ci(lockfile_supply_chain_audit): scope defaults to the no-args case

When a caller passes an explicit --npm-lockfile or --cargo-lockfile, they are scoping the scan to the paths they listed; the script was still silently grafting the other ecosystem's defaults on top, which meant `--npm-lockfile X` would also audit DEFAULT_CARGO_LOCKFILES. With the missing-lockfile Finding now emitted, that surfaced as a false positive whenever a caller explicitly scoped only one ecosystem. Default fallback is now reserved for the no-args CI invocation, where every default path is expected to exist.
2026-05-19 07:42:36 +00:00 · 2026-05-16 13:29:56 +00:00 · 2026-05-16 13:29:56 +00:00 · 032eb880d9
commit 032eb880d9
parent b743e1b4ff
1 changed files with 12 additions and 2 deletions
--- a/scripts/lockfile_supply_chain_audit.py
+++ b/scripts/lockfile_supply_chain_audit.py
@ -751,8 +751,18 @@ def main(argv: list[str] | None = None) -> int:
            return 0

    root = Path(args.root).resolve()
-    npm_paths = [root / p for p in (args.npm_lockfile or DEFAULT_NPM_LOCKFILES)]
-    cargo_paths = [root / p for p in (args.cargo_lockfile or DEFAULT_CARGO_LOCKFILES)]
+    # When the user passes an explicit `--npm-lockfile` or
+    # `--cargo-lockfile` they are scoping the scan to exactly those
+    # paths; do NOT silently graft the other ecosystem's defaults on
+    # top. Falling back to defaults is reserved for the no-args CI
+    # invocation, where every default path must exist.
+    _user_explicit = args.npm_lockfile is not None or args.cargo_lockfile is not None
+    if _user_explicit:
+        npm_paths = [root / p for p in (args.npm_lockfile or ())]
+        cargo_paths = [root / p for p in (args.cargo_lockfile or ())]
+    else:
+        npm_paths = [root / p for p in DEFAULT_NPM_LOCKFILES]
+        cargo_paths = [root / p for p in DEFAULT_CARGO_LOCKFILES]

    all_findings: list[Finding] = []
    for p in npm_paths: