Normalize env vars (#589)

Author: jdalton

README.md

@@ -82,7 +82,7 @@ use of the `projectIgnorePaths` to excludes files when creating a report.
 
 ## Environment variables
 
-- `SOCKET_SECURITY_API_TOKEN` - if set, this will be used as the API-key
+- `SOCKET_CLI_API_TOKEN` - if set, this will be used as the API-key
 
 ## Contributing
 
@@ -101,9 +101,9 @@ That should invoke it from local sources. If you make changes you run
 
 ### Environment variables for development
 
-- `SOCKET_SECURITY_API_BASE_URL` - if set, this will be the base for all
+- `SOCKET_CLI_API_BASE_URL` - if set, this will be the base for all
   API-calls. Defaults to `https://api.socket.dev/v0/`
-- `SOCKET_SECURITY_API_PROXY` - if set to something like
+- `SOCKET_CLI_API_PROXY` - if set to something like
   [`http://127.0.0.1:9090`](https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries),
   then all request will be proxied through that proxy
 

src/commands/config/cmd-config-get.test.mts

@@ -137,7 +137,7 @@ describe('socket config get', async () => {
         'should return the env var token when set',
         async cmd => {
           const { stderr, stdout } = await invokeNpm(entryPath, cmd, {
-            SOCKET_SECURITY_API_TOKEN: 'abc',
+            SOCKET_CLI_API_TOKEN: 'abc',
           })
           expect(stdout).toMatchInlineSnapshot(
             `

src/commands/fix/npm-fix.mts

@@ -132,8 +132,7 @@ export async function npmFix(
   }
 
   // Lazily access constants.ENV properties.
-  const token =
-    constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN
+  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN
   const isCi = !!(
     constants.ENV.CI &&
     constants.ENV.GITHUB_ACTIONS &&

src/commands/fix/open-pr.mts

@@ -29,9 +29,8 @@ let _octokit: Octokit | undefined
 function getOctokit() {
   if (_octokit === undefined) {
     _octokit = new Octokit({
-      // Lazily access constants.ENV properties.
-      auth:
-        constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN,
+      // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+      auth: constants.ENV.SOCKET_CLI_GITHUB_TOKEN,
     })
   }
   return _octokit
@@ -42,8 +41,8 @@ export function getOctokitGraphql() {
   if (!_octokitGraphql) {
     _octokitGraphql = OctokitGraphql.defaults({
       headers: {
-        // Lazily access constants.ENV properties.
-        authorization: `token ${constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN}`,
+        // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+        authorization: `token ${constants.ENV.SOCKET_CLI_GITHUB_TOKEN}`,
       },
     })
   }
@@ -56,6 +55,7 @@ export async function cacheFetch<T>(
   ttlMs?: number | undefined,
 ): Promise<T> {
   // Optionally disable cache.
+  // Lazily access constants.ENV.DISABLE_GITHUB_CACHE.
   if (constants.ENV.DISABLE_GITHUB_CACHE) {
     return await fetcher()
   }

src/commands/fix/pnpm-fix.mts

@@ -193,8 +193,7 @@ export async function pnpmFix(
   }
 
   // Lazily access constants.ENV properties.
-  const token =
-    constants.ENV.SOCKET_SECURITY_GITHUB_PAT || constants.ENV.GITHUB_TOKEN
+  const token = constants.ENV.SOCKET_CLI_GITHUB_TOKEN
   const isCi = !!(
     constants.ENV.CI &&
     constants.ENV.GITHUB_ACTIONS &&

src/commands/scan/cmd-scan-github.mts

@@ -109,7 +109,8 @@ async function run(
     all = false,
     dryRun = false,
     githubApiUrl = 'https://api.github.com',
-    githubToken = process.env['SOCKET_CLI_GITHUB_TOKEN'] || '',
+    // Lazily access constants.ENV.SOCKET_CLI_GITHUB_TOKEN.
+    githubToken = constants.ENV.SOCKET_CLI_GITHUB_TOKEN,
     interactive = true,
     json,
     markdown,

