Update README to document new filtering options and required use of --reach flag

lelia · lelia · commit 3fe77d7b0c62 · 2026-03-03T16:26:13.000-05:00
Signed-off-by: lelia &lt;lelia@socket.dev&gt;
diff --git a/README.md b/README.md
@@ -114,7 +114,7 @@ This will simultaneously generate:
 - SARIF report to `results.sarif` (and stdout)
 - GitLab Security Dashboard report to `gl-dependency-scanning-report.json`
 
-> **Note:** `--enable-sarif` prints SARIF to stdout only. Use `--sarif-file <path>` to save to a file (this also implies `--enable-sarif`). These are independent from `--enable-gitlab-security`, which produces a separate GitLab-specific Dependency Scanning report.
+> **Note:** `--enable-sarif` prints SARIF to stdout only. Use `--sarif-file <path>` to save to a file (this also implies `--enable-sarif`). Add `--sarif-reachable-only` (requires `--reach`) to filter results down to only reachable findings — useful for uploading to GitHub Code Scanning without noisy alerts on unreachable vulns. These flags are independent from `--enable-gitlab-security`, which produces a separate GitLab-specific Dependency Scanning report.
 
 ### Requirements
 
@@ -130,7 +130,7 @@ socketcli [-h] [--api-token API_TOKEN] [--repo REPO] [--workspace WORKSPACE] [--
           [--target-path TARGET_PATH] [--sbom-file SBOM_FILE] [--license-file-name LICENSE_FILE_NAME] [--save-submitted-files-list SAVE_SUBMITTED_FILES_LIST]
           [--save-manifest-tar SAVE_MANIFEST_TAR] [--files FILES] [--sub-path SUB_PATH] [--workspace-name WORKSPACE_NAME]
           [--excluded-ecosystems EXCLUDED_ECOSYSTEMS] [--default-branch] [--pending-head] [--generate-license] [--enable-debug]
-          [--enable-json] [--enable-sarif] [--sarif-file <path>] [--enable-gitlab-security] [--gitlab-security-file <path>]
+          [--enable-json] [--enable-sarif] [--sarif-file <path>] [--sarif-reachable-only] [--enable-gitlab-security] [--gitlab-security-file <path>]
           [--disable-overview] [--exclude-license-details] [--allow-unverified] [--disable-security-issue]
           [--ignore-commit-files] [--disable-blocking] [--enable-diff] [--scm SCM] [--timeout TIMEOUT] [--include-module-folders]
           [--reach] [--reach-version REACH_VERSION] [--reach-analysis-timeout REACH_ANALYSIS_TIMEOUT]
@@ -200,6 +200,7 @@ If you don't want to provide the Socket API Token every time then you can use th
 | --enable-json             | False    | False   | Output in JSON format                                                             |
 | --enable-sarif            | False    | False   | Enable SARIF output of results instead of table or JSON format (prints to stdout) |
 | --sarif-file              | False    |         | Output file path for SARIF report (implies --enable-sarif). Use this to save SARIF output to a file for upload to GitHub Code Scanning, SonarQube, VS Code, or other SARIF-compatible tools |
+| --sarif-reachable-only    | False    | False   | Filter SARIF output to only include reachable findings (requires --reach)         |
 | --enable-gitlab-security  | False    | False   | Enable GitLab Security Dashboard output format (Dependency Scanning report)       |
 | --gitlab-security-file    | False    | gl-dependency-scanning-report.json | Output file path for GitLab Security report                |
 | --disable-overview        | False    | False   | Disable overview output                                                           |
