fix: return non-zero exit code when scan report data is not healthy

Fixes the issue where socket ci would exit with code 0 even when blocking alerts were found.

This is the expected behaviour based on our docs: https://docs.socket.dev/docs/socket-ci#non-zero-exit-code

Author: Graydon Hope

packages/cli/src/commands/scan/output-scan-report.mts

@@ -91,6 +91,11 @@ export async function outputScanReport(
     return
   }
 
+  if (!scanReport.data.healthy) {
+    // When report contains healthy: false, process should exit with non-zero code.
+    process.exitCode = 1;
+  }
+
   // I don't think we emit the default error message with banner for an unhealthy report, do we?
   // if (!scanReport.data.healthy) {
   //   logger.fail(failMsgWithBadge(scanReport.message, scanReport.cause))

packages/cli/test/unit/commands/scan/output-scan-report.test.mts

@@ -19,16 +19,37 @@
  * - src/commands/outputScanReport.mts (implementation)
  */
 
-import { describe, expect, it } from 'vitest'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 import {
+  outputScanReport,
   toJsonReport,
   toMarkdownReport,
 } from '../../../../src/commands/scan/output-scan-report.mts'
 import { SOCKET_WEBSITE_URL } from '../../../../src/constants/socket.mts'
 
 import type { ScanReport } from '../../../../src/commands/scan/generate-report.mts'
 
+const { mockGenerateReport, mockLogger } = vi.hoisted(() => ({
+  mockGenerateReport: vi.fn(),
+  mockLogger: { log: vi.fn(), fail: vi.fn(), dir: vi.fn() },
+}))
+
+vi.mock('../../../../src/commands/scan/generate-report.mts', async () => {
+  const actual =
+    await vi.importActual<
+      typeof import('../../../../src/commands/scan/generate-report.mts')
+    >('../../../../src/commands/scan/generate-report.mts')
+  return {
+    ...actual,
+    generateReport: mockGenerateReport,
+  }
+})
+
+vi.mock('@socketsecurity/lib-internal/logger', () => ({
+  getDefaultLogger: () => mockLogger,
+}))
+
 describe('output-scan-report', () => {
   describe('toJsonReport', () => {
     it('should be able to generate a healthy json report', () => {
@@ -159,6 +180,71 @@ describe('output-scan-report', () => {
       `)
     })
   })
+
+  describe('outputScanReport exit code behavior', () => {
+    const originalExitCode = process.exitCode
+
+    beforeEach(() => {
+      process.exitCode = undefined
+      vi.clearAllMocks()
+    })
+
+    afterEach(() => {
+      process.exitCode = originalExitCode
+    })
+
+    it('sets exit code to 1 when report is unhealthy', async () => {
+      mockGenerateReport.mockReturnValue({
+        ok: true,
+        data: getUnhealthyReport(),
+      })
+
+      await outputScanReport(
+        {
+          ok: true,
+          data: { scan: [], securityPolicy: {} },
+        } as any,
+        {
+          orgSlug: 'test-org',
+          scanId: 'test-scan',
+          includeLicensePolicy: false,
+          outputKind: 'json',
+          filepath: '-',
+          fold: 'none',
+          reportLevel: 'error',
+          short: false,
+        },
+      )
+
+      expect(process.exitCode).toBe(1)
+    })
+
+    it('does not set exit code when report is healthy', async () => {
+      mockGenerateReport.mockReturnValue({
+        ok: true,
+        data: getHealthyReport(),
+      })
+
+      await outputScanReport(
+        {
+          ok: true,
+          data: { scan: [], securityPolicy: {} },
+        } as any,
+        {
+          orgSlug: 'test-org',
+          scanId: 'test-scan',
+          includeLicensePolicy: false,
+          outputKind: 'json',
+          filepath: '-',
+          fold: 'none',
+          reportLevel: 'error',
+          short: false,
+        },
+      )
+
+      expect(process.exitCode).toBeUndefined()
+    })
+  })
 })
 
 function getHealthyReport(): ScanReport {