add legal presets, file-based compliance artifacts

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

socketsecurity/config.py

@@ -79,13 +79,16 @@ class CliConfig:
     enable_debug: bool = False
     allow_unverified: bool = False
     enable_json: bool = False
+    json_file: Optional[str] = None
     enable_sarif: bool = False
     sarif_file: Optional[str] = None
     sarif_scope: str = "diff"
     sarif_grouping: str = "instance"
     sarif_reachability: str = "all"
     enable_gitlab_security: bool = False
     gitlab_security_file: Optional[str] = None
+    summary_file: Optional[str] = None
+    report_link_file: Optional[str] = None
     disable_overview: bool = False
     disable_security_issue: bool = False
     files: str = None
@@ -132,6 +135,7 @@ class CliConfig:
     reach_use_only_pregenerated_sboms: bool = False
     max_purl_batch_size: int = 5000
     enable_commit_status: bool = False
+    legal: bool = False
     config_file: Optional[str] = None
 
     @classmethod
@@ -189,13 +193,16 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'enable_diff': args.enable_diff,
             'allow_unverified': args.allow_unverified,
             'enable_json': args.enable_json,
+            'json_file': args.json_file,
             'enable_sarif': args.enable_sarif,
             'sarif_file': args.sarif_file,
             'sarif_scope': args.sarif_scope,
             'sarif_grouping': args.sarif_grouping,
             'sarif_reachability': args.sarif_reachability,
             'enable_gitlab_security': args.enable_gitlab_security,
             'gitlab_security_file': args.gitlab_security_file,
+            'summary_file': args.summary_file,
+            'report_link_file': args.report_link_file,
             'disable_overview': args.disable_overview,
             'disable_security_issue': args.disable_security_issue,
             'files': args.files,
@@ -236,9 +243,23 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'reach_use_only_pregenerated_sboms': args.reach_use_only_pregenerated_sboms,
             'max_purl_batch_size': args.max_purl_batch_size,
             'enable_commit_status': args.enable_commit_status,
+            'legal': args.legal,
             'config_file': args.config_file,
             'version': __version__
         }
+
+        if args.legal:
+            config_args['generate_license'] = True
+            if not config_args['json_file']:
+                config_args['json_file'] = "socket-report.json"
+            if not config_args['summary_file']:
+                config_args['summary_file'] = "socket-summary.txt"
+            if not config_args['report_link_file']:
+                config_args['report_link_file'] = "socket-report-link.txt"
+            if not config_args['sbom_file']:
+                config_args['sbom_file'] = "socket-sbom.json"
+            if config_args['license_file_name'] == "license_output.json":
+                config_args['license_file_name'] = "socket-license.json"
         excluded_ecosystems = config_args["excluded_ecosystems"]
         if isinstance(excluded_ecosystems, list):
             config_args["excluded_ecosystems"] = excluded_ecosystems
@@ -560,6 +581,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Output in JSON format"
     )
+    output_group.add_argument(
+        "--json-file",
+        dest="json_file",
+        metavar="<path>",
+        help="Output file path for JSON report"
+    )
     output_group.add_argument(
         "--enable-sarif",
         dest="enable_sarif",
@@ -607,6 +634,18 @@ def create_argument_parser() -> argparse.ArgumentParser:
         default="gl-dependency-scanning-report.json",
         help="Output file path for GitLab Security report (default: gl-dependency-scanning-report.json)"
     )
+    output_group.add_argument(
+        "--summary-file",
+        dest="summary_file",
+        metavar="<path>",
+        help="Output file path for a plain-text summary report"
+    )
+    output_group.add_argument(
+        "--report-link-file",
+        dest="report_link_file",
+        metavar="<path>",
+        help="Output file path for the Socket report link"
+    )
     output_group.add_argument(
         "--disable-overview",
         dest="disable_overview",
@@ -723,6 +762,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Disable SSL certificate verification for API requests"
     )
+    advanced_group.add_argument(
+        "--legal",
+        dest="legal",
+        action="store_true",
+        help="Enable legal/compliance-friendly defaults and file outputs"
+    )
     config_group.add_argument(
         "--include-module-folders",
         dest="include_module_folders",

socketsecurity/output.py

@@ -90,6 +90,9 @@ def handle_output(self, diff_report: Diff) -> None:
             plugin_mgr = PluginManager({"slack": slack_config})
             plugin_mgr.send(diff_report, config=self.config)
 
+        self.save_json_file(diff_report, getattr(self.config, "json_file", None))
+        self.save_summary_file(diff_report, getattr(self.config, "summary_file", None))
+        self.save_report_link_file(diff_report, getattr(self.config, "report_link_file", None))
         self.save_sbom_file(diff_report, self.config.sbom_file)
 
     def return_exit_code(self, diff_report: Diff) -> int:
@@ -107,50 +110,15 @@ def return_exit_code(self, diff_report: Diff) -> int:
 
