Summary

Mirrors the Dependabot hardening done in socket-sdk-python (#84) and socket-python-cli (#207 / #217), adapted to socket-basics — the most complex of the three repos, since it ships both a uv.lock (Python deps) and two Dockerfiles. Then it goes further with a supply-chain watch for the four core OSS tools Dependabot can't cleanly track, and fixes the SFW-bypass blindspot the CLI/SDK pattern introduced. Four threads:

1. Bundle dependency updates — supersedes the 8 open Dependabot PRs in one verified change.
2. Dependabot config hardening — adds the missing uv ecosystem and groups every ecosystem into one minor/patch bundle + a separate major PR.
3. Dependency review — anonymous Socket Firewall smoke on every dependency PR, an authenticated (enterprise) path for trusted members, report artifacts, and a single always-on required gate (no environment approval gate).
4. Core-tool supply-chain watch — discovers latest upstream versions of OpenGrep / TruffleHog / Trivy / Socket SCA and scores them through the Socket API.

1. Dependencies (supersedes 8 Dependabot PRs)

The four Python bumps are transitive/dev deps — runtime constraints in pyproject.toml are unchanged; targeted uv lock --upgrade-package only. The four docker/* action SHAs all live in _docker-pipeline.yml (majors pinned by SHA, validated by the smoke/publish builds). GitHub closing keywords don't close PRs, so the 8 Dependabot PRs must be closed manually after merge.

2. Dependabot config (.github/dependabot.yml)

• Adds the uv ecosystem — the gap that let the Python PRs pile up ungrouped.
• Every ecosystem (uv, docker ×2, github-actions) now groups into a weekly minor/patch bundle + a separate major PR.
• GitHub Actions also scans /.github/actions/* (the new composite action). 7-day cooldown retained.

3. Dependency review (.github/workflows/dependency-review.yml)

Renamed from dependabot-review.yml, now runs on every PR. inspect classifies the PR; exactly one Socket Firewall job runs when Python deps change:

• Enterprise (firewall-enterprise + token) — trusted in-repo (non-fork) non-Dependabot PRs (i.e. write-access holders). Only this job references the secret.
• Free (firewall-free, anonymous) — Dependabot, forks, external contributors, or whenever the token is absent.

Degrades to free whenever the token is missing, so it's safe to ship today and auto-upgrades to enterprise once the secret exists. Both jobs upload their sfw output as an artifact (sfw-report-free / sfw-report-enterprise).

Environment kept for secret scoping; approval rule forbidden (uniform with socket-python-cli#224). environment: socket-firewall scopes the token so only the enterprise job can read it — good hygiene, kept. The trap is a required-reviewers rule on that environment: the enterprise check can't itself be a required status check (it's skipped on Dependabot/fork PRs, and a never-created required check blocks merge forever), and a manual deployment gate is self-approvable (prevent_self_review defaults off; admins bypass) yet skippable — so the meaningful check silently never ran. Configure the environment with no reviewers:

gh api -X PUT repos/SocketDev/socket-basics/environments/socket-firewall \
  --input - <<<'{"wait_timer":0,"prevent_self_review":false,"reviewers":null,"deployment_branch_policy":null}'

Coverage is enforced instead by the always-on dependency-review-gate aggregator (Pattern 2): it needs every conditional job, fails on any failure/cancelled, and additionally requires the trust-appropriate SFW edition (free for Dependabot/forks, enterprise for maintainers) to have succeeded when Python deps changed; it's a no-op when no deps changed. It runs if: always() so the required context is always created (no Pattern-1 bypass twin needed). Mark only dependency-review-gate as the required status check — and merge it to main first, then add it to branch protection (requiring it before it exists strands every open PR).

Docker dep changes: the main image is already build-smoke-tested by smoke-test.yml, so only the app_tests image (uncovered elsewhere) is built here.

4. Core-tool supply-chain watch (core-tool-watch.yml + scripts/check_core_tools.py)

Three of socket-basics' four core tools — OpenGrep, TruffleHog, Trivy — ship as binaries / container images / GitHub releases Dependabot can't track; the fourth, Socket SCA (socketdev), is a PyPI package. The watcher:

• Discovers the latest upstream version of each (GitHub Releases API + PyPI) vs the repo pins (Dockerfile ARGs + uv.lock).
• Scores the package coordinates through the Socket API — dogfooding the socketdev SDK's purl.post() that socket-basics already depends on (pkg:pypi/..., pkg:golang/..., pkg:github/...; a missing result is reported, not failed).
• schedule / dispatch → watch: analyze pinned + latest, report drift, upsert a core-tool-drift issue. PR / push touching pins → build: analyze the versions a build would bake in and fail on a malware/critical alert.
• Uploads a core-tools-report artifact (markdown + JSON); degrades to discovery-only without a token. No environment gate (an approval gate would hang the cron run).

Live run today flagged drift on all four: OpenGrep v1.16.5→v1.22.0, TruffleHog 3.93.8→v3.95.5, Trivy 0.69.3→v0.71.0, socketdev 3.0.29→3.1.1 (adopting those is intentionally not in this PR).

5. Workflow plumbing

• .github/actions/setup-sfw composite action (Python 3.12 + uv + Socket Firewall, free/enterprise).
• python-tests.yml gains a uv lock --locked drift guard.
• No Dependabot-skip logic needed: socket-basics has no PR workflow (preview/version-gate) that should skip on Dependabot PRs.

⚠️ Operational prerequisites

1. GitHub Actions is currently disabled on this repo (actions/permissions → {"enabled":false}) — none of these workflows run in CI until Actions is enabled (Settings → Actions → General). Validated locally instead.
2. Create the socket-firewall environment with no reviewers rule (command above) and add the SOCKET_SFW_API_TOKEN secret to it — lights up the enterprise path + core-tool Socket scoring.
3. Mark dependency-review-gate as the single required status check on main — but only after this PR merges (so the check exists on main). Do not add a required-reviewers rule to the socket-firewall environment — that's the bypass blindspot this PR avoids.

Test plan

Local (all green):

• uv lock --locked · uv sync --locked --extra dev · import smoke
• pytest tests/ — 139 passed
• actionlint — clean · zizmor --offline — no findings · YAML parse on all .github files
• scripts/check_core_tools.py in watch and build mode (token-absent degradation)

Pending (needs Actions enabled + the secret):

• Maintainer dep PR → python-sfw-smoke-enterprise runs automatically (no approval), gate requires it
• Dependabot/fork dep PR → python-sfw-smoke-free runs, gate requires it
• core-tool-watch scheduled run scores all four PURLs through the Socket API

🤖 Generated with Claude Code