fix: custom SAST config normalization + precedence handling

lelia · lelia · commit 047aedf86c4f · 2026-04-09T22:37:56.000-04:00
Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/socket_basics/core/config.py b/socket_basics/core/config.py
@@ -897,6 +897,10 @@ def normalize_api_config(api_config: Dict[str, Any]) -> Dict[str, Any]:
         
         # OpenGrep/SAST Configuration
         'openGrepNotificationMethod': 'opengrep_notification_method',
+        'useCustomSastRules': 'use_custom_sast_rules',
+        'customSastRulePath': 'custom_sast_rule_path',
+        # Accept common pluralized variant for robustness.
+        'customSastRulesPath': 'custom_sast_rule_path',
         
         # Socket Tier 1
         'socketTier1Enabled': 'socket_tier_1_enabled',
@@ -1004,13 +1008,15 @@ def merge_json_and_env_config(json_config: Dict[str, Any] | None = None) -> Dict
     Returns:
         Merged configuration dictionary
     """
+    logger = logging.getLogger(__name__)
+
     # Start with environment defaults (lowest priority)
     config = load_config_from_env()
+    logger.info("Configuration sources: environment defaults loaded")
     
     # Override with Socket Basics API config if no explicit JSON config provided
     # API config takes precedence over environment defaults
     if not json_config:
-        logger = logging.getLogger(__name__)
         logger.debug(" No JSON config provided, attempting to load Socket Basics API config")
         socket_basics_config = load_socket_basics_config()
         logger.debug(f" Socket Basics API config result: {socket_basics_config is not None}")
@@ -1027,7 +1033,10 @@ def merge_json_and_env_config(json_config: Dict[str, Any] | None = None) -> Dict
                     continue
                 filtered_config[k] = v
             config.update(filtered_config)
-            logging.getLogger(__name__).info("Loaded Socket Basics API configuration (overrides environment defaults)")
+            if bool(filtered_config.get('socket_has_enterprise', False)):
+                logging.getLogger(__name__).info("Loaded Socket Basics API configuration (overrides environment defaults)")
+            else:
+                logging.getLogger(__name__).info("Loaded Socket plan metadata (free/non-enterprise mode; no dashboard overrides)")
         else:
             logger.debug(" No Socket Basics API config loaded")
     
@@ -1049,6 +1058,13 @@ def merge_json_and_env_config(json_config: Dict[str, Any] | None = None) -> Dict
     
     # Note: CLI arguments are handled separately and take highest priority
     # They override the config object after this merge completes
+    logger.info(
+        "Effective custom SAST config: use_custom_sast_rules=%s custom_sast_rule_path=%s all_languages_enabled=%s all_rules_enabled=%s",
+        bool(config.get('use_custom_sast_rules', False)),
+        config.get('custom_sast_rule_path', ''),
+        bool(config.get('all_languages_enabled', False)),
+        bool(config.get('all_rules_enabled', False)),
+    )
     
     return config
 
@@ -1087,9 +1103,9 @@ def add_dynamic_cli_args(parser: argparse.ArgumentParser):
                 if param_type == 'bool':
                     parser.add_argument(option, action='store_true', help=description)
                 elif param_type == 'str':
-                    parser.add_argument(option, type=str, default=default, help=description)
+                    parser.add_argument(option, type=str, default=None, help=description)
                 elif param_type == 'int':
-                    parser.add_argument(option, type=int, default=default, help=description)
+                    parser.add_argument(option, type=int, default=None, help=description)
                     
     except Exception as e:
         logging.getLogger(__name__).warning("Warning: Could not load dynamic CLI args: %s", e)
@@ -1116,9 +1132,9 @@ def add_dynamic_cli_args(parser: argparse.ArgumentParser):
                     if p_type == 'bool':
                         parser.add_argument(option, action='store_true', help=desc)
                     elif p_type == 'int':
-                        parser.add_argument(option, type=int, default=default, help=desc)
+                        parser.add_argument(option, type=int, default=None, help=desc)
                     else:
-                        parser.add_argument(option, type=str, default=default, help=desc)
+                        parser.add_argument(option, type=str, default=None, help=desc)
     except Exception:
         pass
 