     def output_console_comments(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None:
         """Outputs formatted console comments"""
-        selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking)
-        has_new_alerts = len(selected_alerts) > 0
-        has_unchanged_alerts = (
-            self.config.strict_blocking and
-            hasattr(diff_report, 'unchanged_alerts') and
-            len(diff_report.unchanged_alerts) > 0
-        )
-
-        if not has_new_alerts and not has_unchanged_alerts:
-            self.logger.info("No issues found")
-            return
-
-        # Count blocking vs warning alerts
-        new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error)
-        new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn)
-
-        unchanged_blocking = 0
-        unchanged_warning = 0
-        if has_unchanged_alerts:
-            unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error)
-            unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn)
-
-        selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts)
-        console_security_comment = Messages.create_console_security_alert_table(selected_diff)
-
-        # Build status message
-        self.logger.info("Security issues detected by Socket Security:")
-        if new_blocking > 0:
-            self.logger.info(f"  - NEW blocking issues: {new_blocking}")
-        if new_warning > 0:
-            self.logger.info(f"  - NEW warning issues: {new_warning}")
-        if unchanged_blocking > 0:
-            self.logger.info(f"  - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)")
-        if unchanged_warning > 0:
-            self.logger.info(f"  - EXISTING warning issues: {unchanged_warning}")
-
-        self.logger.info(f"Diff Url: {diff_report.diff_url}")
-        self.logger.info(f"\n{console_security_comment}")
+        summary_text = self.build_summary_text(diff_report)
+        for line in summary_text.splitlines():
+            self.logger.info(line)
+        if not summary_text.strip():
+            self.logger.info("")
 
     def output_console_json(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None:
         """Outputs JSON formatted results"""
-        selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking)
-        selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts)
-        console_security_comment = Messages.create_security_comment_json(selected_diff)
+        console_security_comment = self.build_json_report(diff_report)
         self.save_sbom_file(diff_report, sbom_file_name)
         self.logger.info(json.dumps(console_security_comment))
 
@@ -249,11 +217,96 @@ def save_sbom_file(self, diff_report: Diff, sbom_file_name: Optional[str] = None
         if not sbom_file_name or not diff_report.sbom:
             return
 
-        sbom_path = Path(sbom_file_name)
-        sbom_path.parent.mkdir(parents=True, exist_ok=True)
+        self.write_json_file(sbom_file_name, diff_report.sbom)
 
-        with open(sbom_path, "w") as f:
-            json.dump(diff_report.sbom, f, indent=2)
+    def build_summary_text(self, diff_report: Diff) -> str:
+        """Render the console summary text for stdout and file output."""
+        selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking)
+        has_new_alerts = len(selected_alerts) > 0
+        has_unchanged_alerts = (
+            self.config.strict_blocking and
+            hasattr(diff_report, 'unchanged_alerts') and
+            len(diff_report.unchanged_alerts) > 0
+        )
+
+        if not has_new_alerts and not has_unchanged_alerts:
+            return "No issues found"
+
+        new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error)
+        new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn)
+
+        unchanged_blocking = 0
+        unchanged_warning = 0
+        if has_unchanged_alerts:
+            unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error)
+            unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn)
+
+        selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts)
+        console_security_comment = Messages.create_console_security_alert_table(selected_diff)
+
+        lines = ["Security issues detected by Socket Security:"]
+        if new_blocking > 0:
+            lines.append(f"  - NEW blocking issues: {new_blocking}")
+        if new_warning > 0:
+            lines.append(f"  - NEW warning issues: {new_warning}")
+        if unchanged_blocking > 0:
+            lines.append(
+                f"  - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)"
+            )
+        if unchanged_warning > 0:
+            lines.append(f"  - EXISTING warning issues: {unchanged_warning}")
+
+        report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "")
+        lines.append(f"Diff Url: {report_link}")
+        lines.append("")
+        lines.append(str(console_security_comment))
+        return "\n".join(lines)
+
+    def build_json_report(self, diff_report: Diff) -> dict:
+        """Build the JSON report payload for stdout and file output."""
+        selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking)
+        selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts)
+        report = Messages.create_security_comment_json(selected_diff)
+        legal_flag = getattr(self.config, "legal", False)
+        repo = getattr(self.config, "repo", None)
+        branch = getattr(self.config, "branch", None)
+        commit_sha = getattr(self.config, "commit_sha", None)
+        report["report_url"] = getattr(diff_report, "report_url", None)
+        report["repo"] = repo if isinstance(repo, str) or repo is None else None
+        report["branch"] = branch if isinstance(branch, str) or branch is None else None
+        report["commit_sha"] = commit_sha if isinstance(commit_sha, str) or commit_sha is None else None
+        report["legal_mode"] = legal_flag if isinstance(legal_flag, bool) else False
+        return report
+
+    def save_json_file(self, diff_report: Diff, json_file_name: Optional[str] = None) -> None:
+        if not json_file_name:
+            return
+        self.write_json_file(json_file_name, self.build_json_report(diff_report))
+
+    def save_summary_file(self, diff_report: Diff, summary_file_name: Optional[str] = None) -> None:
+        if not summary_file_name:
+            return
+        self.write_text_file(summary_file_name, self.build_summary_text(diff_report) + "\n")
+
+    def save_report_link_file(self, diff_report: Diff, report_link_file_name: Optional[str] = None) -> None:
+        if not report_link_file_name:
+            return
+        report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "")
+        if not report_link:
+            return
+        self.write_text_file(report_link_file_name, report_link + "\n")
+
+    def write_json_file(self, file_name: str, content: Any) -> None:
+        file_path = Path(file_name)
+        file_path.parent.mkdir(parents=True, exist_ok=True)
+        with open(file_path, "w") as f:
+            json.dump(content, f, indent=2)
+
+    def write_text_file(self, file_name: str, content: str) -> None:
+        file_path = Path(file_name)
+        file_path.parent.mkdir(parents=True, exist_ok=True)
+        with open(file_path, "w") as f:
+            f.write(content)
 
     def output_gitlab_security(self, diff_report: Diff) -> None:
         """