fix(scan create): detect --default-branch=<name> misuse

jdalton · jdalton · commit 50d4d2b5a610 · 2026-04-17T20:07:08.000-04:00
`--default-branch` is a boolean meow flag, so
`--default-branch=main` silently becomes `defaultBranch=true` with
the `"main"` portion discarded. Users with that (reasonable)
intuition ended up with scans that weren't tagged with any branch
name and didn't show up in the Main/PR dashboard tabs.

Pre-flight check in `run()` scans the raw argv for
`--default-branch=&lt;value&gt;`. Values that coerce to boolean
(`true` / `false`, any case) are let through; anything else is
treated as a misuse and fails with:

    ✗ "--default-branch=main" looks like you meant the branch name "main".
    --default-branch is a boolean flag; pass the branch name with --branch instead:
      socket scan create --branch main --default-branch

Exits with code 2 (invalid usage), consistent with other flag
validation failures in this command.

Added tests:
  * misuse form with a branch-name value is caught and logged
  * explicit `--default-branch=true|false|TRUE` all pass through
  * bare `--default-branch` with paired `--branch main` flows through
diff --git a/packages/cli/src/commands/scan/cmd-scan-create.mts b/packages/cli/src/commands/scan/cmd-scan-create.mts
@@ -208,6 +208,38 @@ export const cmdScanCreate = {
   run,
 }
 
+/**
+ * Detect `--default-branch=<non-bool-string>` in raw argv.
+ *
+ * The flag is declared as a boolean, so meow/yargs-parser treats the
+ * `=<value>` portion as truthy and discards the actual string. Users
+ * who type `--default-branch=main` (reasonable intuition — "set my
+ * default branch to main") end up with a scan that isn't tagged with
+ * any branch and doesn't appear in the Main/PR dashboard tabs.
+ *
+ * Returns the discarded value so callers can surface it in the error
+ * message, or `undefined` if no misuse is present.
+ *
+ * Values that coerce cleanly to boolean (`true`, `false`, case-insensitive)
+ * are accepted — those are legitimate, explicit ways to set the flag.
+ */
+function findDefaultBranchValueMisuse(
+  argv: readonly string[],
+): string | undefined {
+  for (const arg of argv) {
+    if (!arg.startsWith('--default-branch=')) {
+      continue
+    }
+    const value = arg.slice('--default-branch='.length)
+    const normalized = value.toLowerCase()
+    if (normalized === 'true' || normalized === 'false' || value === '') {
+      continue
+    }
+    return value
+  }
+  return undefined
+}
+
 async function run(
   argv: string[] | readonly string[],
   importMeta: ImportMeta,
@@ -272,6 +304,21 @@ async function run(
   `,
   }
 
+  // Detect the common `--default-branch=main` misuse before meow parses.
+  // `--default-branch` is a boolean — meow/yargs-parser treats
+  // `--default-branch=main` as `defaultBranch=true` and silently drops
+  // the "main" portion, so the user's scan gets tagged without the
+  // intended branch name and doesn't appear in the Main/PR dashboard
+  // tabs. Fail fast with a suggestion toward the correct form.
+  const defaultBranchMisuse = findDefaultBranchValueMisuse(argv)
+  if (defaultBranchMisuse) {
+    logger.fail(
+      `"--default-branch=${defaultBranchMisuse}" looks like you meant the branch name "${defaultBranchMisuse}".\n--default-branch is a boolean flag; pass the branch name with --branch instead:\n  socket scan create --branch ${defaultBranchMisuse} --default-branch`,
+    )
+    process.exitCode = 2
+    return
+  }
+
   const cli = meowOrExit({
     argv,
     config,
diff --git a/packages/cli/test/unit/commands/scan/cmd-scan-create.test.mts b/packages/cli/test/unit/commands/scan/cmd-scan-create.test.mts
@@ -1366,5 +1366,63 @@ describe('cmd-scan-create', () => {
         expect(mockHandleCreateNewScan).not.toHaveBeenCalled()
       })
     })
+
+    describe('--default-branch misuse detection', () => {
+      // --default-branch is a boolean flag; meow silently discards the
+      // `=<value>` portion on `--default-branch=<name>`. Catch that
+      // pattern before meow parses so users get a clear error pointing
+      // at the right shape (`--branch <name> --default-branch`).
+      it('fails when --default-branch=<name> is passed with a branch name', async () => {
+        await cmdScanCreate.run(
+          ['--org', 'test-org', '--default-branch=main', '.'],
+          importMeta,
+          context,
+        )
+
+        expect(process.exitCode).toBe(2)
+        expect(mockHandleCreateNewScan).not.toHaveBeenCalled()
+        expect(mockLogger.fail).toHaveBeenCalledWith(
+          expect.stringContaining(
+            '"--default-branch=main" looks like you meant the branch name "main"',
+          ),
+        )
+        expect(mockLogger.fail).toHaveBeenCalledWith(
+          expect.stringContaining('--branch main --default-branch'),
+        )
+      })
+
+      it.each(['--default-branch=true', '--default-branch=false', '--default-branch=TRUE'])(
+        'allows %s (explicit boolean form)',
+        async arg => {
+          mockHasDefaultApiToken.mockReturnValueOnce(true)
+
+          await cmdScanCreate.run(
+            ['--org', 'test-org', '--branch', 'main', arg, '.', '--no-interactive'],
+            importMeta,
+            context,
+          )
+
+          // Didn't short-circuit on misuse detection; meow parsed the flag
+          // normally and the command flowed through to handleCreateNewScan.
+          expect(mockLogger.fail).not.toHaveBeenCalledWith(
+            expect.stringContaining('looks like you meant the branch name'),
+          )
+        },
+      )
+
+      it('allows bare --default-branch (default truthy form)', async () => {
+        mockHasDefaultApiToken.mockReturnValueOnce(true)
+
+        await cmdScanCreate.run(
+          ['--org', 'test-org', '--branch', 'main', '--default-branch', '.', '--no-interactive'],
+          importMeta,
+          context,
+        )
+
+        expect(mockLogger.fail).not.toHaveBeenCalledWith(
+          expect.stringContaining('looks like you meant the branch name'),
+        )
+      })
+    })
   })
 })
