Disable analysis splitting by default

CHANGELOG.md

@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.58](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.58) - 2026-01-14
+
+### Changed
+- Analysis splitting is now disabled by default for reachability scans.
+- Added `--reach-enable-analysis-splitting` flag to opt-in to multiple analysis runs per workspace when needed.
+- Deprecated `--reach-disable-analysis-splitting` flag (now a no-op for backwards compatibility).
+- Updated the Coana CLI to v `14.12.154`.
+
+
 ## [1.1.57](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.57) - 2026-01-10
 
 ### Changed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.57",
+  "version": "1.1.58",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -94,7 +94,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "14.12.148",
+    "@coana-tech/cli": "14.12.154",
     "@cyclonedx/cdxgen": "11.11.0",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

src/commands/ci/handle-ci.mts

@@ -55,9 +55,10 @@ export async function handleCi(autoManifest: boolean): Promise<void> {
       reachAnalysisTimeout: 0,
       reachConcurrency: 1,
       reachDebug: false,
-      reachDisableAnalysisSplitting: false,
+      reachDetailedAnalysisLogFile: false,
       reachDisableAnalytics: false,
       reachEcosystems: [],
+      reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
       reachSkipCache: false,

src/commands/scan/cmd-scan-create.mts

@@ -241,8 +241,10 @@ async function run(
     reachAnalysisTimeout,
     reachConcurrency,
     reachDebug,
-    reachDisableAnalysisSplitting,
+    reachDetailedAnalysisLogFile,
+    reachDisableAnalysisSplitting: _reachDisableAnalysisSplitting,
     reachDisableAnalytics,
+    reachEnableAnalysisSplitting,
     reachLazyMode,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
@@ -272,8 +274,10 @@ async function run(
     reachAnalysisTimeout: number
     reachConcurrency: number
     reachDebug: boolean
+    reachDetailedAnalysisLogFile: boolean
     reachDisableAnalysisSplitting: boolean
     reachDisableAnalytics: boolean
+    reachEnableAnalysisSplitting: boolean
     reachLazyMode: boolean
     reachSkipCache: boolean
     reachUseOnlyPregeneratedSboms: boolean
@@ -461,7 +465,7 @@ async function run(
     isUsingNonDefaultMemoryLimit ||
     isUsingNonDefaultTimeout ||
     isUsingNonDefaultVersion ||
-    reachDisableAnalysisSplitting ||
+    reachEnableAnalysisSplitting ||
     reachLazyMode ||
     reachSkipCache ||
     reachUseOnlyPregeneratedSboms
@@ -574,9 +578,10 @@ async function run(
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
       reachDebug: Boolean(reachDebug),
-      reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+      reachDetailedAnalysisLogFile: Boolean(reachDetailedAnalysisLogFile),
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
+      reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
       reachSkipCache: Boolean(reachSkipCache),

src/commands/scan/cmd-scan-create.test.mts

@@ -58,9 +58,10 @@ describe('socket scan create', async () => {
             --reach-analysis-timeout  Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.
             --reach-concurrency  Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.
             --reach-debug       Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
-            --reach-disable-analysis-splitting  Limits Coana to at most 1 reachability analysis run per workspace.
+            --reach-detailed-analysis-log-file  A log file with detailed analysis logs is written to root of each analyzed workspace.
             --reach-disable-analytics  Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
+            --reach-enable-analysis-splitting  Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
             --reach-skip-cache  Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
             --reach-use-only-pregenerated-sboms  When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.

src/commands/scan/cmd-scan-reach.mts

@@ -125,8 +125,10 @@ async function run(
     reachAnalysisTimeout,
     reachConcurrency,
     reachDebug,
-    reachDisableAnalysisSplitting,
+    reachDetailedAnalysisLogFile,
+    reachDisableAnalysisSplitting: _reachDisableAnalysisSplitting,
     reachDisableAnalytics,
+    reachEnableAnalysisSplitting,
     reachLazyMode,
     reachSkipCache,
     reachUseOnlyPregeneratedSboms,
@@ -142,8 +144,10 @@ async function run(
     reachAnalysisTimeout: number
     reachConcurrency: number
     reachDebug: boolean
+    reachDetailedAnalysisLogFile: boolean
     reachDisableAnalysisSplitting: boolean
     reachDisableAnalytics: boolean
+    reachEnableAnalysisSplitting: boolean
     reachLazyMode: boolean
     reachSkipCache: boolean
     reachUseOnlyPregeneratedSboms: boolean
@@ -262,9 +266,10 @@ async function run(
       reachAnalysisTimeout: Number(reachAnalysisTimeout),
       reachConcurrency: Number(reachConcurrency),
       reachDebug: Boolean(reachDebug),
-      reachDisableAnalysisSplitting: Boolean(reachDisableAnalysisSplitting),
+      reachDetailedAnalysisLogFile: Boolean(reachDetailedAnalysisLogFile),
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
+      reachEnableAnalysisSplitting: Boolean(reachEnableAnalysisSplitting),
       reachExcludePaths,
       reachLazyMode: Boolean(reachLazyMode),
       reachSkipCache: Boolean(reachSkipCache),

