CLI-56: Adjust secret scan to sonar-secrets binary protocol changes

Pass --non-interactive flag to skip interactive auth prompt when running
file scans (binary hangs on open stdin waiting for user input otherwise).

Remove exit-code remap (1 -> 51): sonar-secrets v2.41 now returns 51
directly when secrets are found; exit 1 means a generic error.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: kirill-knize-sonarsource

src/commands/secret-scan.ts

@@ -190,7 +190,7 @@ async function runScan(
   authToken: string | undefined
 ): Promise<{ exitCode: number | null; stdout: string; stderr: string }> {
   return Promise.race([
-    spawnProcess(binaryPath, [file], {
+    spawnProcess(binaryPath, ['--non-interactive', file], {
       stdin: 'pipe',
       stdout: 'pipe',
       stderr: 'pipe',
@@ -342,8 +342,7 @@ function handleScanFailure(
     print(result.stdout);
   }
   blank();
-  // Binary exit 1 = secrets found — remap to 51 so hooks can distinguish from generic errors
-  process.exit(exitCode === 1 ? SECRET_SCAN_POSITIVE_EXIT_CODE : exitCode);
+  process.exit(exitCode);
 }
 
 function handleScanError(err: unknown): void {

tests/unit/secret-scan.test.ts

@@ -121,6 +121,23 @@ describe('secretCheckCommand: runs without authentication', () => {
     expect(spawnCall[2].env['SONAR_SECRETS_AUTH_URL']).toBe(SONARCLOUD_URL);
     expect(spawnCall[2].env['SONAR_SECRETS_TOKEN']).toBe(TEST_TOKEN);
   });
+
+  it('passes --non-interactive as first arg to binary for file scan', async () => {
+    spawnSpy.mockResolvedValue({
+      exitCode: 0,
+      stdout: JSON.stringify({ issues: [] }),
+      stderr: '',
+    });
+    const existsSpy = mockBinaryExists();
+    try {
+      await secretCheckCommand({ file: 'src/index.ts' });
+    } finally {
+      existsSpy.mockRestore();
+    }
+
+    const spawnCall = spawnSpy.mock.calls[0];
+    expect(spawnCall[1][0]).toBe('--non-interactive');
+  });
 });
 
 // ─── Successful scan paths ────────────────────────────────────────────────────
@@ -221,9 +238,9 @@ describe('secretCheckCommand: successful scan', () => {
 // ─── Failed scan paths ────────────────────────────────────────────────────────
 
 describe('secretCheckCommand: scan failures', () => {
-  it('exits 51 when binary exits 1 (secrets found)', async () => {
+  it('exits 51 when binary exits 51 (secrets found)', async () => {
     await setupAuthenticatedState();
-    spawnSpy.mockResolvedValue({ exitCode: 1, stdout: '', stderr: '' });
+    spawnSpy.mockResolvedValue({ exitCode: 51, stdout: '', stderr: '' });
 
     const existsSpy = mockBinaryExists(true);
     try {
@@ -237,6 +254,20 @@ describe('secretCheckCommand: scan failures', () => {
     expect(errors.some(m => m.includes('Scan failed'))).toBe(true);
   });
 
+  it('exits 1 when binary exits 1 (error, not secrets found)', async () => {
+    await setupAuthenticatedState();
+    spawnSpy.mockResolvedValue({ exitCode: 1, stdout: '', stderr: 'unexpected error' });
+
+    const existsSpy = mockBinaryExists(true);
+    try {
+      await secretCheckCommand({ file: 'src/index.ts' });
+    } finally {
+      existsSpy.mockRestore();
+    }
+
+    expect(mockExit).toHaveBeenCalledWith(1);
+  });
+
   it('displays stderr when scan fails with error output', async () => {
     await setupAuthenticatedState();
     const stderrMsg = 'Connection refused to auth server';
@@ -368,9 +399,9 @@ describe('secretCheckCommand: stdin scan', () => {
     expect(mockExit).toHaveBeenCalledWith(0);
   });
 
-  it('exits 51 when binary exits 1 during stdin scan (secrets found)', async () => {
+  it('exits 51 when binary exits 51 during stdin scan (secrets found)', async () => {
     await setupAuthenticatedState();
-    spawnSpy.mockResolvedValue({ exitCode: 1, stdout: '', stderr: 'secret found' });
+    spawnSpy.mockResolvedValue({ exitCode: 51, stdout: '', stderr: 'secret found' });
 
     const existsSpy = mockBinaryExists(true);
     try {