feat(manifest): --facts mode emits Socket facts JSON for Gradle projects (REA-442)

.config/rollup.dist.config.mjs

@@ -79,6 +79,15 @@ async function copyInitGradle() {
   await fs.copyFile(filepath, destPath)
 }
 
+async function copySocketFactsInitGradle() {
+  const filepath = path.join(
+    constants.srcPath,
+    'commands/manifest/socket-facts.init.gradle',
+  )
+  const destPath = path.join(constants.distPath, 'socket-facts.init.gradle')
+  await fs.copyFile(filepath, destPath)
+}
+
 async function copyBashCompletion() {
   const filepath = path.join(
     constants.srcPath,
@@ -458,6 +467,7 @@ export default async () => {
           async writeBundle() {
             await Promise.all([
               copyInitGradle(),
+              copySocketFactsInitGradle(),
               copyBashCompletion(),
               updatePackageJson(),
               // Remove dist/vendor.js.map file.

CHANGELOG.md

@@ -5,11 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
-
-### Added
 - **`socket manifest bazel [beta]`** — Generate Bazel JVM SBOM manifests by running `bazel query` against discovered Maven repos in a Bazel workspace. Closes the inline-Maven-declaration gap that lockfile-only parsing misses for repos like envoy, ray, tensorflow, tink-java, and or-tools. Auto-detects Bzlmod and legacy `WORKSPACE`.
 - **`socket scan create --auto-manifest`** now covers Bazel workspaces in addition to Gradle/Scala/Kotlin/Conda. Repos with `MODULE.bazel`, `WORKSPACE`, or `WORKSPACE.bazel` are detected automatically and their Maven dependencies extracted as part of the standard scan-create flow.
 
+## [1.1.98](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.98) - 2026-05-22
+
+### Added
+- **`socket manifest gradle --facts [beta]`** (and its `socket manifest kotlin --facts` alias) — Emit a `.socket.facts.json` dependency graph from a Gradle build, consumable by `socket scan create --reach` as pregenerated SBOM input for Tier 1 reachability. Toggle also exposed via the `socket manifest setup` wizard for use with `--auto-manifest`.
+
+### Changed
+- Updated the Coana CLI to v `15.3.8`.
+
 ## [1.1.101](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.101) - 2026-05-22
 
 ### Changed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.101",
+  "version": "1.1.102",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",

src/commands/manifest/cmd-manifest-gradle.mts

@@ -3,6 +3,7 @@ import path from 'node:path'
 import { debugFn } from '@socketsecurity/registry/lib/debug'
 import { logger } from '@socketsecurity/registry/lib/logger'
 
+import { convertGradleToFacts } from './convert-gradle-to-facts.mts'
 import { convertGradleToMaven } from './convert_gradle_to_maven.mts'
 import constants, { REQUIREMENTS_TXT, SOCKET_JSON } from '../../constants.mts'
 import { commonFlags } from '../../flags.mts'
@@ -28,6 +29,11 @@ const config: CliCommandConfig = {
       type: 'string',
       description: 'Location of gradlew binary to use, default: CWD/gradlew',
     },
+    facts: {
+      type: 'boolean',
+      description:
+        'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files',
+    },
     gradleOpts: {
       type: 'string',
       description:
@@ -110,7 +116,7 @@ async function run(
     sockJson?.defaults?.manifest?.gradle,
   )
 
-  let { bin, gradleOpts, verbose } = cli.flags
+  let { bin, facts, gradleOpts, verbose } = cli.flags
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -140,6 +146,14 @@ async function run(
       verbose = false
     }
   }
+  if (facts === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.facts !== undefined) {
+      facts = sockJson.defaults?.manifest?.gradle?.facts
+      logger.info(`Using default --facts from ${SOCKET_JSON}:`, facts)
+    } else {
+      facts = false
+    }
+  }
 
   if (verbose) {
     logger.group('- ', parentName, config.commandName, ':')
@@ -175,13 +189,25 @@ async function run(
     return
   }
 
+  const parsedGradleOpts = String(gradleOpts || '')
+    .split(' ')
+    .map(s => s.trim())
+    .filter(Boolean)
+
+  if (facts) {
+    await convertGradleToFacts({
+      bin: String(bin),
+      cwd,
+      gradleOpts: parsedGradleOpts,
+      verbose: Boolean(verbose),
+    })
+    return
+  }
+
   await convertGradleToMaven({
     bin: String(bin),
     cwd,
-    gradleOpts: String(gradleOpts || '')
-      .split(' ')
-      .map(s => s.trim())
-      .filter(Boolean),
+    gradleOpts: parsedGradleOpts,
     verbose: Boolean(verbose),
   })
 }

src/commands/manifest/cmd-manifest-gradle.test.mts

@@ -24,6 +24,7 @@ describe('socket manifest gradle', async () => {
 
           Options
             --bin               Location of gradlew binary to use, default: CWD/gradlew
+            --facts             Emit a Socket facts JSON file (\`.socket.facts.json\`) describing the resolved dependency graph instead of generating \`pom.xml\` files
             --gradle-opts       Additional options to pass on to ./gradlew, see \`./gradlew --help\`
             --verbose           Print debug messages
 