src/constants.mts

@@ -64,14 +64,14 @@ type ENV = Remap<
       NODE_COMPILE_CACHE: string
       PATH: string
       SOCKET_CLI_ACCEPT_RISKS: boolean
+      SOCKET_CLI_API_BASE_URL: string
+      SOCKET_CLI_API_PROXY: string
+      SOCKET_CLI_API_TOKEN: string
       SOCKET_CLI_CONFIG: string
       SOCKET_CLI_DEBUG: boolean
+      SOCKET_CLI_GITHUB_TOKEN: string
       SOCKET_CLI_NO_API_TOKEN: boolean
       SOCKET_CLI_VIEW_ALL_RISKS: boolean
-      SOCKET_SECURITY_API_BASE_URL: string
-      SOCKET_SECURITY_API_PROXY: string
-      SOCKET_SECURITY_API_TOKEN: string
-      SOCKET_SECURITY_GITHUB_PAT: string
       TERM: string
       XDG_DATA_HOME: string
     }>
@@ -216,6 +216,7 @@ const LAZY_ENV = () => {
     envAsString,
   } = require('@socketsecurity/registry/lib/env')
   const { env } = process
+  const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])
   // We inline some environment values so that they CANNOT be influenced by user
   // provided environment variables.
   return Object.freeze({
@@ -243,7 +244,7 @@ const LAZY_ENV = () => {
     // The GITHUB_TOKEN secret is a GitHub App installation access token. The token's
     // permissions are limited to the repository that contains the workflow.
     // https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#about-the-github_token-secret
-    GITHUB_TOKEN: envAsString(env['GITHUB_TOKEN']),
+    GITHUB_TOKEN,
     // Comp-time inlined @cyclonedx/cdxgen package version.
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_CYCLONEDX_CDXGEN_VERSION']".
     INLINED_CYCLONEDX_CDXGEN_VERSION: envAsString(
@@ -305,44 +306,36 @@ const LAZY_ENV = () => {
     PATH: envAsString(env['PATH']),
     // Flag to accepts risks of safe-npm and safe-npx run.
     SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),
-    // Flag containing a JSON stringified Socket configuration object.
-    SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),
-    // Flag to help debug Socket CLI.
-    SOCKET_CLI_DEBUG: envAsBoolean(env['SOCKET_CLI_DEBUG']),
-    // Flag to make the default API token `undefined`.
-    SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),
-    // Flag to view all risks of safe-npm and safe-npx run.
-    SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env[SOCKET_CLI_VIEW_ALL_RISKS]),
     // Flag to change the base URL for all API-calls.
     // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development
-    SOCKET_SECURITY_API_BASE_URL:
-      envAsString(env['SOCKET_SECURITY_API_BASE_URL']) ||
-      // For consistency; allow socket_cli prefix too
-      envAsString(env['SOCKET_CLI_API_BASE_URL']),
+    SOCKET_CLI_API_BASE_URL:
+      envAsString(env['SOCKET_CLI_API_BASE_URL']) ||
+      envAsString(env['SOCKET_SECURITY_API_BASE_URL']),
     // Flag to set the proxy all requests are routed through.
     // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development
-    SOCKET_SECURITY_API_PROXY:
-      envAsString(env['SOCKET_SECURITY_API_PROXY']) ||
-      // For consistency; allow socket_cli prefix too
-      envAsString(env['SOCKET_CLI_API_BASE_URL']),
+    SOCKET_CLI_API_PROXY:
+      envAsString(env['SOCKET_CLI_API_PROXY']) ||
+      envAsString(env['SOCKET_SECURITY_API_PROXY']),
     // Flag to set the API token.
     // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables
-    SOCKET_SECURITY_API_TOKEN:
-      // Note: These are SOCKET_SECURITY prefixed because they're not specific
-      //       to the CLI. For the sake of consistency we'll also support the env
-      //       keys that do have the SOCKET_CLI prefix, it's an easy mistake.
-      // In case multiple are supplied, the tokens supersede the keys and the
-      // security prefix supersedes the cli prefix. "Adventure mode" ;)
-      envAsString(env['SOCKET_SECURITY_API_TOKEN']) ||
-      // Keep 'SOCKET_SECURITY_API_KEY' alias.
-      // TODO: Remove 'SOCKET_SECURITY_API_KEY' alias.
-      envAsString(env['SOCKET_SECURITY_API_KEY']) ||
+    SOCKET_CLI_API_TOKEN:
       envAsString(env['SOCKET_CLI_API_TOKEN']) ||
-      envAsString(env['SOCKET_CLI_API_KEY']),
+      envAsString(env['SOCKET_CLI_API_KEY']) ||
+      envAsString(env['SOCKET_SECURITY_API_TOKEN']) ||
+      envAsString(env['SOCKET_SECURITY_API_KEY']),
+    // Flag containing a JSON stringified Socket configuration object.
+    SOCKET_CLI_CONFIG: envAsString(env['SOCKET_CLI_CONFIG']),
+    // Flag to help debug Socket CLI.
+    SOCKET_CLI_DEBUG: envAsBoolean(env['SOCKET_CLI_DEBUG']),
     // A classic GitHub personal access token with the "repo" scope or a fine-grained
     // access token with read/write permissions set for "Contents" and "Pull Request".
     // https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
-    SOCKET_SECURITY_GITHUB_PAT: envAsString(env['SOCKET_SECURITY_GITHUB_PAT']),
+    SOCKET_CLI_GITHUB_TOKEN:
+      envAsString(env['SOCKET_CLI_GITHUB_TOKEN']) || GITHUB_TOKEN,
+    // Flag to make the default API token `undefined`.
+    SOCKET_CLI_NO_API_TOKEN: envAsBoolean(env['SOCKET_CLI_NO_API_TOKEN']),
+    // Flag to view all risks of safe-npm and safe-npx run.
+    SOCKET_CLI_VIEW_ALL_RISKS: envAsBoolean(env[SOCKET_CLI_VIEW_ALL_RISKS]),
     // Specifies the type of terminal or terminal emulator being used by the process.
     TERM: envAsString(env['TERM']),
     // The location of the base directory on Linux and MacOS used to store

