fix(scan): respect projectIgnorePaths from socket.yml (#1225)

jdalton · web-flow · commit 4c26d1d7c341 · 2026-04-17T19:38:39.000-04:00
Backport of v1.x #1137 to main. `socket scan create`, `socket scan reach`, and `socket fix` (coana path) now honor the `projectIgnorePaths` list from socket.yml when collecting files. The underlying glob infrastructure (`globWithGitIgnore`) and `getPackageFilesForScan` already accepted a `config` option on main — we just weren't feeding socket.yml into it from these three callers. Changes: * `handle-create-new-scan.mts`: load socket.yml via `findSocketYmlSync` and pass through as `config` to `getPackageFilesForScan`. * `handle-scan-reach.mts`: same. * `coana-fix.mts`: same. * `test/unit/commands/fix/handle-fix-limit.test.mts`: mock for `@socketsecurity/lib/fs` now also returns `safeReadFileSync` since `findSocketYmlSync` calls it; the no-op returns `undefined` so the test treats socket.yml as absent.
diff --git a/packages/cli/src/commands/fix/coana-fix.mts b/packages/cli/src/commands/fix/coana-fix.mts
@@ -29,6 +29,7 @@ import {
 import { FLAG_DRY_RUN } from '../../constants/cli.mts'
 import { GQL_PR_STATE_OPEN } from '../../constants/github.mts'
 import { DOT_SOCKET_DOT_FACTS_JSON } from '../../constants/paths.mts'
+import { findSocketYmlSync } from '../../utils/config.mts'
 import { spawnCoanaDlx } from '../../utils/dlx/spawn.mjs'
 import { getErrorCause } from '../../utils/error/errors.mjs'
 import { getPackageFilesForScan } from '../../utils/fs/path-resolve.mjs'
@@ -121,7 +122,15 @@ export async function coanaFix(
   }
 
   const supportedFiles = supportedFilesCResult.data
+
+  // Load socket.yml so projectIgnorePaths is respected when collecting files.
+  const socketYmlResult = findSocketYmlSync(cwd)
+  const socketConfig = socketYmlResult.ok
+    ? socketYmlResult.data?.parsed
+    : undefined
+
   const scanFilepaths = await getPackageFilesForScan(['.'], supportedFiles, {
+    config: socketConfig,
     cwd,
   })
 
diff --git a/packages/cli/src/commands/scan/handle-create-new-scan.mts b/packages/cli/src/commands/scan/handle-create-new-scan.mts
@@ -31,6 +31,7 @@ import { runSocketBasics } from '../../utils/basics/spawn.mts'
 function excludeFactsJson(paths: string[]): string[] {
   return paths.filter(p => path.basename(p) !== DOT_SOCKET_DOT_FACTS_JSON)
 }
+import { findSocketYmlSync } from '../../utils/config.mts'
 import { getPackageFilesForScan } from '../../utils/fs/path-resolve.mts'
 import { readOrDefaultSocketJson } from '../../utils/socket/json.mts'
 import { socketDocsLink } from '../../utils/terminal/link.mts'
@@ -149,7 +150,15 @@ export async function handleCreateNewScan({
   spinner.start('Searching for local files to include in scan...')
 
   const supportedFiles = supportedFilesCResult.data
+
+  // Load socket.yml so projectIgnorePaths is respected when collecting files.
+  const socketYmlResult = findSocketYmlSync(cwd)
+  const socketConfig = socketYmlResult.ok
+    ? socketYmlResult.data?.parsed
+    : undefined
+
   const packagePaths = await getPackageFilesForScan(targets, supportedFiles, {
+    config: socketConfig,
     cwd,
   })
 
diff --git a/packages/cli/src/commands/scan/handle-scan-reach.mts b/packages/cli/src/commands/scan/handle-scan-reach.mts
@@ -7,6 +7,7 @@ const logger = getDefaultLogger()
 import { fetchSupportedScanFileNames } from './fetch-supported-scan-file-names.mts'
 import { outputScanReach } from './output-scan-reach.mts'
 import { performReachabilityAnalysis } from './perform-reachability-analysis.mts'
+import { findSocketYmlSync } from '../../utils/config.mts'
 import { getPackageFilesForScan } from '../../utils/fs/path-resolve.mts'
 import { checkCommandInput } from '../../utils/validation/check-input.mts'
 
@@ -49,7 +50,15 @@ export async function handleScanReach({
   )
 
   const supportedFiles = supportedFilesCResult.data
+
+  // Load socket.yml so projectIgnorePaths is respected when collecting files.
+  const socketYmlResult = findSocketYmlSync(cwd)
+  const socketConfig = socketYmlResult.ok
+    ? socketYmlResult.data?.parsed
+    : undefined
+
   const packagePaths = await getPackageFilesForScan(targets, supportedFiles, {
+    config: socketConfig,
     cwd,
   })
 
diff --git a/packages/cli/test/unit/commands/fix/handle-fix-limit.test.mts b/packages/cli/test/unit/commands/fix/handle-fix-limit.test.mts
@@ -113,6 +113,8 @@ vi.mock('../../../../src/commands/fix/pr-lifecycle-logger.mts', () => ({
 
 vi.mock('@socketsecurity/lib/fs', () => ({
   readJsonSync: mockReadJsonSync,
+  // Return undefined so findSocketYmlSync treats socket.yml as absent.
+  safeReadFileSync: vi.fn(() => undefined),
 }))
 
 vi.mock('node:fs', () => ({
