Fix reachability filtering, add config file support

[lelia]

Summary

This PR aligns reachability alert selection behavior across diff-based output channels and improves config/documentation ergonomics.

Previously, selection behavior diverged by channel (Console/JSON/SARIF/Slack), especially around --strict-blocking and reachability-only filtering. This PR introduces a shared selection path and updates tests/docs accordingly.

Major Changes

• Shared alert selection module

  • Added socketsecurity/core/alert_selection.py.
  • Centralizes:
    • diff alert selection (new vs new + unchanged with strict mode),
    • reachability filtering against .socket.facts.json,
    • fallback behavior when facts are unavailable.

• Output consistency updates

  • OutputHandler now uses shared selection for:
    • Console table output,
    • JSON output,
    • diff-scope SARIF generation.
  • In strict diff mode, selected diff alerts include unchanged findings for output paths that render diff alerts.

• Slack consistency updates

  • Slack diff notifications now use the same diff selection rules.
  • reachability_alerts_only now uses reachability facts when available (with fallback preserved), rather than relying solely on blocking status heuristics.

• Config/docs improvements

  • Added ability to load a config file rather than pass all params as CLI flags.
  • Generated JSON and TOML sample configs for reference (in examples/config).
  • Updated README/docs with:
    • “Choose your mode” guidance,
    • explicit dashboard-vs-CLI count caveats,
    • updated strict/reachability behavior notes.

Testing

Added/updated unit coverage for:

• shared selection behavior matrix,
• strict mode inclusion of unchanged alerts in diff outputs,
• Slack reachability-only filtering behavior,
• SARIF reachability filtering behavior and regressions.

Also performed manual verifications by running the CLI against a representative repository and comparing various scoped/grouped results in SARIF and console outputs.

⚠️ Note: Exact dashboard count parity may still vary due to API/UI consolidation/grouping differences; docs now call this out explicitly.

[github-actions]

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.78.dev3

Docker image: socketdev/cli:pr-169