@@ -1127,7 +1143,7 @@ def parse_cli_args():
     """Parse command line arguments and return argument parser"""
     parser = argparse.ArgumentParser(description='Socket Security Basics - Dynamic security scanning')
     parser.add_argument('--config', type=str, 
-                       help='Path to JSON configuration file. JSON config is merged with environment variables (environment takes precedence)')
+                       help='Path to JSON configuration file. JSON config is merged with environment variables (JSON takes precedence)')
     parser.add_argument('--output', type=str, default='.socket.facts.json', 
                        help='Output file name (default: .socket.facts.json)')
     parser.add_argument('--workspace', type=str, help='Workspace directory to scan')
diff --git a/tests/test_config_custom_sast.py b/tests/test_config_custom_sast.py
@@ -0,0 +1,69 @@
+from socket_basics.core import config as config_module
+from socket_basics.core.config import (
+    create_config_from_args,
+    merge_json_and_env_config,
+    normalize_api_config,
+    parse_cli_args,
+)
+
+
+def test_normalize_api_config_maps_custom_sast_keys():
+    normalized = normalize_api_config(
+        {
+            "useCustomSastRules": True,
+            "customSastRulePath": ".socket/rules",
+        }
+    )
+
+    assert normalized["use_custom_sast_rules"] is True
+    assert normalized["custom_sast_rule_path"] == ".socket/rules"
+
+
+def test_normalize_api_config_maps_custom_sast_plural_path_alias():
+    normalized = normalize_api_config({"customSastRulesPath": "custom_rules"})
+    assert normalized["custom_sast_rule_path"] == "custom_rules"
+
+
+def test_merge_json_and_env_config_api_overrides_env_custom_sast(monkeypatch):
+    monkeypatch.setenv("INPUT_USE_CUSTOM_SAST_RULES", "true")
+    monkeypatch.setenv("INPUT_CUSTOM_SAST_RULE_PATH", ".socket/rules")
+
+    monkeypatch.setattr(
+        config_module,
+        "load_socket_basics_config",
+        lambda: {"useCustomSastRules": False, "customSastRulePath": "dashboard/rules"},
+    )
+
+    merged = merge_json_and_env_config()
+    assert merged["use_custom_sast_rules"] is False
+    assert merged["custom_sast_rule_path"] == "dashboard/rules"
+
+
+def test_merge_json_and_env_config_json_overrides_env_custom_sast(monkeypatch):
+    monkeypatch.setenv("INPUT_USE_CUSTOM_SAST_RULES", "false")
+    monkeypatch.setenv("INPUT_CUSTOM_SAST_RULE_PATH", "custom_rules")
+
+    merged = merge_json_and_env_config(
+        {"useCustomSastRules": True, "customSastRulePath": ".socket/rules"}
+    )
+    assert merged["use_custom_sast_rules"] is True
+    assert merged["custom_sast_rule_path"] == ".socket/rules"
+
+
+def test_create_config_from_args_does_not_override_env_custom_path(monkeypatch):
+    monkeypatch.setenv("INPUT_USE_CUSTOM_SAST_RULES", "true")
+    monkeypatch.setenv("INPUT_CUSTOM_SAST_RULE_PATH", ".socket/rules")
+
+    monkeypatch.setattr(config_module, "_discover_repository", lambda *args, **kwargs: "repo")
+    monkeypatch.setattr(config_module, "_discover_branch", lambda *args, **kwargs: "branch")
+    monkeypatch.setattr(config_module, "_discover_commit_hash", lambda *args, **kwargs: "commit")
+    monkeypatch.setattr(config_module, "_discover_is_default_branch", lambda *args, **kwargs: False)
+    monkeypatch.setattr(config_module, "_discover_pull_request", lambda *args, **kwargs: 0)
+    monkeypatch.setattr(config_module, "_discover_committers", lambda *args, **kwargs: [])
+
+    parser = parse_cli_args()
+    args = parser.parse_args([])
+    config = create_config_from_args(args)
+
+    assert config.get("use_custom_sast_rules") is True
+    assert config.get("custom_sast_rule_path") == ".socket/rules"