@@ -85,4 +86,22 @@ describe('socket manifest gradle', async () => {
       expect(code, 'dry-run should exit with code 0 if input ok').toBe(0)
     },
   )
+
+  cmdit(
+    ['manifest', 'gradle', '--facts', FLAG_DRY_RUN, FLAG_CONFIG, '{}'],
+    'should accept --facts with dry-run',
+    async cmd => {
+      const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+        "
+           _____         _       _        /---------------
+          |   __|___ ___| |_ ___| |_      | CLI: <redacted>
+          |__   | * |  _| '_| -_|  _|     | token: <redacted>, org: <redacted>
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket manifest gradle\`, cwd: <redacted>"
+      `)
+
+      expect(code, '--facts --dry-run should exit with code 0').toBe(0)
+    },
+  )
 })

src/commands/manifest/cmd-manifest-kotlin.mts

@@ -3,6 +3,7 @@ import path from 'node:path'
 import { debugFn } from '@socketsecurity/registry/lib/debug'
 import { logger } from '@socketsecurity/registry/lib/logger'
 
+import { convertGradleToFacts } from './convert-gradle-to-facts.mts'
 import { convertGradleToMaven } from './convert_gradle_to_maven.mts'
 import constants, { REQUIREMENTS_TXT, SOCKET_JSON } from '../../constants.mts'
 import { commonFlags } from '../../flags.mts'
@@ -33,6 +34,11 @@ const config: CliCommandConfig = {
       type: 'string',
       description: 'Location of gradlew binary to use, default: CWD/gradlew',
     },
+    facts: {
+      type: 'boolean',
+      description:
+        'Emit a Socket facts JSON file (`.socket.facts.json`) describing the resolved dependency graph instead of generating `pom.xml` files',
+    },
     gradleOpts: {
       type: 'string',
       description:
@@ -115,7 +121,7 @@ async function run(
     sockJson?.defaults?.manifest?.gradle,
   )
 
-  let { bin, gradleOpts, verbose } = cli.flags
+  let { bin, facts, gradleOpts, verbose } = cli.flags
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
   if (!bin) {
@@ -145,6 +151,14 @@ async function run(
       verbose = false
     }
   }
+  if (facts === undefined) {
+    if (sockJson.defaults?.manifest?.gradle?.facts !== undefined) {
+      facts = sockJson.defaults?.manifest?.gradle?.facts
+      logger.info(`Using default --facts from ${SOCKET_JSON}:`, facts)
+    } else {
+      facts = false
+    }
+  }
 
   if (verbose) {
     logger.group('- ', parentName, config.commandName, ':')
@@ -180,13 +194,25 @@ async function run(
     return
   }
 
+  const parsedGradleOpts = String(gradleOpts || '')
+    .split(' ')
+    .map(s => s.trim())
+    .filter(Boolean)
+
+  if (facts) {
+    await convertGradleToFacts({
+      bin: String(bin),
+      cwd,
+      gradleOpts: parsedGradleOpts,
+      verbose: Boolean(verbose),
+    })
+    return
+  }
+
   await convertGradleToMaven({
     bin: String(bin),
     cwd,
-    gradleOpts: String(gradleOpts || '')
-      .split(' ')
-      .map(s => s.trim())
-      .filter(Boolean),
+    gradleOpts: parsedGradleOpts,
     verbose: Boolean(verbose),
   })
 }

src/commands/manifest/cmd-manifest-kotlin.test.mts

@@ -24,6 +24,7 @@ describe('socket manifest kotlin', async () => {
 
           Options
             --bin               Location of gradlew binary to use, default: CWD/gradlew
+            --facts             Emit a Socket facts JSON file (\`.socket.facts.json\`) describing the resolved dependency graph instead of generating \`pom.xml\` files
             --gradle-opts       Additional options to pass on to ./gradlew, see \`./gradlew --help\`
             --verbose           Print debug messages
 
@@ -85,4 +86,22 @@ describe('socket manifest kotlin', async () => {
       expect(code, 'dry-run should exit with code 0 if input ok').toBe(0)
     },
   )
+
+  cmdit(
+    ['manifest', 'kotlin', '--facts', FLAG_DRY_RUN, FLAG_CONFIG, '{}'],
+    'should accept --facts with dry-run',
+    async cmd => {
+      const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`"[DryRun]: Bailing now"`)
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+        "
+           _____         _       _        /---------------
+          |   __|___ ___| |_ ___| |_      | CLI: <redacted>
+          |__   | * |  _| '_| -_|  _|     | token: <redacted>, org: <redacted>
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket manifest kotlin\`, cwd: <redacted>"
+      `)
+
+      expect(code, '--facts --dry-run should exit with code 0').toBe(0)
+    },
+  )
 })