src/utils/api.mts

@@ -155,11 +155,9 @@ export async function getErrorMessageForHttpStatusCode(code: number) {
 
 // The API server that should be used for operations.
 export function getDefaultApiBaseUrl(): string | undefined {
-  // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
-  const SOCKET_SECURITY_API_BASE_URL =
-    constants.ENV.SOCKET_SECURITY_API_BASE_URL
   const baseUrl =
-    SOCKET_SECURITY_API_BASE_URL || getConfigValueOrUndef('apiBaseUrl')
+    // Lazily access constants.ENV.SOCKET_CLI_API_BASE_URL.
+    constants.ENV.SOCKET_CLI_API_BASE_URL || getConfigValueOrUndef('apiBaseUrl')
   if (isNonEmptyString(baseUrl)) {
     return baseUrl
   }

src/utils/meow-with-subcommands.mts

@@ -144,8 +144,8 @@ export async function meowWithSubcommands(
     // The config will be marked as readOnly to prevent persisting it.
     overrideConfigApiToken(undefined)
   } else {
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-    const tokenOverride = constants.ENV.SOCKET_SECURITY_API_TOKEN
+    // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.
+    const tokenOverride = constants.ENV.SOCKET_CLI_API_TOKEN
     if (tokenOverride) {
       // This will set the token (even if there was a config override) and
       // set it to readOnly, making sure the temp token won't be persisted.

src/utils/sdk.mts

@@ -19,17 +19,16 @@ const { length: TOKEN_PREFIX_LENGTH } = TOKEN_PREFIX
 // The API server that should be used for operations.
 function getDefaultApiBaseUrl(): string | undefined {
   const baseUrl =
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_BASE_URL.
-    constants.ENV.SOCKET_SECURITY_API_BASE_URL ||
-    getConfigValueOrUndef('apiBaseUrl')
+    // Lazily access constants.ENV.SOCKET_CLI_API_BASE_URL.
+    constants.ENV.SOCKET_CLI_API_BASE_URL || getConfigValueOrUndef('apiBaseUrl')
   return isNonEmptyString(baseUrl) ? baseUrl : undefined
 }
 
 // The API server that should be used for operations.
 function getDefaultHttpProxy(): string | undefined {
   const apiProxy =
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_PROXY.
-    constants.ENV.SOCKET_SECURITY_API_PROXY || getConfigValueOrUndef('apiProxy')
+    // Lazily access constants.ENV.SOCKET_CLI_API_PROXY.
+    constants.ENV.SOCKET_CLI_API_PROXY || getConfigValueOrUndef('apiProxy')
   return isNonEmptyString(apiProxy) ? apiProxy : undefined
 }
 
@@ -41,8 +40,8 @@ export function getDefaultToken(): string | undefined {
     _defaultToken = undefined
   } else {
     const key =
-      // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-      constants.ENV.SOCKET_SECURITY_API_TOKEN ||
+      // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.
+      constants.ENV.SOCKET_CLI_API_TOKEN ||
       getConfigValueOrUndef('apiToken') ||
       _defaultToken
     _defaultToken = isNonEmptyString(key) ? key : undefined
@@ -63,8 +62,8 @@ export function hasDefaultToken(): boolean {
 
 export function getPublicToken(): string {
   return (
-    // Lazily access constants.ENV.SOCKET_SECURITY_API_TOKEN.
-    (constants.ENV.SOCKET_SECURITY_API_TOKEN || getDefaultToken()) ??
+    // Lazily access constants.ENV.SOCKET_CLI_API_TOKEN.
+    (constants.ENV.SOCKET_CLI_API_TOKEN || getDefaultToken()) ??
     SOCKET_PUBLIC_API_TOKEN
   )
 }