../constants.mts'
+
 import type { MeowFlags } from '../../flags.mts'
 
 export const reachabilityFlags: MeowFlags = {
+  reachVersion: {
+    type: 'string',
+    description: `Override the version of @coana-tech/cli used for reachability analysis. Default: ${constants.ENV.INLINED_SOCKET_CLI_COANA_TECH_CLI_VERSION}.`,
+  },
   reachAnalysisMemoryLimit: {
     type: 'number',
     default: 8192,