src/commands/scan/cmd-scan-reach.test.mts

@@ -41,9 +41,10 @@ describe('socket scan reach', async () => {
             --reach-analysis-timeout  Set timeout for the reachability analysis. Split analysis runs may cause the total scan time to exceed this timeout significantly.
             --reach-concurrency  Set the maximum number of concurrent reachability analysis runs. It is recommended to choose a concurrency level that ensures each analysis run has at least the --reach-analysis-memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.
             --reach-debug       Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
-            --reach-disable-analysis-splitting  Limits Coana to at most 1 reachability analysis run per workspace.
+            --reach-detailed-analysis-log-file  A log file with detailed analysis logs is written to root of each analyzed workspace.
             --reach-disable-analytics  Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
             --reach-ecosystems  List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
+            --reach-enable-analysis-splitting  Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
             --reach-exclude-paths  List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
             --reach-skip-cache  Skip caching-based optimizations. By default, the reachability analysis will use cached configurations from previous runs to speed up the analysis.
             --reach-use-only-pregenerated-sboms  When using this option, the scan is created based only on pre-generated CDX and SPDX files in your project.
@@ -195,7 +196,26 @@ describe('socket scan reach', async () => {
       FLAG_CONFIG,
       '{"apiToken":"fakeToken"}',
     ],
-    'should accept --reach-disable-analysis-splitting flag',
+    'should accept deprecated --reach-disable-analysis-splitting flag (noop)',
+    async cmd => {
+      const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
+      expect(code, 'should exit with code 0').toBe(0)
+    },
+  )
+
+  cmdit(
+    [
+      'scan',
+      'reach',
+      FLAG_DRY_RUN,
+      '--reach-enable-analysis-splitting',
+      '--org',
+      'fakeOrg',
+      FLAG_CONFIG,
+      '{"apiToken":"fakeToken"}',
+    ],
+    'should accept --reach-enable-analysis-splitting flag',
     async cmd => {
       const { code, stdout } = await spawnSocketCli(binCliPath, cmd)
       expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
@@ -319,7 +339,7 @@ describe('socket scan reach', async () => {
       '3600',
       '--reach-concurrency',
       '2',
-      '--reach-disable-analysis-splitting',
+      '--reach-enable-analysis-splitting',
       '--reach-ecosystems',
       'npm,pypi',
       '--reach-exclude-paths',

src/commands/scan/create-scan-from-github.mts

@@ -253,9 +253,10 @@ async function scanOneRepo(
       reachAnalysisTimeout: 0,
       reachConcurrency: 1,
       reachDebug: false,
-      reachDisableAnalysisSplitting: false,
+      reachDetailedAnalysisLogFile: false,
       reachDisableAnalytics: false,
       reachEcosystems: [],
+      reachEnableAnalysisSplitting: false,
       reachExcludePaths: [],
       reachLazyMode: false,
       reachSkipCache: false,

src/commands/scan/perform-reachability-analysis.mts

@@ -18,9 +18,10 @@ export type ReachabilityOptions = {
   reachAnalysisTimeout: number
   reachConcurrency: number
   reachDebug: boolean
-  reachDisableAnalysisSplitting: boolean
+  reachDetailedAnalysisLogFile: boolean
   reachDisableAnalytics: boolean
   reachEcosystems: PURL_Type[]
+  reachEnableAnalysisSplitting: boolean
   reachExcludePaths: string[]
   reachLazyMode: boolean
   reachSkipCache: boolean
@@ -172,12 +173,15 @@ export async function performReachabilityAnalysis(
       ? ['--concurrency', `${reachabilityOptions.reachConcurrency}`]
       : []),
     ...(reachabilityOptions.reachDebug ? ['--debug'] : []),
+    ...(reachabilityOptions.reachDetailedAnalysisLogFile
+      ? ['--print-analysis-log-file']
+      : []),
     ...(reachabilityOptions.reachDisableAnalytics
       ? ['--disable-analytics-sharing']
       : []),
-    ...(reachabilityOptions.reachDisableAnalysisSplitting
-      ? ['--disable-analysis-splitting']
-      : []),
+    ...(reachabilityOptions.reachEnableAnalysisSplitting
+      ? []
+      : ['--disable-analysis-splitting']),
     ...(tarHash
       ? ['--run-without-docker', '--manifests-tar-hash', tarHash]
       : []),

src/commands/scan/reachability-flags.mts

@@ -31,17 +31,30 @@ export const reachabilityFlags: MeowFlags = {
     description:
       'Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.',
   },
+  reachDetailedAnalysisLogFile: {
+    type: 'boolean',
+    default: false,
+    description:
+      'A log file with detailed analysis logs is written to root of each analyzed workspace.',
+  },
   reachDisableAnalytics: {
     type: 'boolean',
     default: false,
     description:
       'Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.',
   },
   reachDisableAnalysisSplitting: {
+    type: 'boolean',
+    default: false,
+    hidden: true,
+    description:
+      'Deprecated: Analysis splitting is now disabled by default. This flag is a no-op.',
+  },
+  reachEnableAnalysisSplitting: {
     type: 'boolean',
     default: false,
     description:
-      'Limits Coana to at most 1 reachability analysis run per workspace.',
+      'Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.',
   },
   reachEcosystems: {
     type: 'string',